浏览器应用程序和身份验证令牌再次
[英]Browser applications and auth tokens again
问题描述
I've been reviewing how we should handle OAuth authentication in our browser application (SPA), and there's a whole bunch of articles out there that makes it all really confusing... I'm really missing something concrete and best practice guidance for a very simple setup. 
我一直在审查我们应该如何在浏览器应用程序(SPA)中处理OAuth身份验证,并且有大量的文章使这一切都变得令人困惑...我确实缺少一些具体的最佳实践指导,安装非常简单。
We have this ASP.NET Web API 2 that's protected using tokens issued by IdSvr3. 我们拥有这个ASP.NET Web API 2,它使用IdSvr3发行的令牌进行了保护。 So far so good. 到现在为止还挺好。 Works with native clients and server apps. 与本机客户端和服务器应用程序一起使用。
Now to the browser stuff... Looking at a sample such as JavaScriptImplicitClient which uses the oidc-client-js library to retrieve tokens using the implicit flow. 现在浏览器中的内容...查看一个示例,例如JavaScriptImplicitClient ,该示例使用oidc-client-js库使用隐式流程检索令牌。 The token is stored in the browser which is accessible using JavaScript and there by open to XSS attacks. 令牌存储在浏览器中,可以使用JavaScript进行访问,并且可以通过XSS攻击进行访问。 In order to avoid that, suggestions indicates storing the token in a cookie and then setup a mechanism to prevent CSRF attacks. 为了避免这种情况,建议指示将令牌存储在cookie中,然后设置一种机制来防止CSRF攻击。
Seems simple, but what sets that cookie? 看起来很简单,但是是什么设置了该Cookie?
Is it the IdSvr?
是IdSvr吗? Doesn't make sense since it's the API that needs the cookie. 没道理,因为是需要Cookie的API。 Is it the API?
是API吗? During Implicit Flow login, are the user then redirected to the API which sets up the session and then redirects the user back to the SPA with a Set-Cookie header? 在隐式流登录过程中,是否将用户重定向到设置会话的API,然后使用Set-Cookie标头将用户重定向回SPA? Then the cookie will be present to the API on subsequent requests. 然后,该Cookie将在后续请求中呈现给API。 Third solution?
第三个解决方案? Some is mentioning creating a second 'API' that proxies requests to the 'real' API, but sets the auth header. 有人提到创建第二个“ API”来代理对“真实” API的请求,但设置了auth标头。
Do you have any samples of such a setup, or can you maybe provide some hints about how you'd do it? 您是否有这种设置的示例,或者是否可以提供一些有关如何进行设置的提示?
1 个解决方案
解决方案1
1 已采纳 2016-12-16 17:20:58
Personally, most of the times the avoidance of Web Storage for tokens due to XSS seems to be exacerbated a bit. 就个人而言,在大多数情况下,由于XSS而避免使用Web存储令牌的情况似乎有所加剧。 There is one important question, if your application is vulnerable to XSS, will the impact of this vulnerability be significantly increased because you also leaked tokens or you already got totally pwned even if you didn't store tokens there and you're in the same type of trouble. 有一个重要的问题,如果您的应用程序容易受到XSS的攻击,此漏洞的影响是否会显着增加,因为您还泄漏了令牌,或者即使您没有在其中存储令牌也已经完全被伪装了。麻烦的类型。
I made a comparison of the pros and cons of a few approaches to store access tokens in web browser application which you can check in this answer to a related question . 我对几种将访问令牌存储在Web浏览器应用程序中的方法的利弊进行了比较,您可以在此答案中找到相关问题 。
In the end each case ends up having their own specifics which may tip the balance between one approach versus the other (cookies or web storage). 最后,每种情况最终都有自己的详细信息,这可能会在一种方法与另一种方法(cookie或Web存储)之间取得平衡。 Just don't ignore any option from the start and look at all of them based on your requirements. 只是不要一开始就忽略任何选项,而是根据您的要求查看所有选项。
I bet that there are implementations out there that store them in HTTP-Only cookies to avoid the XSS issue with Web Storage and then end-up using a CSRF mitigation strategy that is vulnerable in the face of XSS . 我敢打赌,那里有一些实现将它们存储在仅HTTP的cookie中,以避免Web Storage出现XSS问题, 然后最终使用CSRF缓解策略来应对,该策略在XSS面前很容易受到攻击 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.