
I want to use something like OAuth Implicit Grant to give the client the access token so that work can be done on the client rather than the server, thus saving me costs.

I don't want to use Implicit exactly. Instead, I want to use Authorization Grant. My server will be first to get the access token, so the browser won't store the token in the history or logs. The server will send the token to the client via web socket. The client will now have the token in its JavaScript runtime.

I am wondering if it is possible for anyone to steal the token. The client is on a trusted website; however, I am wondering if something like a Chrome extension can inspect the JavaScript runtime and see the access token's value.

I am also wondering if there are any other ways someone could get the access token out of the client's JavaScript runtime.

Croolsby
  • By "someone" do you mean your user or a 3rd party? – hindmost Jan 25 '19 at 08:03
  • Extensions can intercept everything sent by or received by a web site as they can hook XMLHttpRequest, fetch, jQuery, etc., including the variables accessible from the global window namespace ([examples](https://stackoverflow.com/a/9517879)). I think you can detect the tampering by checking the function code - the original one contains `[native code]`. – wOxxOm Jan 25 '19 at 08:20
  • Thank you wOxxOm, I think that alone is a deal breaker for me. The access token has no expiration (I don't have control over this), so if there is any way for a third party to see inside the client's JavaScript or communication, then it is too much risk. – Croolsby Jan 26 '19 at 02:02

1 Answer


It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely).

If you are building a new SPA, you should consider implementing the new guidance based on authorization code with PKCE.

jwilleke