On 14-Dec-2011 10:05, James Lampert wrote:

On our current Google Calendar Integration project, I've managed to
reach a point where I'm looking for a place to safely store the
customer's "OAuth consumer secret" used to sign requests to the
Google Apps web services, where it's at least safe from casual
inspection.
Any suggestions?

If customers already are tracked to a database file, then perhaps
store the value encrypted in a column of that database file? Since
v5r3 there is some SQL built-in support to do so, without having to code
to the encryption\decryption via Cryptographic Services APIs.

    create table cust_secret
    ( custid int
    , secret varchar (##) for bit data /* sized and 8byte-align */
    )

    update cust_secret
       set secret=encrypt(:given_secret, :password, :hint)
           /* other encryption scalar functions may exist */
           /* ENCRYPT is alternative name for ENCRYPT_RC2 */
           /* pre-v5r3 external UDF could effect similar  */
     where custid=:cn

When a customer needs to sign requests, the "secret" data for their
customer number can be decrypted using the appropriate
decryption-to-character scalar and the same password that was specified
when their "secret" value was originally encrypted. As long as the
password that was used to encrypt the "secret" value is never stored,
then their "secret" value should be safe from "casual inspection" either
directly or by decryption, except when the password is obtained again
from the customer [by the application] for that decryption request; i.e.
the "secret" value would be decrypted only when the customer supplies
the password to the application, and that decrypted "secret" value could
exist\persist only during execution of the service [if the application
properly clears both the password and decrypted value for both normal
and abnormal terminations]. The application could expose the hint to
the customer via the GETHINT scalar, upon request, if desirable.
Regards, Chuck
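
Added example, not part of the original post: the round trip the reply describes (encrypt on write, read the hint, decrypt with the same password), written as DB2 for i SQL. The table name cust_secret_demo, the column size and every literal value are constructed for illustration.

```sql
-- Added example; table name, sizes and all values below are constructed.
-- Literals are used only so the script can be run interactively. An
-- application would pass host variables (:given_secret, :password, :hint)
-- as in the post, so the password never appears in statement text.

CREATE TABLE cust_secret_demo
( custid INT NOT NULL PRIMARY KEY
, secret VARCHAR(128) FOR BIT DATA  -- assumed, deliberately generous size:
                                    -- the encrypted value is longer than
                                    -- the clear text, more so with a hint
);

-- Encrypt on the way in. The password is used here and stored nowhere.
INSERT INTO cust_secret_demo (custid, secret)
VALUES ( 1001
       , ENCRYPT_RC2( 'EXAMPLE-CONSUMER-SECRET'   -- constructed secret
                    , 'Customer-passphrase-1'     -- constructed password
                    , 'first pet + year' ) );     -- constructed hint

-- What "casual inspection" of the file shows: binary data, not the secret.
SELECT custid, HEX(secret) AS stored_value
  FROM cust_secret_demo
 WHERE custid = 1001;

-- GETHINT takes no password, so anyone who can read the column can read
-- the hint. The hint must therefore not give the password away.
SELECT GETHINT(secret) AS password_hint
  FROM cust_secret_demo
 WHERE custid = 1001;

-- Decrypt only at signing time, with the password the customer supplies.
SELECT DECRYPT_CHAR(secret, 'Customer-passphrase-1') AS consumer_secret
  FROM cust_secret_demo
 WHERE custid = 1001;

-- A wrong password makes the statement fail with an SQL error instead of
-- returning data, which the application can treat as "bad password".
SELECT DECRYPT_CHAR(secret, 'wrong-guess') AS consumer_secret
  FROM cust_secret_demo
 WHERE custid = 1001;

DROP TABLE cust_secret_demo;
```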