
I find ensuring safety for OAuth with JS apps a̶ ̶p̶a̶i̶n̶ ̶i̶n̶ ̶t̶h̶e̶ ̶a̶.̶.̶.̶ very annoying :(


Let's imagine I am Alice, a legal user, using a JS single page app client of an OAuth server. I have logged in and received my tokens (access and refresh).

At some point, unfortunately, my still valid access token and the refresh token are retrieved by a malicious user, Bob (note that there is no reason only the refresh token could be retrieved since both are sent back by the OAuth server the same way).

Ok, so what I'm understanding from this question is that, well, that does not matter that much because evil Bob will only have a limited amount of time to do bad stuff, since the token has a short life.

Now let's assume the token has expired. In theory, all should be over for Bob.

But I do not understand what now prevents Bob from requesting a new token. What does Alice have that Bob does not, so that only Alice can get a new access token?


Let's now think of a slightly different client configuration: there is still a JS web app, but this time the actual OAuth client is a PHP back-end the JS client makes requests to. This PHP back-end acts as a sort of proxy and, as any OAuth client, makes/forwards requests to the OAuth server.

In this case, the refresh token could have been kept secret by the back-end, and Bob would have only retrieved the access token. But in this case, again, apart from this now-expired access token, which Bob does know, what data can Alice give the back-end so that it differentiates between her and Bob, so that the refreshing process is only done for Alice?

– Silverspur

1 Answer

For JavaScript applications (SPAs), you are supposed to use the implicit grant, which does not support refresh tokens. Basically, your users are redirected to the auth server, log in and get the access token. When the access token expires, they need to re-authenticate with the auth server.

Since you can't keep secrets in a JavaScript application, there's no client ID or secret:

The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI.

– MvdD
Thanks. In my case (though I did not mention it in the question) my SPA and the OAuth server are on the same domain and by the same author. I thought Resource Owner Password Credentials would have been the way to go in such a case, since I would have liked to avoid redirections. But this seems complicated with an SPA. By the way, how does Facebook allow staying connected that long from SPAs with short-life tokens? Some sort of automatic token renewal? – Silverspur Feb 09 '15 at 22:01