During a regular OAuth dance, you receive and save users OAuth access keys and secrets. Each time you need to act on behalf of the user you'll retrieve an access key and secret.<p>Question is: how do you store this information and prevent an attacker from getting access to it?
I've been thinking about this as well; the results I could find are from quite a while ago, but in general the answer is to use a reversible encryption like AES [1] along with secure storage of the encryption key [2], preferably on another server or in an isolated part of the server. Not particularly satisfying, is it...<p>[1]: <a href="http://stackoverflow.com/questions/1878830/securly-storing-openid-identifiers-and-oauth-tokens" rel="nofollow">http://stackoverflow.com/questions/1878830/securly-storing-o...</a><p>[2]: <a href="http://security.stackexchange.com/questions/12332/where-to-store-a-key-for-encryption" rel="nofollow">http://security.stackexchange.com/questions/12332/where-to-s...</a>
On iOS I store that info in the keychain. In database I believe it is usually stored in plain text as the user can at anytime remove access to the credentials on the 3rd party's site.