By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to Securely Store OAuth Tokens for Multiple Users and Apps?

0

I'm building a platform that acts as a hub for various apps (like Slack, Zoom, Dropbox, etc.), where users can receive triggers and perform actions. The flow is as follows:

  1. A user authorizes an app on our platform like zoom
  2. Once authorized, the app sends us an OAuth token for that user. "Given that we might have 1000s of users and 100s of apps, we need to securely store these OAuth tokens at the user level for each app" The challenge is how to do this securely and cost-effectively. We've considered AWS KMS and Secrets Manager, but they might be "expensive" for our use case. Can anyone recommend best practices or alternative solutions for securely storing these tokens? How do large-scale platforms handle this? i belive hashicorp vault is hard to manage.
Topics
Security, Identity, & Compliance
Tags
AWS Key Management Service
Language
English
Bhanu
asked 7 months ago642 views
1 Answer
1

Hi Bhanu,

I am unsure why AWS KMS would be expensive for your use case. You could easily store each user's OAuth token in an encrypted DynamoDB table with KMS. I wouldn't use the AWS secrets manager in this case; that would be useful for your own system secrets.

In terms of costs, you would only have to pay for KMS $1/month for a key and then $0.03 for each 10,000 requests. And DynamoDB, you have a free tier of up to 200M requests per month.

Could you please elaborate a little bit more on your concern?

Reference:

If the answer is helpful, please click "Accept Answer" and upvote it.

profile picture
EXPERT
Ivan Casco
answered 7 months ago
profile picture
EXPERT
Giovanni Lauria
reviewed a month ago
  • Bhanu
    7 months ago

    Hi Ivan,

    What about secrets manger in this case? Thanks for the reply. I'd like to clarify a few points:

    Cost Concerns with KMS and Secrets Manager:

    If we consider 1000 users, each connected to 5 apps, that's 5000 unique OAuth tokens we need to store securely. Using AWS KMS, if each token requires its own key, the cost would indeed be significant. However, I believe there might be a misunderstanding. Typically, we would use a single master key to encrypt all the tokens, not a unique key for each token. This would drastically reduce the KMS costs.

    On the other hand, AWS Secrets Manager charges per secret. If we were to store each token as a separate secret, the costs could accumulate quickly, especially with a large user base and multiple apps.

    OAuth at the App Level: OAuth is designed to allow third-party applications to access user-specific resources without exposing user credentials. Here's a simplified flow: User Authorization: A user decides to integrate a third-party app (e.g., Slack) within our platform. They are redirected to the app's authorization page. Granting Permission: The user logs in and grants our platform permission to access specific data or perform actions on their behalf. Receiving the Authorization Code: Post permission, the third-party app redirects the user back to our platform with an authorization code. Exchanging the Code for Tokens: We exchange this code for an access token (and optionally, a refresh token) via a server-to-server request.

  • Ivan Casco EXPERT
    7 months ago

    Correct, you only need one KMS key to encrypt all the users tokens. Secrets manager is for another usecase, like storing database credentials, I wouldn’t recommend it in your case.

    If my answer helped you please accept my answer, as it helps me and it incentives me to keep posting in this platform.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content