[keycloak-user] OpenID Connect: Is storing access token in browser sercure?

Olivier Rivat orivat at janua.fr
Fri Mar 22 05:18:14 EDT 2019


Hi,

one of the security advantage of  Oauth2/openID protocol  RFC 
6749/openid connect  is  to avoid having tokens (authorisation code/ 
access_token) in the browser.
With authorisation code flow, your tokens are never exposed at browser 
level.

Even with https, if your tokens get stolen, anyone who can get hold of 
your tokens can have access to everything.



Visit also our web site for more info:
http://www.janua.fr/tag/technical-blog/

Don't hesitate to come back to us if you need any further help


Regards,

Olivier Rivat


Le 22/03/2019 à 09:44, Timurhan Sungur a écrit :
> We are communicating over HTTPS as stated in the link you have sent. Shortening the lifespan of the access token is not an option and does not make sense in our use case.
>
> Regards,
>
> Timur
>
> Sent from my mobile device.
>
>> Am 22.03.2019 um 09:26 schrieb Sebastien Blanc <sblanc at redhat.com>:
>>
>> Because your access token could be compromised and could be used to call services that can verify offline this token. https://www.keycloak.org/docs/latest/server_admin/index.html#compromised-access-and-refresh-tokens
>>
>>> On Fri, Mar 22, 2019 at 9:03 AM Timurhan Sungur <timurhan.s at gmail.com> wrote:
>>> Thank you for your answer. What is the reason behind keeping it short? In my use case, it is valid for 2 hours and I will store it somewhere during that period.
>>>
>>> Regards,
>>>
>>> Timur
>>>
>>> Sent from my mobile device.
>>>
>>>> Am 22.03.2019 um 08:48 schrieb Sebastien Blanc <sblanc at redhat.com>:
>>>>
>>>> I'm not sure to understand you usecase and anyway the access token lifespan should always be really short (it's 1 minute by default in Keycloak) so I don't really see the point of storing it in the local storage.
>>>>
>>>>> On Thu, Mar 21, 2019 at 8:42 PM Timurhan Sungur <timurhan.s at gmail.com> wrote:
>>>>>   <https://security.stackexchange.com/questions/205837/openid-connect-is-storing-access-token-in-browser-sercure>
>>>>> Hi,
>>>>>
>>>>> I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services.
>>>>> In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect <https://openid.net/specs/openid-connect-core-1_0.html> offered by KeyCloak <https://www.keycloak.org/> and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site. Thus, we can either do a a client-side integration or server-side integration with the REST API.
>>>>>
>>>>> Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage <https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage> and access to the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability.
>>>>>
>>>>> I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far. I have seen applications both storing it in the back-end and storing in the browser and I still can't tell the exact security benefit of using a session over an access token when we store it in the back-end. I do not intend to save refresh token in the browser and use only authorization code flow with the help of a back-end service.
>>>>>
>>>>> My questions:
>>>>>
>>>>> Is it a security vulnerability to store the access token in browser? E.g., in local storage, in a cookie with HttpOnly, or both of them?
>>>>> Is there a way to mitigate the security threat and still store it in browser?
>>>>> Is there a best practice or guideline for storing the access tokens of OpenID Connect that you could refer to?
>>>>> What is the difference from the security perspective between storing the access token and session, if we can use the session to access the API over an intermediary service?
>>>>> Thank you for your assistance in advance!
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Timur
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-- 


<http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/images/LogoSignature.gif>

	<http://www.janua.fr/images/6g_top.gif>
	
Olivier Rivat
CTO
orivat at janua.fr <mailto:dchikhaoui at janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
	<http://www.janua.fr/images/6g_top.gif>




More information about the keycloak-user mailing list