
how to deal with access token and refresh token in client side

I am creating a website using an AngularJS client side and communicating in REST with a backend (in another domain).

To authenticate every call, I pass a token through the header of each HTTPS call: "Authorization: Bearer access_tokenXXXXXX"

When the token expires, I am able to create a new one thanks to a refresh_token.

The access_token and the refresh_token need to be stored client side, because the browser needs to have it in clear text before setting it in the HTTP request header.

My questions are:

Question 1: What is the recommended way to store the access_token and the refresh_token to make it available to the browser so it is relatively secure? (I have quite sensitive data like personal pictures)

Question 2: What are the recommended lifetimes (= time before it is not usable) for access_token AND refresh_token? (FYI I refresh the token after a 401 response, and my app is a social app)

Question 3: Do I have an architectural issue? Should I change it in order not to have JavaScript using the token at all, and use HTTP-ONLY cookies?

Thanks :)

Geoffrey

UPDATE:

I finally chose to go for HTTP-ONLY cookies. I am using Django OAuth Toolkit, so Django expects the authorization in the HTTP header, and not in a cookie.

To solve that, I am using a middleware that gathers the token from the cookie and sets it in the header. It should also allow me to re-authenticate the user (with the refresh token) before the access_token expires.

Geoffrey D Avatar asked Dec 16 '15 14:12



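The cookie-to-header middleware the update describes, as an added example that is not the asker's code and not part of Django OAuth Toolkit. It follows the Django middleware calling convention (`get_response` callable, `request.COOKIES`, `request.META["HTTP_AUTHORIZATION"]`) but is written against a minimal stub request so it runs without Django; the cookie name `access_token` and the `StubRequest` class are assumptions. It also shows the `Set-Cookie` attributes that keep the token out of reach of page scripts (HttpOnly) and off plaintext HTTP (Secure), which is the whole point of moving the token into a cookie.

```python
import re

# Assumed cookie name; the backend still only reads the Authorization header.
ACCESS_COOKIE = "access_token"

# Bearer tokens (opaque or JWT) use this character set. Rejecting anything
# else means a tampered cookie cannot carry CR/LF or spaces into a header.
TOKEN_RE = re.compile(r"\A[A-Za-z0-9._~+/=-]+\Z")


class CookieToBearerMiddleware:
    """Django-style middleware: copy the HttpOnly access-token cookie into the
    Authorization header so a header-only OAuth backend keeps working."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # Leave an explicit client-supplied header alone, so API clients that
        # already send "Authorization: Bearer ..." are unaffected.
        if "HTTP_AUTHORIZATION" not in request.META:
            token = request.COOKIES.get(ACCESS_COOKIE, "")
            if token and TOKEN_RE.match(token):
                request.META["HTTP_AUTHORIZATION"] = f"Bearer {token}"
        return self.get_response(request)


def token_cookie_header(name, value, max_age, secure=True, samesite="Lax"):
    """Build the Set-Cookie value for a token cookie: HttpOnly keeps it away
    from JavaScript, Secure keeps it off plaintext HTTP, Max-Age bounds its
    life to the token's own lifetime."""
    if not TOKEN_RE.match(value):
        raise ValueError("token contains characters not allowed in a cookie")
    parts = [f"{name}={value}", f"Max-Age={int(max_age)}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


class StubRequest:
    """Constructed stand-in for django.http.HttpRequest (assumption)."""

    def __init__(self, cookies=None, meta=None):
        self.COOKIES = dict(cookies or {})
        self.META = dict(meta or {})


def authorization_after_middleware(cookies, meta=None):
    """Run a request through the middleware and return the Authorization
    header the view would see (None if no header was set)."""
    middleware = CookieToBearerMiddleware(lambda req: req)
    handled = middleware(StubRequest(cookies, meta))
    return handled.META.get("HTTP_AUTHORIZATION")


if __name__ == "__main__":
    # Constructed sample cookie jar, not a real token.
    print(authorization_after_middleware({"access_token": "abc.def-123"}))
    print(token_cookie_header("access_token", "abc.def-123", max_age=600))
```

In a real Django project the class goes into `MIDDLEWARE` ahead of the OAuth authentication layer, and the view that receives the token from the authorization server returns it with `token_cookie_header` rather than in the response body. Setting `Max-Age` to the access token's lifetime means an expired token is dropped by the browser on its own.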

1 Answer

I think you're right in asking question 3. Definitely use HTTP-only cookies; that's the safest type of browser storage.

As described in the links provided by smwikipedia, using HTTP-Only cookies helps defend against XSS. To also defend against CSRF you should check out this AngularJS mechanism.

The actual format of the cookies can be JWT or anything else.

The answer to question 2 really depends on your users' sweet spot in trading off between tight security and convenience. You know your users best so it's really your own judgement call.

orange77 Avatar answered Sep 19 '22 14:09

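The CSRF defence the answer points to is the AngularJS `$http` convention: the server sets a readable `XSRF-TOKEN` cookie, the client script echoes it back in an `X-XSRF-TOKEN` header, and the server only accepts a state-changing request when the two match (an attacker's cross-site form can make the browser send the cookie but cannot read it to fill the header). The server side of that check, as an added example that is not from the answer and not from AngularJS; it takes plain header names rather than WSGI `HTTP_*` keys, and the `Set-Cookie` helper is an assumption. One caveat for the asker's setup: AngularJS only attaches the header to same-domain requests, so with the API on a different domain the page and API need to share a site (or a custom interceptor) for this to work.

```python
import hmac
import secrets

XSRF_COOKIE = "XSRF-TOKEN"    # AngularJS $http default cookie name
XSRF_HEADER = "X-XSRF-TOKEN"  # AngularJS $http default header name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_xsrf_token():
    """Fresh unguessable token; the server stores nothing, the browser holds it."""
    return secrets.token_urlsafe(32)


def xsrf_cookie_header(token):
    """Set-Cookie value for the double-submit cookie. Deliberately NOT HttpOnly:
    the page script must be able to read it to copy it into the header."""
    return f"{XSRF_COOKIE}={token}; Path=/; Secure; SameSite=Lax"


def request_passes_xsrf(method, cookies, headers):
    """True if a request may proceed. Safe methods are never blocked; any other
    method must carry matching cookie and header values."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_val = cookies.get(XSRF_COOKIE, "")
    header_val = headers.get(XSRF_HEADER, "")
    if not cookie_val or not header_val:
        return False
    # Constant-time comparison so timing does not leak how many leading
    # characters of a guessed header matched.
    return hmac.compare_digest(cookie_val.encode(), header_val.encode())


if __name__ == "__main__":
    # Constructed exchange: the server issues the cookie on a GET, the
    # AngularJS client reflects it on a POST, a cross-site POST cannot.
    token = issue_xsrf_token()
    print(xsrf_cookie_header(token))
    print(request_passes_xsrf("POST", {XSRF_COOKIE: token}, {XSRF_HEADER: token}))
    print(request_passes_xsrf("POST", {XSRF_COOKIE: token}, {}))
```

This is the plain double-submit pattern, which relies on an attacker not being able to set cookies for your domain; if untrusted subdomains exist, bind the token to the session (for example by signing it with a server secret) so a planted cookie does not pass.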