Ole

Reputation: 46940

What secures access credentials inside a single page webapp (SPA)?

Scenario

Suppose a hacker using a single page webapp https://example.com?secure=maybe has authenticated and obtained an OpenID Connect token that is used to access micro services.

The hacker manages to fish these credentials out of the application. (Follow-up question on that here)

The hacker creates another application running on localhost that loads the credentials obtained. The hacker also points localhost to https://example.com in /etc/hosts such that now opening the address https://example.com runs the hacker's web application instead of the real one.

Question

Can the hacker's application now use the OpenID Connect token to access the same microservices that the original application uses it for?

The obvious answer seems like no because https://example.com still resolves to the localhost IP address, and that's the only address that the browser knows to talk to, but I just wanted to make sure that's the case by asking...

Upvotes: 0

Views: 164

Answers (1)

jwilleke

Reputation: 10986

You can and perhaps should use the Authorization Code Grant with SPA apps, along with (since there is no client secret) Proof Key for Code Exchange by OAuth Public Clients.

Upvotes: 1
