I'm working on a browser-embedded JavaFX application and I'd like to OAuth to authenticate with some web service. The web service provides an Access Token and a Refresh Token.
The challenge I'm facing is that the application needs to securely store the Refresh Token someplace so that once the Access Token expires, you can generate a new one. (The Access Token doesn't need to be stored anywhere -- it's only used while the application is running, and thus stays in RAM and nowhere else.)
It seems like iOS and Android have some sort of keystore objects for developers to store this kind of information, but I'm not seeing the same thing for Windows and Mac.
Has anyone faced this situation before? Any suggestions on how to securely store the Refresh Token are appreciated.
You can create a Java Keystore and save it as a file (that is easiest and is cross platform and is what I would recommend if it works for you).
You can access Windows Secure Cryptographic Storage using VBScript (in IE) embedded in the page (not really recommended...) or by calling out to a native library shipped with your code (http://msdn.microsoft.com/en-us/library/aa380256%28v=vs.85%29.aspx).
You can access the Mac OS X KeyChain by calling out to a native library shipped with your code (http://en.wikipedia.org/wiki/Keychain_%28Mac_OS%29).
If using the Java Keystore, you will need a password to protect the keystore containing the refresh token. You may want to prompt the user for this password (in a JavaFX password field) on keystore creation and use so that you are not storing it on the client.
You'll likely need to sign your application to allow it to make use of the facilities required.
Thanks so much for your suggestions, I do appreciate it.
I think the topic would make a fascinating and useful article for someone to write. I would think more and more developers would be facing this challenge.