uhm-coe
Save Oauth2 Access Token in User Meta
Now, the Access Token and Refresh Token are stored in the database. After login, the tokens are encrypted using the login key of the WordPress system and stored as usermeta in the database as “encrypted_token”. Before logout, the corresponding entry is removed from the metadata. The token can then be used by other plugins, e.g., for calling APIs.
Thanks for the pull request, we'll work on reviewing it and let you know if we have any comments/questions. Since caching OAuth tokens has security implications, we'll want to do a more thorough review.
Can you let us know your use case for reusing the tokens in another plugin?
We have an API that is secured with OAuth2. Therefore, we need the access and refresh tokens to obtain the relevant information. I thought I would share the change with you, as we have already made it.
If you decide that it does not fit into your strategy, I won't be upset if you choose not to merge it. Maybe you can add a checkbox in the settings for this feature if needed.
Thanks for keeping this updated; we'll work on getting it merged in the next release cycle. These are the open chores as I see them:
- Add an option to Authorizer Settings to enabled/opt-in to this behavior (we can tackle this one, the code for options is super messy :)
- Reference the code forked from Google Site Kit: https://github.com/google/site-kit-wp/blob/develop/includes/Core/Storage/Data_Encryption.php (it is Apache licensed so we should be able to include it in this GPLv3 project: https://www.apache.org/licenses/GPL-compatibility.html)
- Use WordPress PHP Coding Standards: https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/