Almost all answers about access tokens say you need to store them in the keychain; however, the access token I am implementing is only valid for 5 minutes after a user logs in. The access token is returned by the login API.
Right now it is being stored in the keychain, which then creates problems for customers, since the access token is not cleared from the keychain when the OS suspends or terminates the app; this happens when a user signs in and never signs out. There is no 100% reliable way to detect this.
Due to a bad design, we have an existing API that is called both pre-login and post-login, and it returns a different response depending on whether you pass an access token. The invalid access token gets passed, and the user sees an error even if he just launched the app.
Since the access token is short-lived, I want to fix this issue by not saving it in the keychain and just keeping it in memory (a singleton variable) so that it only lives for as long as the app is active/running.
Any thoughts on this?
If the data is exclusively used while running, there is no benefit to storing it in the keychain. One might imagine cases where there were a benefit due to clearing the token when not in use, but it is incredibly difficult to actually clear data from memory (and especially in Swift), so this is unlikely to be useful. You're going to have somewhere between "just as good" and better data protection by only storing it in memory. You certainly won't make things worse.
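One way to put the answer's advice into practice, as an added example that is not code from the asker or the answerer: an in-memory token holder that tracks the 5-minute lifetime itself, refuses to hand out an expired token (so the pre/post-login API is never called with a dead one), and drops the token when the app leaves the foreground. The class and method names are assumptions; `UIApplication.didEnterBackgroundNotification` is the real UIKit notification.

```swift
import Foundation
#if canImport(UIKit)
import UIKit
#endif

/// Holds the short-lived access token in process memory only; nothing touches the
/// keychain or disk, so the token cannot outlive the running app. (Hypothetical names.)
final class SessionTokenStore {
    static let shared = SessionTokenStore()

    private var token: String?
    private var expiresAt: Date?
    private let queue = DispatchQueue(label: "session.token.store") // serializes access
    private var observer: NSObjectProtocol?

    private init() {
        #if canImport(UIKit)
        // Forget the token when the app goes to the background: a user who never signs
        // out will not resume later with a stale token still attached to requests.
        observer = NotificationCenter.default.addObserver(
            forName: UIApplication.didEnterBackgroundNotification,
            object: nil, queue: nil) { [weak self] _ in self?.clear() }
        #endif
    }

    /// Store the token returned by the login API together with its lifetime in seconds.
    func store(_ newToken: String, lifetime: TimeInterval = 5 * 60, now: Date = Date()) {
        queue.sync {
            token = newToken
            expiresAt = now.addingTimeInterval(lifetime)
        }
    }

    /// Returns the token only while it is still valid. An expired token is discarded
    /// instead of returned, so callers fall back to the pre-login request path.
    func currentToken(now: Date = Date()) -> String? {
        return queue.sync { () -> String? in
            guard let t = token, let exp = expiresAt, now < exp else {
                token = nil
                expiresAt = nil
                return nil
            }
            return t
        }
    }

    /// Explicit sign-out or background transition: drop the token immediately.
    func clear() {
        queue.sync { token = nil; expiresAt = nil }
    }
}
```

Callers build the request with `SessionTokenStore.shared.currentToken()` and send the unauthenticated variant when it returns `nil`, which is exactly the "just launched the app" case described in the question.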