I've been reading Aaron Parecki's draft of browser-based apps' (meaning SPAs like those developed with React or Angular) authentication best practices with OAuth 2 as well as OWASP security guidelines, and it left me really confused: <ol> <li>The draft of the RFC mentions rotating refresh tokens. Now how would I do that while adhering to stateless constraint of REST? Do I include some digest of a random string in the cookie and the refresh token as well and check if they are equal?</li> <li>What is the correct way (or rather, some of the more secure ways) of storing refresh tokens in the browser? I've checked okta's JS auth library, and it uses <code>localStorage</code> by default, which OWASP guidelines recommend against. Does it have some kind of extra protection? Should I put some extra digest in it and also put it in a cookie and match them?</li> <li>OWASP recommends session IDs should be completely opaque to the client, but if we use JWT, doesn't it violate this principle? Does this mean I should always encrypt my JWTs with a symmetric cipher?</li> </ol> Some references: <ul> <li>https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-04#section-4</li> <li>https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md</li> <li>https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md</li> <li>https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md</li> </ul>

TRADITIONAL SPA FLOW In the traditional SPA flow it was standard to use iframes to silently renew tokens. Meanwhile access tokens were best stored only in memory and should also be short lived. There were still threats of capturing tokens in transit, some of which are explored in this post of mine. 2021 UPDATE There are two big changes to browswrs that are related to SPA token refresh: <ul> <li> Browsers drop third party cookies aggressively, meaning that traditional SPA token refresh no longer work reliably (eg in the Safari browser) </li> <li> Browser cookies security has become stronger via <code>SameSite=strict</code> cookies, and concerns about XSS threats (video) have increased </li> </ul> BACK END FOR FRONT END So it is now recommended to store refresh tokens in HTTP only encrypted <code>SameSite=strict</code> cookies. This is best done in an API driven manner, to avoid impacting the web architecture. See this blog post for some up-to-date best practices and links to resources including a React code example.

Options for token storage and refresh in SPAs

Tags:

reactjs

angular

oauth-2.0

jwt

owasp

I've been reading Aaron Parecki's draft of browser-based apps' (meaning SPAs like those developed with React or Angular) authentication best practices with OAuth 2 as well as OWASP security guidelines, and it left me really confused:

The draft of the RFC mentions rotating refresh tokens. Now how would I do that while adhering to stateless constraint of REST? Do I include some digest of a random string in the cookie and the refresh token as well and check if they are equal?
What is the correct way (or rather, some of the more secure ways) of storing refresh tokens in the browser? I've checked okta's JS auth library, and it uses localStorage by default, which OWASP guidelines recommend against. Does it have some kind of extra protection? Should I put some extra digest in it and also put it in a cookie and match them?
OWASP recommends session IDs should be completely opaque to the client, but if we use JWT, doesn't it violate this principle? Does this mean I should always encrypt my JWTs with a symmetric cipher?

Some references:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-04#section-4
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md

371

asked Jan 21 '20 22:01

nromaniv

1 Answers

TRADITIONAL SPA FLOW

In the traditional SPA flow it was standard to use iframes to silently renew tokens.

Meanwhile access tokens were best stored only in memory and should also be short lived. There were still threats of capturing tokens in transit, some of which are explored in this post of mine.

2021 UPDATE

There are two big changes to browswrs that are related to SPA token refresh:

Browsers drop third party cookies aggressively, meaning that traditional SPA token refresh no longer work reliably (eg in the Safari browser)
Browser cookies security has become stronger via SameSite=strict cookies, and concerns about XSS threats (video) have increased

BACK END FOR FRONT END

So it is now recommended to store refresh tokens in HTTP only encrypted SameSite=strict cookies. This is best done in an API driven manner, to avoid impacting the web architecture. See this blog post for some up-to-date best practices and links to resources including a React code example.

answered Oct 27 '22 21:10

Gary Archer

Related questions
                            
                                No NgModule metadata found for 'AppModule' after upgrade from Angular 5 to Angular 7
                            
                                npm error - Cannot find module './selenium-webdriver/lib/input'
                            
                                Angular Universal does not work with Angular Google Maps
                            
                                ion-slides pagination bullet overlap the slides content [Ionic 4]
                            
                                RxJs - Jasmine marbles forkJoin operator test
                            
                                Can set some type for FormControl value?
                            
                                "Error: No base href set." after upgrade to Angular 8
                            
                                Error in d3.js after upgrading to Angular 8
                            
                                possible to add crossorigin attribute to script tags generated by angular cli?
                            
                                Angular Universal TTFB is very slow
                            
                                ERROR TypeError: You provided 'undefined' where a stream was expected. You can provide an Observable, Promise, Array, or Iterable in Angular Services
                            
                                How to add static content to my horizontal angular mat-table?
                            
                                How to solve Argument of type 'boolean' is not assignable to parameter of type 'string' error in setAttribute() function
                            
                                NullInjectorError: No provider for ElementRef
                            
                                How to bind checkbox to string value in Angular7?
                            
                                Angular Material Flat Tree Parent Children Graphical Representaion
                            
                                Why does lazy loading angular modules create extra chunk default~customer-customer-module~order-order-module?
                            
                                The new command requires to be run outside of a project, but a project definition was found at
                            
                                In Angular 7 how to load CSS of Arabic language (RTL) from English language (LTR)
                            
                                FirebaseError: Function DocumentReference.set() called with invalid data. Unsupported field value: undefined (found in field nombre)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With