Token storage security #99
Our development team is considering using this library in our NextJs SPA. I have some questions regarding the security of using it. It is my understanding that the access token and refresh token are stored in localStorage and the PKCE code verifier is stored in sessionStorage. Wouldn't this make the application vulnerable to XSS? If possible, could storing these in an httpOnly, secure cookie be a more secure option? Another concern is whether this pattern of authorizing a SPA is considered secure in general, or whether the only really secure solution is doing the auth in a proxy API? https://stackoverflow.com/questions/67517436/best-practice-on-securing-code-verifier-in-pkce-enhanced-authorization-code-flow
Okay, I'll agree that there might be an XSS-related issue in having them in browser storage, but only if the application is already XSS vulnerable. Having them stored there does not create the XSS vulnerability. I'm sure @soofstad can elaborate and give clearer arguments for why this choice was made, but as far as I can see, LocalStorage is the recommended storage solution for OAuth2 PKCE. Two sources I found after a quick Google search:
For the last one, the comment above disagrees with the one I linked, so I guess there is some debate on the subject. In short: if you have an XSS vulnerability, then your application is compromised anyway.