2 Replies Latest reply: Dec 17, 2012 9:25 AM by 912332

Suggestion about handling an OAuth refresh token from a JavaFX app?

912332 Newbie
I'm working on a browser-embedded JavaFX application and I'd like to use OAuth to authenticate with some web service. The web service provides an Access Token and a Refresh Token.

The challenge I'm facing is that the application needs to securely store the Refresh Token someplace so that once the Access Token expires, you can generate a new one. (The Access Token doesn't need to be stored anywhere -- it's only used while the application is running, and thus stays in RAM and nowhere else.)

It seems like iOS and Android have some sort of keystore objects for developers to store this kind of information, but I'm not seeing the same thing for Windows and Mac.

Has anyone faced this situation before? Any suggestions on how to securely store the Refresh Token are appreciated.

~~ Michael
  • 1. Re: Suggestion about handling an OAuth refresh token from a JavaFX app?
    jsmith Guru
    You can create a Java Keystore and save it as a file (that is easiest and is cross platform and is what I would recommend if it works for you).

    You can access Windows Secure Cryptographic Storage using VBScript (in IE) embedded in the page (not really recommended...) or by calling out to a native library shipped with your code (http://msdn.microsoft.com/en-us/library/aa380256%28v=vs.85%29.aspx).

    You can access the Mac OS X KeyChain by calling out to a native library shipped with your code (http://en.wikipedia.org/wiki/Keychain_%28Mac_OS%29).

    If using the Java Keystore, you will need a password to protect the keystore containing the refresh token. You may want to prompt the user for this password (in a JavaFX password field) on keystore creation and use so that you are not storing it on the client.

    You'll likely need to sign your application to allow it to make use of the facilities required.
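
Added example, not part of the original thread or of jsmith's reply: one way to keep a refresh token in a password-protected Java keystore file, as suggested in reply 1. It assumes Java 8 or later (PKCS12 secret-key entries), an ASCII token, and a password collected from the user at run time; the class name, alias, file name and sample values are hypothetical.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class RefreshTokenStore {
    private static final String ALIAS = "oauth-refresh-token"; // hypothetical alias

    // Writes the token into a new keystore file encrypted under the user's password.
    static void save(Path file, char[] password, char[] token) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        // A "PBE" secret key simply wraps the characters; they must be ASCII.
        SecretKey wrapped = SecretKeyFactory.getInstance("PBE")
                .generateSecret(new PBEKeySpec(token));
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(wrapped),
                new KeyStore.PasswordProtection(password));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, password);
        }
    }

    // Reads the token back; a wrong password or a modified file fails in load().
    static char[] load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password); // throws IOException if the integrity check fails
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry)
                ks.getEntry(ALIAS, new KeyStore.PasswordProtection(password));
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance("PBE")
                .getKeySpec(entry.getSecretKey(), PBEKeySpec.class);
        return spec.getPassword();
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("tokens", ".p12");
        char[] password = "constructed-demo-password".toCharArray(); // in the app: from a PasswordField
        char[] token = "constructed-refresh-token-123".toCharArray(); // constructed sample value
        save(file, password, token);
        System.out.println("round trip ok: " + Arrays.equals(load(file, password), token));
        Arrays.fill(password, '\0'); // do not keep the password in memory longer than needed
        Files.delete(file);
    }
}
```

The keystore's protection is only as strong as the password the user chooses, and the token exists in clear text in memory while the application uses it.
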
  • 2. Re: Suggestion about handling an OAuth refresh token from a JavaFX app?
    912332 Newbie
    Thanks so much for your suggestions, I do appreciate it.

    I think the topic would make a fascinating and useful article for someone to write. I would think more and more developers would be facing this challenge.
