Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why can't I store an oauth refresh token in the browser?

Tags:

security

authentication

web-applications

refresh-token

oauth2

I want to store an oauth refresh token in the browser. The reason I want to store it there is so that the app can refresh the access token and let the user continue their session uninterrupted. I also want to eliminate the need for any kind of cache on the server to store the tokens, thus making it stateful.

I'm told that storing the refresh token in the browser is wrong because it's insecure.

I think it's OK because:

  • The tokens would be stored in httpOnly, secure session cookies so they shouldn't be vulnerable to XSS or man in the middle attacks and they will be discarded when the user closes their session.
  • All communication to the server is done via HTTPS
  • The refresh token can be invalidated if suspicious activity is detected
  • Most importantly you can't use the refresh token unless you know the client secret which would be known only by the server.

Am I wrong to think it should be OK? Please explain why!

like image 285
Mark Stickley Avatar asked Oct 28 '16 16:10

Mark Stickley

People also ask

Where should I store the refresh token?

The authorization server can contain this risk by detecting refresh token reuse using refresh token rotation. If your application uses refresh token rotation, it can now store it in local storage or browser memory.

Can refresh token be stored in cookie?

Store your access token in memory, and store the refresh token in the cookie: Link to this section. Why is this safe from CSRF? Yes, a form submit to /refresh_token would work and a new access token will be returned, but the attacker can't read the response if they're using an HTML form.

How do I refresh OAuth access token?

To use the refresh token, make a POST request to the service's token endpoint with grant_type=refresh_token , and include the refresh token as well as the client credentials if required.

Where are OAuth tokens stored?

Most guidelines, while advising against storing access tokens in the session or local storage, recommend the use of session cookies. However, we can use session cookies only with the domain that sets the cookie. Another popular suggestion is to store access tokens in the browser's memory.

1 Answers

Storing the tokens in an httpOnly, secure cookie is probably the best you can achieve security-wise. The problem sometimes is that an httpOnly cookie is not good enough due to other (non-security) reasons as Javascript obviously does not have access (that's the point). So people sometimes want to store tokens in other browser stores like localStorage, or slightly better, in JavaScript objects, both of which are significantly less secure than an httpOnly cookie (but still may be good enough for some applications).

Storing the token in an httpOnly and secure cookie makes it pretty much equivalent to a session id, and its security will also be the same in this respect (obviously other aspects may be different).

like image 150
Gabor Lengyel Avatar answered Sep 29 '22 22:09

Gabor Lengyel
Sign in to Comment

Related questions

Is it possible to access RSA Secure Id programmatically for use in Test Automation?
Feature Flagging vs Authorization
LDAP JWT OAuth scheme explanation
Untrusted GPGPU code (OpenCL etc) - is it safe? What risks?
How to use Shiro for authenticating cookie based or facebook user?
What is the simplest secure way to authenticate users via AJAX?
InvalidKeyException: Only SecretKey is supported
Can I configure SMTP in IIS, so it relays to a remote SMTP server?
Encrypting cookies in PHP
Is explicitly clearing/zeroing sensitive variables after use sensible?
Send Public key(generated as seckeyref in iPhone) to server(in Java)
How to secure Intent data while sending it across applications
Is there a more secure way to store sensitive string in an Android project?
Authenticate and sign HTTP request
Tomcat Virtual Host to prevent Improper-Input-Handling attack
OAuth2 flow from resource server to another
Symmetric integer to integer encryption
Generating a unique *and* random URL in C#
HTML5 offline authentication
How to deny with 404 on nginx

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!