Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Options for token storage and refresh in SPAs

Tags:

reactjs

angular

oauth-2.0

jwt

owasp

I've been reading Aaron Parecki's draft of browser-based apps' (meaning SPAs like those developed with React or Angular) authentication best practices with OAuth 2 as well as OWASP security guidelines, and it left me really confused:

  1. The draft of the RFC mentions rotating refresh tokens. Now how would I do that while adhering to stateless constraint of REST? Do I include some digest of a random string in the cookie and the refresh token as well and check if they are equal?
  2. What is the correct way (or rather, some of the more secure ways) of storing refresh tokens in the browser? I've checked okta's JS auth library, and it uses localStorage by default, which OWASP guidelines recommend against. Does it have some kind of extra protection? Should I put some extra digest in it and also put it in a cookie and match them?
  3. OWASP recommends session IDs should be completely opaque to the client, but if we use JWT, doesn't it violate this principle? Does this mean I should always encrypt my JWTs with a symmetric cipher?

Some references:

  • https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-04#section-4
  • https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md
  • https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md
  • https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md
like image 371
nromaniv Avatar asked Jan 21 '20 22:01

nromaniv

People also ask

Where should I store my tokens?

To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that's only sent in HTTP requests to the server. It's never accessible (both for reading or writing) from JavaScript running in the browser.

What is the best way to store refresh token?

The authorization server can contain this risk by detecting refresh token reuse using refresh token rotation. If your application uses refresh token rotation, it can now store it in local storage or browser memory. You can use a service like Auth0 that supports token rotation.

Where is refresh token SPA stored?

Securely store tokens In a web browser, there are multiple options to store tokens. You can store them in cookies or you can store them in HTML5 storage(sessionStorage or localStorage) or you can save them in the browser memory.

Can database refresh token be stored?

Store refresh tokens in a secure location, such as a password-protected file system or an encrypted database. Limit access to users who need the tokens to make API calls. If you believe that a refresh token has been accessed by an unauthorized user, delete it and create a new one.

1 Answers

TRADITIONAL SPA FLOW

In the traditional SPA flow it was standard to use iframes to silently renew tokens.

Meanwhile access tokens were best stored only in memory and should also be short lived. There were still threats of capturing tokens in transit, some of which are explored in this post of mine.

2021 UPDATE

There are two big changes to browswrs that are related to SPA token refresh:

  • Browsers drop third party cookies aggressively, meaning that traditional SPA token refresh no longer work reliably (eg in the Safari browser)

  • Browser cookies security has become stronger via SameSite=strict cookies, and concerns about XSS threats (video) have increased

BACK END FOR FRONT END

So it is now recommended to store refresh tokens in HTTP only encrypted SameSite=strict cookies. This is best done in an API driven manner, to avoid impacting the web architecture. See this blog post for some up-to-date best practices and links to resources including a React code example.

like image 71
Gary Archer Avatar answered Oct 27 '22 21:10

Gary Archer
Sign in to Comment

Related questions

No NgModule metadata found for 'AppModule' after upgrade from Angular 5 to Angular 7
npm error - Cannot find module './selenium-webdriver/lib/input'
Angular Universal does not work with Angular Google Maps
ion-slides pagination bullet overlap the slides content [Ionic 4]
RxJs - Jasmine marbles forkJoin operator test
Can set some type for FormControl value?
"Error: No base href set." after upgrade to Angular 8
Error in d3.js after upgrading to Angular 8
possible to add crossorigin attribute to script tags generated by angular cli?
Angular Universal TTFB is very slow
ERROR TypeError: You provided 'undefined' where a stream was expected. You can provide an Observable, Promise, Array, or Iterable in Angular Services
How to add static content to my horizontal angular mat-table?
How to solve Argument of type 'boolean' is not assignable to parameter of type 'string' error in setAttribute() function
NullInjectorError: No provider for ElementRef
How to bind checkbox to string value in Angular7?
Angular Material Flat Tree Parent Children Graphical Representaion
Why does lazy loading angular modules create extra chunk default~customer-customer-module~order-order-module?
The new command requires to be run outside of a project, but a project definition was found at
In Angular 7 how to load CSS of Arabic language (RTL) from English language (LTR)
FirebaseError: Function DocumentReference.set() called with invalid data. Unsupported field value: undefined (found in field nombre)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!