
I'm a security newbie. I'm implementing OAuth on my site and I want to ask where I should save my access token:

  • cookies
  • session (will be fetched from the server via an ajax request)

I have a backend (RESTful) and a frontend (SPA). Communication is only between them.

By the way, what is the recommended expiry time for OAuth?

Pleerock

3 Answers


Storing the access token in cookies may be vulnerable to some client-side attacks (stealing user cookies, for example). Use the session instead, and HTTPS for communication.

TMR_OS

Depending on the different flows that you want or have to use (authorization code, implicit grant, resource owner password or client credentials flows) you might need an authorization token and definitely an access token. The authorization token can be stored in the database and can have a TTL of several days, whereas the access token (around 5 min, or configurable) is more short-lived and can be stored on the server in a list accessible by different clients (synch!). OAuth2 doesn't make use of signatures and therefore HTTPS is a must. The token shouldn't be stored inside the cookie, as that is not the place for it, for different reasons (cache, transport vulnerability, ..). As the access token is linked to the user it can be saved inside the session of the client application.

rkn

Maybe it's simpler to use a library that manages it correctly for you.

Check this JavaScript library

Nereis