Is it safe to store an Access Token as a String during the application's runtime

I am working on an integration, where I need to make repetitive calls to another system. As of now, I fetch the Access Token for every call, which is extremely bad, as I make more than 300 calls. Fetching token for each call is expensive.

I wanted to get the access token first and store it until the sync is completed, and afterwards I don't want it to be in memory any more.

What would be the best and most secure way to store the token during this time?

I am thinking of using the dependency below to check whether the token has expired or not; only if it has expired do I want to fetch it again.

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>4.0.0</version>
</dependency>

Is this approach correct? If not could someone please tell me what would be the best way to do it?

Nitin Kumar asked Sep 16 '25 11:09



1 Answer

We (devs) are so unused to thinking about threat modeling at all. That's why we end up asking questions like these all the time. The proper question is: what are you afraid of?

Are you trying to protect the application from a remote attacker with no access to the client machine? Store the token any way you like and make sure you protect the channel with TLS.

Do you want to protect the app from an attacker who has physical access to the device? Impossible. We sometimes tend to encrypt secrets while they are in memory to protect against someone dumping memory and analyzing it, but this only makes sense with passwords and other static secrets. Tokens usually get rotated too often to leave a significant amount of time to perform such an attack.

The problem arises when you want to store the secrets physically on a drive somewhere so they are available across many user sessions. In this case encryption might be the answer. But guess what? Once you encrypt, you now have the problem of protecting the encryption key! So you did not solve the problem, you just shifted it somewhere else.

You can also play the game the other way round. Go and ask the security department (assuming you work for a company) which security requirements have to be fulfilled when dealing with secrets like tokens.

Marek Puchalski answered Sep 19 '25 02:09

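The questioner's plan (keep the token in memory for the sync, refetch only on expiry, drop it afterwards) and the answer's point that the TLS channel is the real protection, combined into one added example. This is my code, not from either poster and not part of java-jwt; the class `SyncTokenCache`, the `TokenResponse` record, the `fetcher` supplier and the endpoint URL are hypothetical, and it assumes java-jwt 4.x and Java 16+ (for records). Two things the paragraph alone does not show: prefer the server-stated `expires_in` over the JWT `exp` claim, since not every access token is a JWT, and refresh a little before expiry so clock skew cannot hand you a token that is dead on arrival.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.function.Supplier;

/** Hypothetical helper: one access token held in memory for a sync run, refetched only near expiry. */
public final class SyncTokenCache implements AutoCloseable {

    /** What a token endpoint returns: the token and, if the server sends one, its lifetime in seconds. */
    public record TokenResponse(String accessToken, Long expiresInSeconds) {}

    private final Supplier<TokenResponse> fetcher; // assumed to call the real token endpoint over HTTPS
    private final Clock clock;
    private final Duration leeway;                 // refresh this long before expiry to absorb clock skew
    private String token;                          // null whenever no usable token is held
    private Instant expiresAt = Instant.EPOCH;

    public SyncTokenCache(Supplier<TokenResponse> fetcher, Clock clock, Duration leeway) {
        this.fetcher = fetcher;
        this.clock = clock;
        this.leeway = leeway;
    }

    /** Returns a token still valid for at least {@code leeway}; calls the token endpoint only when needed. */
    public synchronized String get() {
        if (token == null || !clock.instant().plus(leeway).isBefore(expiresAt)) {
            TokenResponse r = fetcher.get();
            token = r.accessToken();
            expiresAt = expiryOf(r, clock.instant());
        }
        return token;
    }

    /**
     * expires_in from the server is authoritative and works for opaque tokens too, so it wins.
     * Otherwise read the JWT "exp" claim. JWT.decode() only parses and does not verify the
     * signature; that is acceptable here because we read our own token's expiry, we do not
     * trust its claims for authorization. Anything else is treated as already expired, so the
     * cache fetches every time rather than reuse a token of unknown lifetime.
     */
    static Instant expiryOf(TokenResponse r, Instant now) {
        if (r.expiresInSeconds() != null) {
            return now.plusSeconds(r.expiresInSeconds());
        }
        try {
            DecodedJWT jwt = JWT.decode(r.accessToken());
            Date exp = jwt.getExpiresAt();
            return exp == null ? Instant.EPOCH : exp.toInstant();
        } catch (JWTDecodeException notAJwt) {
            return Instant.EPOCH;
        }
    }

    /** Refuses to send a bearer token anywhere but over TLS; the channel is the real protection. */
    public static void requireTls(URI endpoint) {
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            throw new IllegalArgumentException("bearer token must only be sent over https: " + endpoint);
        }
    }

    /** Drops the reference when the sync is done. Strings are immutable, so the bytes cannot be
     *  zeroed; the JVM reclaims them on garbage collection, which is fine under the remote-attacker model. */
    @Override
    public synchronized void close() {
        token = null;
        expiresAt = Instant.EPOCH;
    }

    // Demo: a constructed throwaway HMAC key and a 5-minute token; 300 calls should cost one fetch.
    public static void main(String[] args) {
        int[] fetches = {0};
        Supplier<TokenResponse> fetcher = () -> {
            fetches[0]++;
            String jwt = JWT.create()
                    .withExpiresAt(Date.from(Instant.now().plus(Duration.ofMinutes(5))))
                    .sign(Algorithm.HMAC256("demo-only-secret".getBytes(StandardCharsets.UTF_8)));
            return new TokenResponse(jwt, null);  // no expires_in, so the "exp" claim is used
        };
        try (SyncTokenCache cache = new SyncTokenCache(fetcher, Clock.systemUTC(), Duration.ofSeconds(30))) {
            requireTls(URI.create("https://api.example.invalid/records"));  // hypothetical endpoint
            for (int i = 0; i < 300; i++) {
                cache.get();  // attach as "Authorization: Bearer ..." on each of the sync's calls
            }
        }
        System.out.println("calls: 300, token fetches: " + fetches[0]);
    }
}
```

The cache is a plain field, not an encrypted blob or a file, which is exactly what the answer's threat model justifies: the token lives only as long as the try-with-resources block, is never written to disk, and only ever leaves the process over TLS. If the sync runs longer than a token lifetime, `get()` silently fetches a fresh one at the first call inside the leeway window, so callers never have to handle a 401 for a stale token.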