I'm creating a nodejs app that will use OAuth to get access tokens from a CRM system. This access token will have pretty much access to all the data in that system, though my application is only concerned with a very specific set of data.
After someone has granted OAuth access, I can log in to redis and see their access token. If I wanted, I could use that token to retrieve a lot of data from their CRM, and this is a power and responsibility that I do not want to have.
So I want the access tokens to be encrypted in redis in a way that even I can't decrypt them, but that can somehow be decrypted when my app needs to make API calls to the CRM.
If I encrypted with a public/private key, I'd still have access to the private key.
I thought of creating a public/private key pair when the user logs in and returning the private key as a cookie. That way, when the browser makes an API call, the cookie will be the key that can be used to decrypt the token. Still, the cookie will have to be saved in the payload that I send to my background job for making API calls.
It seems that no matter what, as the owner of the application, I will always have access to the access tokens.
Are there any approaches to prevent this?