Understanding Secure Token Storage
Which method is generally recommended for securely storing OAuth access tokens on a mobile device?
- Using the device's secure storage system, such as Keystore or Keychain
- Storing in plain text files within the app's directory
- Saving in browser localStorage without encryption
- Committing the token directly into the app's codebase
- Including the token as a query parameter in URLs
Client Secret Handling
When using the OAuth client credentials flow, how should the client secret be stored?
- In an environment variable or securely managed server-side secret store
- In JavaScript files sent to the browser
- As a public constant within the app's code
- In cookies accessible via JavaScript
- Written in comments in the code
Danger of Token Exposure
What is a major risk if you accidentally commit OAuth access tokens or client secrets to a public code repository?
- Unauthorized users may use the credentials to access protected resources
- Your app will gain performance benefits
- Tokens will automatically renew themselves for additional security
- The application will stop working offline
- Tokens become encrypted by default
Best Practice for Token Revocation
What should your application do when an OAuth access token is no longer needed, such as on user logout?
- Revoke and delete the token from all storage
- Keep the token for future reuse
- Email the token to the user
- Store the token in browser session storage indefinitely
- Archive the token in a database backup
Avoiding Token Hardcoding
Why is it a bad idea to hardcode OAuth access tokens in source code or configuration files?
- They may be accidentally exposed and used by unauthorized parties
- It increases app battery usage
- Hardcoded tokens cannot be revoked
- Tokens will expire more quickly
- Token refresh will stop working
Minimizing Token Scope
According to OAuth best practices, what is the recommended approach when requesting user authorization scopes?
- Request only the minimum scopes needed for the current task
- Always request all possible scopes at the initial authentication
- Request scopes randomly to diversify permissions
- Use the same set of scopes for every user regardless of their actions
- Combine multiple tokens to increase privilege
Selecting Storage Location for Web Apps
In a web application, where is the most secure location to temporarily store an access token during an active session?
- In application memory (such as a JavaScript variable)
- In browser localStorage
- Inside an HTML data attribute
- Within an unsecured cookie
- Written to the console log
Handling Token Expiry
If an access token expires and a refresh token is available, what should your application do?
- Use the refresh token to obtain a new access token
- Continue sending requests with the expired token indefinitely
- Prompt the user to restart the application
- Manually edit the access token's expiration date
- Ignore token expiration and proceed
Native vs Embedded Authentication
For mobile or desktop apps, what is the best practice for presenting OAuth authorization to users?
- Use the device's native browser for the OAuth flow
- Embed the authorization page in a webview
- Hardcode the expected access token
- Send the user a plain text email with the token
- Use an iframe to display the authorization page
Token Management on Logout
Upon logout in a typical application, which is the correct way to handle stored OAuth access and refresh tokens?
- Delete them from all storage and notify the authorization server to revoke them
- Keep them in memory for the next user session
- Export them to an external file
- Email them to the administrator for backup
- Store them in logs to audit access
