I am experimenting with an esp8266 (at the moment a wemos d1 mini, but subject to change) and Oauth2.0 flow.
What I want to do is to make an IOT device that transfers sensor data to a platform. This platform is secured and I need to traverse the Oath2.0 flow to obtain an access and refresh token.
Although this is a personal project, I would like to use this as a learning experience for if I would make this a commercial product. So I will make a captive portal, allowing users to enter their Wifi credentials to connect to their wifi network. And enter their username & password for the external system to login through Oauth2.0 flow.
So here is the question I am having: How can I securely store information such as(, but not limited to) the SSID, SSIDPassword and the refreshtoken?
Is it safe to store this in flash memory (using EEPROM), or could this information be potentially obtained when someone would get their hands on one of the units? How do commercial products tackle this?
Note that I have not yet worked with flash memory, so sorry if my question is of low quality.