First, there is a registered application that has consumer_keyand consumer_secret.

首先，有一个注册的应用程序具有consumer_key和consumer_secret。

When users authenticate and "allow" your registered application, you get back: an access_tokenthat is considered the user's "password" and would allow JUST YOUR application to act on the user's behalf.

当用户验证并“允许”您注册的应用程序时，您会返回： 一个access_token被视为用户的“密码”并且将允许您的应用程序代表用户执行操作。

So, getting just the user's access_tokenfrom your database won't help much if they don't also have the consumer_keyand consumer_secretfor complete access.

所以，想起来了用户的access_token从你的数据库将帮助不大，如果他们不也有consumer_key和consumer_secret的完全访问权限。

The service provider compares all 4 parameters on request. It would be smart to encrypt these 4 parameters before storage and decrypt them before response.

服务提供商根据请求比较所有 4 个参数。在存储之前加密这 4 个参数并在响应之前解密它们是明智的。

This is just when you need to update or make changes to the user's resource owner on behalf of a user. To keep a user logged-in on your site, use sessions.

这只是当您需要代表用户更新或更改用户的资源所有者时。要保持用户登录您的站点，请使用会话。

The OAuth Token and Secret should both obviously be kept safe in your database, but you can't store them using 1 way encryption the same way you would for a password. The reason being is that you need the token and secret to be able to sign the request.

OAuth Token 和 Secret 显然都应该在您的数据库中保持安全，但是您不能像使用密码一样使用单向加密来存储它们。原因是您需要令牌和秘密才能对请求进行签名。

This would also be the case if you are running an OAuth server, you still need the original token/secret to verify the request.

如果您正在运行 OAuth 服务器，情况也会如此，您仍然需要原始令牌/秘密来验证请求。

If you want to you could still encrypt them using a 2 way encryption algorithm such as AES to offer security in case your database or database backups get compromised.

如果您愿意，您仍然可以使用 AES 等 2 路加密算法对它们进行加密，以提供安全性，以防您的数据库或数据库备份受到损害。

There's two schools of thought here.

这里有两种思想流派。

The first argument is that: you should treat OAuth tokens like passwords. If anyone were to access your database, obtain all the OpenID/OAuth pairs and run an man-in-the-middle attack, they could impersonate any user on your site.

第一个参数是：您应该像对待密码一样对待 OAuth 令牌。如果有人访问您的数据库、获取所有 OpenID/OAuth 对并运行中间人攻击，他们就可以冒充您站点上的任何用户。

The second argument is this: by the time someone has access to your database and sufficient access to your network to run an man-in-the-middle attack, you're hosed anyway.

第二个论点是：当有人可以访问您的数据库并有足够的权限访问您的网络以运行中间人攻击时，您无论如何都会被浇灌。

I'd personally err on the side of caution and just encrypt them; it's a standard practice for passwords, so you might as well give yourself just that little extra peace of mind.

我个人会谨慎行事，只是加密它们；这是密码的标准做法，因此您不妨让自己稍微放心一些。

Meanwhile, Google has this advice:

同时，谷歌有这样的建议：

"Tokens should be treated as securely as any other sensitive information stored on the server."

“应该像对待存储在服务器上的任何其他敏感信息一样安全地对待令牌。”

source: http://code.google.com/apis/accounts/docs/OAuth.html

来源：http: //code.google.com/apis/accounts/docs/OAuth.html

And some random guy on the web has specific implementation advice:

网络上的一些随机家伙有具体的实现建议：

• If they're on a regular disk file, protect them using filesystem permissions, make sure that they're encrypted, and hide the password well
• If they're in a database, encrypt the fields, store the key well, and protect access to the database itself carefully. *
• If they're in LDAP, do the same.

• 如果它们位于常规磁盘文件上，请使用文件系统权限保护它们，确保它们已加密，并妥善隐藏密码
• 如果它们在数据库中，请加密字段，妥善保存密钥，并小心保护对数据库本身的访问。*
• 如果它们在 LDAP 中，请执行相同操作。

archived post(original post URL, now a dead link)

存档帖子（原始帖子 URL，现在是死链接）

OpenID URL shouldn't be encrypted because this is your "open id" literally, everyone should know the value. Besides, the URL needs to be an index in the database and it's always problematic to encrypt the index in the database.

OpenID URL 不应该被加密，因为这就是你的“开放 ID”，每个人都应该知道这个值。此外，URL需要是数据库中的索引，并且在数据库中加密索引总是有问题的。

OAuth token/secret should be secret and encryption may improve security if you have to store the token long term. In our OAuth consumer application, token/secret is only stored in session for a short while and we choose not to encrypt them. I think that's secure enough. If someone can peek into our session storage, they probably have our encryption key also.

OAuth 令牌/秘密应该是秘密的，如果您必须长期存储令牌，加密可以提高安全性。在我们的 OAuth 消费者应用程序中，令牌/秘密仅在会话中存储一小段时间，我们选择不加密它们。我认为这已经足够安全了。如果有人可以窥视我们的会话存储，他们可能也拥有我们的加密密钥。

Yes, these should be symmetrically encrypted (say, AES-256 in CBC mode) at rest in a database. A simple way to encrypt these tokens is using SecureDB's Encryption as a Service RESTful APIs.

是的，这些应该在数据库中静态对称加密（例如，CBC 模式下的 AES-256）。加密这些令牌的一种简单方法是使用SecureDB的加密即服务 RESTful API。

Disclosure: I work at SecureDB.

披露：我在 SecureDB 工作。