Reputation: 665
Spring OAuth2 Password Flow , Return JWT inside HTTP Only Cookie?
I am using AuthorizationServerConfigurerAdapter to configure my OAuth2 password flow where I am successfully creating a JWT token. I am using my OAuth2 within my Spring REST backend and pairing it with my Angular 2 fronted.
I have read several articles (eg. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage) where people are putting the JWT inside a HTTP only cookie returned to the Angular front end to prevent XSS scripting and it is of interest to me. I am confused how to integrate or intercept my jwt being returned and place this inside a http only cookie and return it.
Any Suggestions?
John
Upvotes: 0
Views: 604
Answers (1)
Reputation: 58124
I wouldn't recommend using password flow at all, especially in a browser client. OAuth2 was designed so that you can avoid that, and thus avoid giving user credentials to an untrusted agent. If you let go of password grants, you will find that a session cookie is just as secure as your JWT cookie proposal, and it works out of the box with no funny business on client or server.
Upvotes: 0
Related Questions
- Spring security JWT without OAuth
- Spring-security - httponlycookie into existing jwt intergration?
- How to declaratively use authorization with JWT in Spring 5 controller?
- Spring RESTful web service auth
- Spring boot + Oauth2 + Jwt
- Return JWT token from successful authentication
- Simply authentication with JWT in Spring Boot
- Spring Security Cookie + JWT authentication
- Spring OAuth + JWT -- /oauth/token
- OAUTH2 server with spring and jwt