Arielo

Reputation: 81

Where to store refresh token safely

The question "where to store - access token and refresh token in OAuth 2.0" is the answer I was looking for, but there is something that's not clear to me, or maybe I'm just overthinking it.

Let's say I have a website X that calls a REST API and stores the refresh token in the browser as an HttpOnly cookie. If a malicious man M gets into some other guy's computer that's already logged in to X as U, M can go and look for the cookie and steal that refresh token. Then M will be able to retrieve all the tokens he wants for U; he will just need the client ID and client secret of that application, which he can get from any other user of the application, for example he himself, M, by just looking at the value of the header when a GET new access token call is made. Is that correct?

Upvotes: 2

Views: 4302

Answers (1)

Ján Halaša

Reputation: 8421

You should not use the Authorization Code grant in an application running in a browser. The Implicit grant is designed for such applications:

  • To get an access token from a refresh token, you need to make a request to the /token endpoint, which requires authentication (client ID and client secret), and you cannot keep the secret safe in a browser.
  • The /token endpoint usually doesn't support CORS headers - you cannot access it by JavaScript XHR calls.
  • To get a new access token when the original one expires, you can use the prompt=none /auth request parameter.

Upvotes: 1
