Using the authorization code grant without using cookies?

I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal:

  • OAuth2
  • OpenID Connect
  • SPA / Mobile Client
  • JWT

solution that has banking-level security quality as far as the above components are concerned. So this is what seems to make sense.

  • Use the Authorization Code Grant without using server-side sessions and cookies, since this OAuth flow is more secure than the implicit flow.
  • Do not create server-side sessions or cookies (besides perhaps remember-me cookies to identify whether the client has been authenticated before). This is better for scaling and overall simplicity.
  • Return a JWT / OpenID Connect token to the client so that the client can use it to make API requests and for making authorization decisions within the client. (I think this is what the OAuth2 hybrid Authorization Code Grant / Implicit flow is?) Store the JWT / OpenID Connect token in the client's session storage.
  • Have short-lived JWT tokens and also offer up refresh tokens until the user logs out. The client would automatically receive refresh tokens unless it times out / the client-side session expires or the user logs out. The refresh tokens would be fetched and served by the edge server / OAuth client that the SPA / mobile app is talking to.
  • On logout (or timeout), remove the token from browser session storage.

Is any of this crazy / does it sound reasonable? It skips over invalidating tokens, but it seems ok to do this if the tokens have very short life times and the client can get refresh tokens. I'd like to implement this using Spring-Boot / Spring Security and Angular 4/5 and I'm wondering if I missed anything obvious or perhaps there is an even simpler approach that does not sacrifice/lower security?

Also do you think this would pass "Banking" level security standards check?

Ole asked Oct 30 '22 01:10


1 Answer

Update: Implicit flow is no longer recommended. It is advised to use the authorization code flow with PKCE even for SPAs.


Original answer

A few things to clear out:

1. You have to use implicit flow for browser based applications

This is because such applications cannot be made confidential and cannot protect a refresh token they receive. The OAuth 2.0 RFC also explains this flow.

Also, according to OAuth2.0 Refresh token definition, Refresh tokens are sort of a credential.

Refresh tokens are credentials used to obtain access tokens

Section 10.4 of RFC 6749 explains more about refresh token security, thus explaining the need to use implicit flow for browser-based applications.

2. Implicit flow does not send a refresh token

From OAuth2.0 RFC

When using the implicit grant type flow, a refresh token is not returned, which requires repeating the authorization process once the access token expires.

So when the access token expires, you have to go through the same flow to obtain a new token set.

3. ID tokens usage

Must validate according to the specification. If the ID token is valid, the user is authenticated.

4. API calls

Two options: either use the access token or use the ID token.

Using the access token to communicate with API endpoints is common. It is the intended usage of the access token. From the API endpoint, the access token can be validated using the introspection endpoint (if the identity provider supports one).

But the ID token JWT can also be used as a bearer token. For this to be done, the API endpoint will need a wrapper to validate the ID token. This blog/document contains some good points to consider.

Kavindu Dodanduwa answered Nov 15 '22 21:11