[keycloak-user] OpenID Connect: Is storing access token in browser sercure?

Timurhan Sungur timurhan.s at gmail.com
Thu Mar 21 15:40:15 EDT 2019 

 <https://security.stackexchange.com/questions/205837/openid-connect-is-storing-access-token-in-browser-sercure>
Hi,

I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services.
In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect <https://openid.net/specs/openid-connect-core-1_0.html> offered by KeyCloak <https://www.keycloak.org/> and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site. Thus, we can either do a a client-side integration or server-side integration with the REST API.

Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage <https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage> and access to the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability.

I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far. I have seen applications both storing it in the back-end and storing in the browser and I still can't tell the exact security benefit of using a session over an access token when we store it in the back-end. I do not intend to save refresh token in the browser and use only authorization code flow with the help of a back-end service.

My questions:

Is it a security vulnerability to store the access token in browser? E.g., in local storage, in a cookie with HttpOnly, or both of them?
Is there a way to mitigate the security threat and still store it in browser?
Is there a best practice or guideline for storing the access tokens of OpenID Connect that you could refer to?
What is the difference from the security perspective between storing the access token and session, if we can use the session to access the API over an intermediary service?
Thank you for your assistance in advance!  


Regards,

Timur

More information about the keycloak-user mailing list