pythonoauth-2.0spotifypkce

Reauthenticate a user with OAuth2.0

I was wondering what the best practice to reauthenticate a user with OAuth2.0 is. Specifically for a desktop program that is using Spotify's Authorization Code with PKCE Flow. I'm pretty sure I need to store the Refresh Token to do so, I've already implemented this and it works perfectly. I am asking since I'm aware of the threats of someone gaining access to this Token according to RFC 6819.

Is it okay to simply encrypt and store the Refresh Token in a file? What encryption would be preferable? Or should I use a completely different value for reauthenticating the user?

Sorry if this is a very simple problem but I am new to OAuth2.0 and so far I've been unable to find something regarding desktop programs without databases.

Solution

  • TLDR;

    First, refer to this document OAuth 2.0 Security Best Current Practice which is periodically updated instead of RFC6819 which hasn't been updated in a while.

    A couple of general best practices:

    1. Limit what scopes you request to the bare min. required. This provides some mitigation by restricting what each token is capable of doing or seeing vs. making a single "God" token that can do everything.
    2. Session tokens are generally the most secure method with a backend available. Create a session token that serves as the lookup key for the refresh token (or other valuable data) stored securely by the backend.

    Refresh tokens were designed as a way to NOT require the user to re-authenticate/authorize when retrieving a new access token. If you don't care about this, then don't use the refresh tokens and have the user re-authenticate/authorize when the access token is expired.

    If you're talking specifically about using Spotify's API, then you don't have much control over what the authz server, aka Spotify, can do or the options provided. Spotify currently expires access tokens in 1 hr and always provides a refresh token in the response (although, you don't have to use it) and provides a new refresh token in the response when refreshing an access token.

    Since Spotify provides a new refresh token with each refresh, you can periodically refresh to create your own "rolling" mechanism. That way if a refresh token leaked at some point, there's a shorter time frame when it can be used (your rolling duration). For example, every 15min., use the refresh token to retrieve a new access token AND new refresh token. *I am making an assumption that Spotify is revoking the older refresh token, but they don't explicitly mention that, so you may want to test if trying this out.