Where to store OAuth 2.0 client id and secret?

I'm building some functionality within one of my WordPress sites that integrates with a third-party API, and that API uses OAuth 2.0.

I use both the client ID and secret every time I need a new access token, which is going to be at least once a day as the access token expires after 24 hours. (Generating a new access token also generates a new refresh token, and the previous refresh token is invalidated.) I'm storing the tokens in the options table in the database, along with the expires_in time.

Where should I be storing my client ID and secret? Is there a typical place to store things like this within WordPress? Right now I just have them defined in the wp-config.php. While I'm thinking this should work well, are there any potential drawbacks to this method, particularly regarding security of the client secret?

Topic oauth wp-config api security Wordpress

Category Web


This depends on what it is that you are developing. If it is a plugin, you have to store such settings in options, as the last thing a site owner should be asked to do is to modify their config file.

If it is your own site, just make it a constant that is declared in your code if you do not want it to be configurable by the admin. There is no advantage in keeping it in some non-obvious place which is harder to find when inspecting the code.

As for security, in theory having it in the code is more secure, as you do not have to worry about someone hacking into the DB, but in practice, since if someone can get into your DB you are already toast (he will add his own admin user...), it makes almost zero difference. (The only difference I can think of is getting a dump of the DB, but this kind of hack is still hard and probably super rare.)
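The following is an added example, not code from the question or the answer above, showing both placements side by side: the client ID and secret are read from constants in wp-config.php when they are defined (the "own site" case) and fall back to options the admin configured (the "plugin" case), while the access and refresh tokens live in the options table with an absolute expiry timestamp. All names (the MYAPI_ constants, the myapi_ option keys, the helper functions and the token endpoint URL) are hypothetical placeholders; the WordPress functions used (get_option, update_option, wp_remote_post and friends) are real.

```php
<?php
// Added example, not part of the original page. Constant names, option keys,
// function names and the token endpoint URL are hypothetical placeholders.
//
// Own-site setup: put these in wp-config.php, outside any version-controlled code:
//   define( 'MYAPI_CLIENT_ID',     '...' );
//   define( 'MYAPI_CLIENT_SECRET', '...' );
// Plugin setup: leave the constants undefined and store the values as options.

/**
 * Resolve a credential. A constant in wp-config.php wins; otherwise fall back
 * to an option the site admin configured through the plugin settings page.
 */
function myapi_credential( $name ) {
    $constant = 'MYAPI_' . strtoupper( $name );   // e.g. MYAPI_CLIENT_SECRET
    if ( defined( $constant ) ) {
        return constant( $constant );
    }
    return get_option( 'myapi_' . $name, '' );    // e.g. option key myapi_client_secret
}

/**
 * Return a valid access token, exchanging the refresh token when the stored
 * access token has expired. The API rotates the refresh token on every
 * exchange, so the new pair always replaces the old one.
 */
function myapi_access_token() {
    $stored = get_option( 'myapi_tokens', array() );
    $now    = time();

    // Store an absolute expiry time rather than the raw expires_in value, and
    // refresh a minute early so a request in flight does not hit the boundary.
    if ( ! empty( $stored['access_token'] ) && ( (int) $stored['expires_at'] - 60 ) > $now ) {
        return $stored['access_token'];
    }
    if ( empty( $stored['refresh_token'] ) ) {
        return new WP_Error( 'myapi_no_refresh_token', 'No refresh token stored; re-authorise the site.' );
    }

    $response = wp_remote_post(
        'https://api.example.com/oauth/token',   // hypothetical token endpoint
        array(
            'timeout' => 15,
            'body'    => array(
                'grant_type'    => 'refresh_token',
                'refresh_token' => $stored['refresh_token'],
                'client_id'     => myapi_credential( 'client_id' ),
                'client_secret' => myapi_credential( 'client_secret' ),
            ),
        )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $code = wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'myapi_token_http', 'Token endpoint returned HTTP ' . $code );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['access_token'] ) || empty( $data['refresh_token'] ) ) {
        return new WP_Error( 'myapi_token_parse', 'Token response is missing access_token or refresh_token.' );
    }

    // Persist the rotated pair. autoload=false (applied when the option is
    // first created) keeps the token material out of the options WordPress
    // loads on every page request.
    $expires_in = isset( $data['expires_in'] ) ? (int) $data['expires_in'] : 86400;
    update_option(
        'myapi_tokens',
        array(
            'access_token'  => $data['access_token'],
            'refresh_token' => $data['refresh_token'],
            'expires_at'    => $now + $expires_in,
        ),
        false
    );

    return $data['access_token'];
}
```

Callers check the return value with is_wp_error() before using it. Keeping the secret in a constant means it never passes through the settings UI or the database, while the option fallback keeps the plugin installable without editing wp-config.php; the token option holds only the short-lived material that has to change daily.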
