stackoom
  简体   繁体   中英

Browser applications and auth tokens again

 原文  2016-12-14 20:48:41       oauth/ single-page-application/ access-token/ identityserver3/ identityserver4

Question

I've been reviewing how we should handle OAuth authentication in our browser application (SPA), and there's a whole bunch of articles out there that makes it all really confusing... I'm really missing something concrete and best practice guidance for a very simple setup.

We have this ASP.NET Web API 2 that's protected using tokens issued by IdSvr3. So far so good. Works with native clients and server apps.

Now to the browser stuff... Looking at a sample such as JavaScriptImplicitClient which uses the oidc-client-js library to retrieve tokens using the implicit flow. The token is stored in the browser which is accessible using JavaScript and there by open to XSS attacks. In order to avoid that, suggestions indicates storing the token in a cookie and then setup a mechanism to prevent CSRF attacks.

Seems simple, but what sets that cookie?

  • Is it the IdSvr? Doesn't make sense since it's the API that needs the cookie.

  • Is it the API? During Implicit Flow login, are the user then redirected to the API which sets up the session and then redirects the user back to the SPA with a Set-Cookie header? Then the cookie will be present to the API on subsequent requests.

  • Third solution? Some is mentioning creating a second 'API' that proxies requests to the 'real' API, but sets the auth header.

Do you have any samples of such a setup, or can you maybe provide some hints about how you'd do it?

1 answers

solution1
 1 ACCPTED  2016-12-16 17:20:58

Personally, most of the times the avoidance of Web Storage for tokens due to XSS seems to be exacerbated a bit. There is one important question, if your application is vulnerable to XSS, will the impact of this vulnerability be significantly increased because you also leaked tokens or you already got totally pwned even if you didn't store tokens there and you're in the same type of trouble.

I made a comparison of the pros and cons of a few approaches to store access tokens in web browser application which you can check in this answer to a related question .

In the end each case ends up having their own specifics which may tip the balance between one approach versus the other (cookies or web storage). Just don't ignore any option from the start and look at all of them based on your requirements.

I bet that there are implementations out there that store them in HTTP-Only cookies to avoid the XSS issue with Web Storage and then end-up using a CSRF mitigation strategy that is vulnerable in the face of XSS .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Storing O-Auth Tokens Browser and Webserver api authentication tokens OpenIddict, after restarting auth server the tokens are invalidated HMAC Auth Approach in WebAPI / Web Applications Use of Window.postMessage to send auth tokens to embedded apps Can Google Account auth tokens be shared between services? Security and best practices for auth w/ refresh & access tokens OAuth 2.0 How to invalidate granted auth tokens using password grant What is the difference between access tokens and auth_codes in OAuth 2 Node.js - How to use access / auth tokens?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM