Comment on How to store user's access tokens/API keys without hashing them?

<- View Parent
pe1uca@lemmy.pe1uca.dev ⁨1⁩ ⁨year⁩ ago

Someone want’s me to implement a way to access a resource without having to make the extra HTTP calls required by OAuth, WSSE is a possibility since I saw it had some standards to send the credentials in a secure way.
I have been reading about WSSE for less than a week '^-^

Yeah, the idea would be the tokens used to generate the digest WSSE requires will live in our secure environment, and that’s the question: how is a secure environment created to store tokens/API keys of users which will be used to authenticate them into my API?
I haven’t implemented this kind of stuff so I don’t know what are the best practices to store this kind of sensitive data.
So, I’d need to research password vaults to store my user’s secrets so I can use them to authenticate them?

I went into WSSE since sending a client id + secret seems just rewording of basic authentication and well, sending the credentials in plain text seems more insecure than sending a hash.

source
Sort:hotnewtop