[keycloak-user] Keycloak client adapter and OWASP recommendations

Luca Cherubin luca.cherubin at gmail.com
Wed Sep 18 04:00:11 EDT 2019


Hello,

I was checking the OWASP recommendations on how to store a JWT token in the
client
<https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-storage-on-client-side>
and they basically suggest this approach:

   1. Store the token using the browser *sessionStorage* container.
   2. Add it as a *Bearer* with JavaScript when calling services.
   3. Add fingerprint information
   <https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking>
   to the token.

For the fingerprint, here is how they suggest implementing that:
[The fingerprint is...]

   - A random string that will be generated during the authentication phase
   and will be included into the token and also sent to the client as a
   hardened cookie (flags: HttpOnly + Secure
   <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies>
   + SameSite
   <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies>
   + cookie prefixes
   <https://googlechrome.github.io/samples/cookie-prefixes/>).
   - A SHA256 hash of the random string will be stored in the token
   (instead of the raw value) in order to prevent any XSS issue from allowing
   the attacker to read the random string value and set the expected cookie.


I would like to understand if this kind of approach is doable using
Keycloak and if it would make sense to implement this anyway.
As for storing the token, would creating a single Keycloak instance
on the page and sharing it as a global object be a totally bad practice? If
it is, what approach should I use?

Thanks
Luca

