Client OAuth implementation on devices with no permanent storage

I'm implementing an OAuth consumer, which will run on various set-top-boxes. Some of them don't provide any means of storing user data permanently. When the STB is switched off, all data is lost (apart from firmware, of course). How can I store access tokens then? The demand is that user 开发者_如何学编程should authenticate only once and that the access tokens have long validity (until revoked by the user him/herself). So authenticating every time the STB is switched on is out of the question. Is OAuth in this case worthless? Can I use some other data (for instance MAC or some unique HW data) instead of access tokens? I know those can be spoofed, but I don't have any other ideas.

Ah, BTW, I'm implementing the server side (the service provider), too, but since it will be used by 3rd party consumers, too, I have to provide the "proper" OAuth for them, and can make some tweaks for my consumer application, since it is obviously a trusted one.

Thanks!

Can you have a web service on the server side (protected by SSL and digital certificate to make sure no one else can access it) that takes some unique MAC (or HW data) and returns the proper OAuth token to the STB?

So the flow would be: 1) STB boots up, sends unique HW data to server via web service to retrieve OAuth Token - If token exists, go to step 4 otherwise go to step 2 2) User does OAuth authentication at STB. 3) STB stores token in local memory and sends it via web service to server side along with some unique HW data 4) STB uses OAuth token to do normal functions 5) STB is unplugged, turned off, etc that makes it lose token from local memory Back to Step 1.

Issues to look out for: A) User returns STB since they no longer want service. You need to clear the token somehow in case another user gets that STB. You don't want new user getting old user's data B) STB break and user has to get a new one. Should they have to re-authenticate or would the token move over automatically to new unique HW data