CSRF protection for updating Token cookies in SPA

I use the OAuth 2.0 resource owner password credentials grant in an AngularJS SPA. There are several articles (here, here) and the answer to this question which explain that we should not store refresh tokens on the web client (LocalStorage), but should store them in encrypted form in an HttpOnly cookie and use a proxy API, where we implement decryption of the refresh token in order to forward it to the security token service.

Most articles hint that we should take care of CSRF using one of the common protection mechanisms. I am wondering what the best solution is for a single-page application.

The Angular $http documentation explains the default mechanism for how we should counter CSRF: the server must set a cookie called XSRF-TOKEN. This cookie must be JavaScript-readable, so that we can set the X-XSRF-TOKEN HTTP header in our requests. Is this mechanism sufficient to protect the following scenario?

  • Launch the application for the first time. There is no access token or cookie, so we must log in with a username and password. api/login gives us the access token, which we store in memory, and sets two cookies: an HttpOnly refresh token cookie and a JS-readable XSRF-TOKEN cookie.

  • The access token expires. The api/token call checks the XSRF-TOKEN and uses the refresh token cookie to return a new access token; it also sets a new refresh cookie.

  • Reboot the application from AppCache. There is no access token in memory, only the cookies. Use api/token ...

  • The bad guy wants to steal our refresh cookie. A prepared page makes an api/token request with our cookies, but without the X-XSRF-TOKEN HTTP header.

Any serious security concerns?

javascript angularjs security csrf
Jun 03 '15 at 12:12
1 answer

As far as I know, the best way to do this is for the server to render index.html with the CSRF token, and after that you use the standard AngularJS SPA tooling. Thus index.html is enriched with the CSRF token created by the backend service / framework. Spring Security provides good support for these template input tokens.

After that, you can get the token from the template using JavaScript and set it on all your $http requests in the headers using an httpInterceptor request hook (or cookies?). I do not remember exactly how it is done, but I am sure that this is described in the articles mentioned above.

Aug 26 '15 at 12:36


