
How to protect the refresh token from hacker

I googled a lot on how to protect the refresh_token from a hacker, because it will be stored somewhere in the browser's local-storage / cookie, so a hacker can easily steal those tokens, and I couldn't find a proper answer, so I came here.

I understand that the access_token will expire in less time and we should use the refresh_token to get a new access_token. But if the hackers steal the refresh_token, he can stay a logged-in user for a long time, right?

Some people are saying you can protect it using client_id and client_secret, but the hacker is going to access the endpoint of the API, which has the client_id and client_secret. So again, a hacker can get a new access_token easily.

So I am finding no way to prevent the hacker from getting a new access_token.

Can someone guide me here on how I can prevent the hacker from getting access to the refresh token from the browser's local-storage / cookie?

From the context of your explanation, you are talking about a browser-based application. If this application is one that does not have a backend, then you do not have a secure place to store your long-lived tokens or client secrets.

From the OAuth 2.0 perspective, these are called public clients. Thus the protocol does not allow them to have a client secret. So they have a client ID and a redirect URL for client authentication (client identification). The implicit flow is one key flow suitable for an SPA that runs in the browser. By specification, they will not get a refresh token. The reason is their inability to protect such secrets.

But if you have a backend and have the ability to correlate the browser session and backend storage, you can use a flow that gives you a refresh token and store it securely. But this requires your application architecture to support such things (e.g. browser session and backend storage).

Also, rather than making the end user log in every time, you may use the identity server's logged-in state to skip the login. This too will rely on the identity server's browser cookie and its lifetime. For example, the identity server may have a browser session valid for 24 hours. So your client will not see the login page when accessing the application within that time.
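The backend-based design the answer describes, sketched in Python as an added example (this is not code from the original thread or from any OAuth library). It assumes a backend-for-frontend that holds the refresh token and client secret server-side, hands the browser only an opaque session id in an HttpOnly, Secure, SameSite cookie, and refreshes the access token on the user's behalf. The identity provider is simulated by a constructed SimulatedAuthServer class, and the client credentials, token prefixes and lifetime are constructed demo values; a real deployment would talk to the provider's token endpoint over HTTPS instead.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed demo values: the BFF's confidential-client credentials and a
# short access-token lifetime so the refresh path is easy to exercise.
CLIENT_ID = "bff-client"
CLIENT_SECRET = "bff-secret"
ACCESS_TOKEN_TTL = 300  # seconds


class SimulatedAuthServer:
    """Stand-in for the identity provider's token endpoint (constructed, not a real IdP).

    It authenticates the confidential client, checks that the refresh token is
    still live and rotates it on every use, so a replayed refresh token fails."""

    def __init__(self) -> None:
        self._live_refresh_tokens: Set[str] = set()

    def issue_tokens(self) -> Tuple[str, str]:
        """Tokens issued after a successful login (the code exchange itself is elided)."""
        refresh_token = "rt_" + secrets.token_urlsafe(16)
        self._live_refresh_tokens.add(refresh_token)
        return refresh_token, "at_" + secrets.token_urlsafe(16)

    def refresh(self, refresh_token: str, client_id: str, client_secret: str) -> Tuple[str, str]:
        if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        if refresh_token not in self._live_refresh_tokens:
            raise PermissionError("refresh token unknown or already used")
        self._live_refresh_tokens.discard(refresh_token)  # single use: rotation
        return self.issue_tokens()


@dataclass
class BackendSession:
    refresh_token: str
    access_token: str
    access_expires_at: float


class BackendForFrontend:
    """Server-side session store keyed by an opaque id; the browser only ever holds that id."""

    def __init__(self, auth: SimulatedAuthServer, clock: Callable[[], float] = time.time) -> None:
        self._auth = auth
        self._clock = clock  # injectable so expiry can be simulated
        self._sessions: Dict[str, BackendSession] = {}

    def login(self) -> Tuple[str, str]:
        """Return (session id, Set-Cookie header). Both tokens stay in self._sessions."""
        refresh_token, access_token = self._auth.issue_tokens()
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = BackendSession(
            refresh_token, access_token, self._clock() + ACCESS_TOKEN_TTL)
        # HttpOnly keeps page scripts away from the id; Secure and SameSite limit
        # where it travels. No token material is ever placed in the cookie.
        cookie = f"sid={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"
        return session_id, cookie

    def get_access_token(self, session_id: str) -> Optional[str]:
        """Used by the BFF when proxying an API call; refreshes transparently."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._clock() >= session.access_expires_at:
            try:
                new_rt, new_at = self._auth.refresh(
                    session.refresh_token, CLIENT_ID, CLIENT_SECRET)
            except PermissionError:
                del self._sessions[session_id]  # refresh failed: drop the session
                return None
            session.refresh_token = new_rt
            session.access_token = new_at
            session.access_expires_at = self._clock() + ACCESS_TOKEN_TTL
        return session.access_token

    def logout(self, session_id: str) -> None:
        """Server-side revocation: the cookie value becomes useless immediately."""
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    bff = BackendForFrontend(SimulatedAuthServer())
    sid, cookie = bff.login()
    print(cookie)                      # only the opaque id reaches the browser
    print(bff.get_access_token(sid))   # the BFF uses the token; the page never sees it
```

The point the code makes is that a script injected into the page (or a stolen local-storage dump) yields at most an opaque session id, which the backend can invalidate at any time, rather than a long-lived refresh token plus the client secret needed to use it.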

You can try using this library, Secure-ls, to protect local storage.
