Scenario

Suppose a hacker using a single page webapp https://example.com?secure=maybe has authenticated and obtained an OpenID Connect token that is used to access microservices.

The hacker manages to fish these credentials out of the application. (Follow up question on that here)

The hacker creates another application running on localhost that loads the credentials obtained. The hacker also points localhost to https://example.com in /etc/hosts, such that opening the address https://example.com now runs the hacker's web application instead of the real one.

Question

Can the hacker's application now use the OpenID Connect token to access the same microservices that the original application uses it for?

The obvious answer seems like no, because https://example.com still resolves to the localhost IP address, and that's the only address that the browser knows to talk to, but I just wanted to make sure that's the case by asking...

Ole
  • A hacker cannot fake `https://example.com` because they won't have a trusted certificate for that domain and `localhost`, meaning SSL won't work. But if the hacker had the token, yes, they would have access, although there will be a TTL and they could also be signed out when the user logs back in. – Derrops Apr 09 '18 at 04:10
  • I guess a better way of putting it is: is it possible to recreate the browser environment / context that the REST requests that use the tokens are sent from? And if so, are microservices that serve SPAs that use OpenID Connect tokens really secure? – Ole Apr 09 '18 at 05:19
  • Perhaps the thing that provides the security is the fact that there's no way to see the content of a single page application variable that the browser holds. For example suppose we do "let token = REST.callSecurity()" ... can someone read the token using browser developer tooling or some other means? Is there a back door that allows them to read the content of token? – Ole Apr 09 '18 at 05:25
  • Asked follow up question here: https://stackoverflow.com/questions/49726180/is-it-possible-to-see-the-values-of-browser-based-javascript-variables-in-a-web – Ole Apr 09 '18 at 05:33
  • It's entirely possible there are ways in which the browser is compromised and we just don't know it yet. Hopefully vulnerabilities are always found and patched after some amount of time. For applications where security is highly important consider MFA or another level such as email as I have suggested in your original question. – Derrops Apr 09 '18 at 06:19
  • Note I didn't answer as I believe this question is probably a duplicate. – Derrops Apr 09 '18 at 06:19

1 Answer

You can, and perhaps should, use the Authorization Code Grant with SPA apps, along with Proof Key for Code Exchange by OAuth Public Clients (since there is no client secret).

jwilleke
  • True - The more I think about it that's probably best - Just use OpenID Connect to identify the user and then keep any user authorizations tied to a different token that is only server side accessible. – Ole Apr 09 '18 at 13:23
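As an added illustration of the PKCE mechanism the answer recommends (example code written for this page, not taken from the question, the answer or any library): the SPA generates a high-entropy code_verifier and sends only its S256 code_challenge with the authorization request; the token endpoint later recomputes the challenge from the verifier the client presents, so an authorization code captured on its own cannot be redeemed. The test vector is RFC 7636 Appendix B; the in-memory dictionary standing in for the authorization server's storage is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier by RFC 7636, section 4.1.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: random code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Assumed stand-in for the authorization server's storage: the challenge is
# recorded when the authorization code is issued, keyed by that code.
_issued_codes: dict[str, str] = {}


def issue_authorization_code(code_challenge: str) -> str:
    """Authorization endpoint: bind a fresh code to the client's challenge."""
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = code_challenge
    return code


def redeem_authorization_code(code: str, code_verifier: str) -> bool:
    """Token endpoint: the code is single-use and only valid with the matching
    verifier, so an interceptor holding just the code gets nothing."""
    stored_challenge = _issued_codes.pop(code, None)
    if stored_challenge is None:
        return False
    expected = code_challenge_s256(code_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def demo_intercepted_code_fails() -> bool:
    """Returns True when the legitimate client succeeds and an attacker who
    captured only the authorization code is refused."""
    verifier = generate_code_verifier()
    code = issue_authorization_code(code_challenge_s256(verifier))
    attacker_attempt = redeem_authorization_code(code, generate_code_verifier())
    # The code was consumed by the failed attempt; issue a second one for the
    # legitimate client to show the positive path as well.
    code2 = issue_authorization_code(code_challenge_s256(verifier))
    return (not attacker_attempt) and redeem_authorization_code(code2, verifier)
```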