0

I've been reviewing how we should handle OAuth authentication in our browser application (SPA), and there's a whole bunch of articles out there that makes it all really confusing... I'm really missing something concrete and best practice guidance for a very simple setup.

We have this ASP.NET Web API 2 that's protected using tokens issued by IdSvr3. So far so good. Works with native clients and server apps.

Now to the browser stuff... Looking at a sample such as JavaScriptImplicitClient which uses the oidc-client-js library to retrieve tokens using the implicit flow. The token is stored in the browser which is accessible using JavaScript and there by open to XSS attacks. In order to avoid that, suggestions indicates storing the token in a cookie and then setup a mechanism to prevent CSRF attacks.

Seems simple, but what sets that cookie?

  • Is it the IdSvr? Doesn't make sense since it's the API that needs the cookie.

  • Is it the API? During Implicit Flow login, are the user then redirected to the API which sets up the session and then redirects the user back to the SPA with a Set-Cookie header? Then the cookie will be present to the API on subsequent requests.

  • Third solution? Some is mentioning creating a second 'API' that proxies requests to the 'real' API, but sets the auth header.

Do you have any samples of such a setup, or can you maybe provide some hints about how you'd do it?

Tommy Jakobsen
  • 2,323
  • 6
  • 39
  • 66

1 Answers1

1

Personally, most of the times the avoidance of Web Storage for tokens due to XSS seems to be exacerbated a bit. There is one important question, if your application is vulnerable to XSS, will the impact of this vulnerability be significantly increased because you also leaked tokens or you already got totally pwned even if you didn't store tokens there and you're in the same type of trouble.

I made a comparison of the pros and cons of a few approaches to store access tokens in web browser application which you can check in this answer to a related question.

In the end each case ends up having their own specifics which may tip the balance between one approach versus the other (cookies or web storage). Just don't ignore any option from the start and look at all of them based on your requirements.

I bet that there are implementations out there that store them in HTTP-Only cookies to avoid the XSS issue with Web Storage and then end-up using a CSRF mitigation strategy that is vulnerable in the face of XSS.

Community
  • 1
  • 1
João Angelo
  • 56,552
  • 12
  • 145
  • 147
  • Thank you very much for your comment. Your answer you linked to was very informative. You should turn that into a blog post. I've been looking for something that sums things up that clearly, but also concludes it with their opinion. – Tommy Jakobsen Dec 18 '16 at 19:13