We have a number of clients that use our API to power their websites.
I have started a conversation at work about using OAuth to make authenticated API calls. We will have both two- and three-legged flows.
For the 3-legged flow, we still have not come to a consensus on how to store the access token and secret.
The common approach to this problem would be to have the clients store the access token and secret in their own DB, but that is out of the question, as the clients don't want to deal with code changes and implementation issues.
The other options we are considering:
1) Saving the access token and secret in a cookie.
2) Saving them in the session.
I'm not sure whether either of these is a good idea. Does anyone have any suggestions?
Thank you.