Does the MSAL library prevent token replay attacks? How does it stop someone from taking the access token from the redirect URL and using it in another application? I'm not sure if Azure AD handles the protection or Microsoft Authentication Library (MSAL).
Upvotes: 1
How does it stop someone from taking the access token from the redirect URL and using it in another application?
MSAL can't really do anything about something accessing the URL. That's the browser's duty. Same-origin policy requires that only script on a page with the same origin can access the URL of an iframe. So even if I put an iframe on my website that did hidden login for one of your apps, I wouldn't be able to get the token if the redirect URL is on a different hostname from mine.
So let's say your app has one reply URL configured: https://yoursite.com/aad-callback. If I wanted to take the token, my site would need to be hosted on yoursite.com. There is no way for me to ask AAD to return the token to another URL.
Another choice would be to intercept it in flight to your app.
But that would require man-in-the-middling the TLS connection.
If someone can do that, you have bigger problems.
Replay attacks are prevented by using nonces; a new value is set in each authentication request: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/3fb9ce5a16ea462336eee62b496dfae8611f0fbc/lib/msal-core/src/AuthenticationRequestParameters.ts#L39
Upvotes: 4