access-token

What security measures should I put in place to ensure that, were my database to be compromised, long-life access tokens could not be stolen? A long-life access token is as good as a username and password for a particular service, but from talking to others it seems most (myself included) store access tokens in plain text. This seems to be to be just as bad as storing a password in plain text. Obviously one cannot salt & hash the token. Ideally I'd want to encrypt them, but I'm unsure of the best way to do this, especially on an open source project. I imagine the answer to this question is

Do Facebook APP access tokens expire? These tokens are different than the USER tokens; they are acquired like this: https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id={0}&client_secret={1}) as described in the App Login section of the document at http://developers.facebook.com/docs/authentication/ . Are there any circumstances under which they will become invalid? NB: This is NOT a question about USER access tokens (which are clearly documented). There was an identical question http://facebook.stackoverflow.com/questions/7322063/does-app-login-access-token

I have an Angular application (SPA) that communicates with a REST API server and I'm interested in finding out the best method to store an access token that is returned from an API server so that the Angular client can use it to authenticate future requests to the API. For security reasons, I would like to store it as a browser session variable so that the token is not persisted after the browser is closed. I'm implementing a slightly customized version of OAuth 2.0 using the Resource Owner Password grant. The Angular application provides a form for the user to enter their username and