2:40 p.m.
<https://security.stackexchange.com/questions/205837/openid-connect-is-sto...
Hi,
I'm currently in the phase of integrating my web-site to OpenID Connect provided by
KeyCloak. The web-site is not a single page application. However, different parts of the
application are delivered by different web services.
In each site delivered by these different web services, the user can call a standard REST
API. This REST API can only be accessed with an access token received from KeyCloak. Thus,
the user needs to log-in on the web-site using authorization code flow of OpenId Connect
<https://openid.net/specs/openid-connect-core-1_0.html> offered by KeyCloak
<https://www.keycloak.org/> and use the access token given by the token endpoint.
This request with the access token can be either sent by browser or by one of the back-end
services delivering the current web-site. Thus, we can either do a a client-side
integration or server-side integration with the REST API.
Unfortunately, the server-side integration is not that feasible due to the complex
structure of back-end systems. I cannot even integrate most of web services with KeyCloak.
Thus, I could store the access token in the browser in local storage
<https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage> and access to
the REST API directly from browser. However, I'm still unsure if storing the access
token in browser will bring a security vulnerability.
I could not see any official statement regarding this in the standards or in the KeyCloak
documentation, so far. I have seen applications both storing it in the back-end and
storing in the browser and I still can't tell the exact security benefit of using a
session over an access token when we store it in the back-end. I do not intend to save
refresh token in the browser and use only authorization code flow with the help of a
back-end service.
My questions:
Is it a security vulnerability to store the access token in browser? E.g., in local
storage, in a cookie with HttpOnly, or both of them?
Is there a way to mitigate the security threat and still store it in browser?
Is there a best practice or guideline for storing the access tokens of OpenID Connect that
you could refer to?
What is the difference from the security perspective between storing the access token and
session, if we can use the session to access the API over an intermediary service?
Thank you for your assistance in advance!
Regards,
Timur