This repository has been archived by the owner. It is now read-only.

Where can I store an access token and refresh token on client side? #2039

Closed
Jenanek opened this issue Oct 18, 2015 · 18 comments

Comments

@Jenanek

commented Oct 18, 2015

Hello,

I've tried to use IdentityServer3 in my SPA application.

I need help with where I can store an access token on the client.

Is it a secure solution to store this token in cookies or HTML5 Web Storage?

Thank you.
J.

@brockallen

Member

commented Oct 18, 2015

HTML5's sessionStorage is a good place

@Jenanek

Author

commented Oct 18, 2015

When I need to remember the refresh token after closing the browser, is it secure to work with localStorage too?
Thank you.
J.

@brockallen

Member

commented Oct 18, 2015

You can put that into localStorage, sure. But you might want your user to login each time they start the browser, no?

@Jenanek

Author

commented Oct 18, 2015

I want to log in one time, obtain an access token and a refresh token, save both (probably into localStorage), and then, after closing and reopening the browser, check localStorage and use the refresh token to obtain a new access token without logging in again. Is that a correct scenario?
Thank you.

@brockallen

Member

commented Oct 18, 2015

Also, refresh tokens aren't designed for JS based clients. I'd suggest using a long-lived reference token for your JS based apps.

@brockallen brockallen added the question label Oct 18, 2015

@Jenanek

Author

commented Oct 18, 2015

You recommend not using a refresh token in a SPA? What do you mean by a long-lived reference token? Instead of a refresh token do I have to redirect to login, or how can I renew the access token without a refresh token and without logging in?
Thank you.

@brockallen

Member

commented Oct 18, 2015

Perhaps watch this to get a better idea on how to work with JS based apps: http://brockallen.com/2015/06/19/demos-ndc-oslo-2015/

@Jenanek

Author

commented Oct 18, 2015

Thank you for videos. Very nice presentation.

I have started studying the library oidc-token-manager.js and I have found a flag in the configuration: silent_renew and silent url.
When I set silent_renew to true and I want to call the API via Ajax and then get a 401 error, how can I renew this expired token?
How does the renew attribute in the configuration work?

Thank you.
J.
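The question above is how a SPA should react when an API call comes back 401 because the access token has expired. The following is an added example, not code from this thread and not the API of oidc-token-manager.js: a fetch wrapper that, on a 401, runs one renewal through an assumed `renewAccessToken` hook (whatever your OIDC client exposes for silent renew) and retries the call once, with concurrent 401s sharing a single renewal. `fetchImpl` and the token `store` are injected so the same code runs under Node with a stand-in for `sessionStorage`.

```javascript
// Added example (not from the thread or from oidc-token-manager.js).
// Assumed pieces: `renewAccessToken` (your library's silent-renew hook, returning
// a Promise of the new access token), `fetchImpl` (window.fetch in a browser)
// and `store` (a sessionStorage-like get/set for the current token).
function createApiClient({ fetchImpl, renewAccessToken, store }) {
  let renewInFlight = null; // single-flight: concurrent 401s share one renewal

  function renewOnce() {
    if (!renewInFlight) {
      renewInFlight = renewAccessToken()
        .then((token) => {
          store.set(token);
          return token;
        })
        .finally(() => {
          renewInFlight = null;
        });
    }
    return renewInFlight;
  }

  async function request(url, init = {}) {
    const send = (token) =>
      fetchImpl(url, {
        ...init,
        headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
      });

    let token = store.get();
    if (!token) token = await renewOnce(); // no token yet: acquire one first

    let res = await send(token);
    if (res.status === 401) {
      // Token expired or was revoked server-side: renew once, retry once.
      // Never loop here; a second 401 means the session is really gone.
      token = await renewOnce();
      res = await send(token);
    }
    return res;
  }

  return { request };
}

// Minimal stand-in for sessionStorage so the example runs outside a browser.
function memoryStore(initial = null) {
  let value = initial;
  return { get: () => value, set: (t) => { value = t; } };
}
```

The retry is bounded to one attempt on purpose: if the renewed token is also rejected, the user has to go through login again, and looping would only hammer the token endpoint.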

@Davidsual


commented Oct 19, 2015

Another approach is... you can store the Access Token / Refresh Token in a cookie with HTTPS-Enable = TRUE, so the client cannot manipulate it. Then you write an OwinMiddleware that reads the cookie and adds the access token to the request.
I used this approach because LocalStorage and SessionStorage are vulnerable to XSS attacks.

On the other hand a cookie is not mobile friendly, so if the client is mobile I do not see any harm in storing tokens on the mobile device itself.

@georgeonofrei


commented Nov 25, 2016

Storing in cookies opens the door to CSRF.

@brettpostin


commented Mar 21, 2017

Storing in localStorage = susceptible to XSS
Storing in cookie = susceptible to CSRF

The best option is to protect against both as described here.

Store your tokens in http-only cookies and use a suitable targeted CSRF defence as suggested here.

@leastprivilege

Member

commented Mar 21, 2017

@brockallen

Member

commented Mar 21, 2017

> Store your tokens in http-only cookies

And now your server will have access to the access token? What if you're using a CDN -- do you want your user's tokens exposed to a third party?

@brettpostin


commented Mar 21, 2017

> HTML5's sessionStorage is a good place

This seems to contradict the advice given by OWASP ...

> Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

... and others?

> Never store sensitive data using Web Storage: Web Storage is not secure storage. It is not “more secure” than cookies because it isn’t transmitted over the wire. It is not encrypted. There is no Secure or HTTP only flag so this is not a place to keep session or other security tokens.

Is this advice somehow wrong or outdated?

@brockallen

Member

commented Mar 21, 2017

> HTML5's sessionStorage is a good place
> This seems to contradict the advice given by owasp ...

Sure, but you're building a SPA. This means you need CSP. OWASP needs to be updated -- you can tell their CSP coverage there is minimal. IMO they should mandate CSP, which nullifies the XSS concern. And I think my comment about putting the access token in a cookie is just as valid for the CDN scenario.

So don't blindly follow their advice. Don't blindly follow my advice. Think about your threats and think about what your scenarios are. And if you're doing a SPA, do your best -- that's one of the most hostile scenarios you could write code for. But of course management won't care -- SPAs are what everyone thinks you need to build these days.

@brettpostin


commented Mar 22, 2017

Thanks for the clarification.

@algaly


commented Nov 1, 2017

Can anyone give some words about Google auth when using the googleapis npmjs package?
oauth2Client.setCredentials(tokens); google.options({ auth: oauth2Client });
Why do I need to set credentials on this object when I am supposed to use the access_token from the client?
And how should my HTTP GET request look?

Thanks

@roblapp


commented Nov 20, 2017

Is it OK to store an id_token in plain text in an http only cookie as long as the server provides CSP headers?
