Best place to store authentication tokens client side
I think using a SSL certificates should do your job, there publications here explaining their usages and what they do: http://www.rfc-base.org/rfc-6101.html.
http://ceur-ws.org/Vol-313/paper9.pdf please read this.. If your trying to implement something against best practice that is not generic. Then your will have problems later down the line supporting your client.
There are two ways you can save authentication information in the browser:
- HTML5 Web Storage
In each case, you have to trust that browsers are implemented correctly, and that Website A can't somehow access the authentication information for Website B. In that sense, both storage mechanisms are equally secure. Problems can arise in terms of how you use them though.
- The browser will automatically send the authentication information with every request to the API. This can be convenient so long as you know it's happening.
- You have to remember that CSRF is a thing, and deal with it.
If you use HTML5 Web Storage:
The big difference people care about is that with cookies, you have to worry about CSRF. To handle CSRF properly, you usually need an additional "synchronizer token".
Some other differences are discussed here.
edit a google search reveals this for asp.net - they call the synchronizer token a "request verification token".
The best way to protect your access token is to not store it client-side at all.
How does that work? Well at the point of generating the access token, generate some other cryptographically secure PRNG (which you map to the access token on the server), map this to the users session ID and return this to the client instead.
This will reduce the attack area because what you are now returning is a token tied to a session, and both would be required in order to authorise the token. When the session expires so does the token, naturally, and the user would be forced to re-authenticate thus generating a new access token.
It's still not 100% secure, however, you need to weigh up the possibility of something like that happening within a users session. Based on that, you can then tweak your session/token expiry times to suit, although you also need to be wary of usability - you don't want to be expiring sessions after 5 minutes as having to log back in constantly can be tedious (or maybe you can, depends on the type of application).
@jfamvg I'm not suggesting you don't store *a* token on the client, I'm saying don't store the *private* access token there. Generate a public token and send that instead.
I have to send the literal token to the WebAPI, so I need to make an additional call to the server to get the token form the private token to send that to my WebAPI.
I don't understand the distinction between a public and private token. In OAuth a token is a token. If you can use it to make a request to WebAPI then what protection are you offering here? Are you assuming there is some information in the token that needs to be protected? If you are using Katana's OAuth provider, it handles that by encrypting the claims that make up the token.
@EdGreaves was a while ago now but based on the question, the assumption was the user had a "sensitive" token that they didn't feel comfortable storing on the client. My suggestion was simply don't store the token client-side at all if that's the case, store what would be effectively a public key that could be mapped to a private one on the server. If the public key was ever compromised there would be no concern about internal data being leaked. You still of course have the issue that the key could be used for malicious purposes but that's a whole different issue.
@James Isn't that just a session then? What's the point of storing the token on the server and having some key / ID on the client side to reference it?
Isn't an access token just a cryptographically secure randomness, though?
I'd store the token in a cookie with the following three flags: 1. Secure: transmit over https 2. HttpOnly: client-side JS cannot read it (XSS protection) 3. SameSite (either Lax or Strict): CSRF protection
In this way you are immune to XSS and CSRF. You only need to be careful about SameSite, as it is relatively new and only got recently supported by the 4 major browsers (Chrome, FF, Safari, Edge) see: https://caniuse.com/#feat=same-site-cookie-attribute
For more info regarding cookie hardening see https://odino.org/security-hardening-http-cookies/
Alex's blog must be informative.
A server dies every time someone implements OAuth in a single page is web app. Stop the genocide! Use a server side proxy! Act now!
That article does not make sense. How will the proposed proxy server differentiate between the "real user" and the "attacker"? All http requests can be faked. CSRF just needs one-extra http call to obtain csrf token. Only solution to author's problem can be captcha and rate-limiting. Please explain if I am wrong.
You need to send the token to server in every requset. So it doesn't matter you store it in cookie or html 5 storage. Both are secure storages and eveyone who has access the client machine has access to the token too anyway.
But I recommend do not use the submitted token in cookie on your server to prevent CSRF attack. I think it is good idea to manually include the token in every request you make whenever required.
Using cookie also makes the request header bigger which is not appropriate.
This is conflicting. How can you include a token in every request and at the same time not include it in the `Cookie:` HTTP header? Well, you could make your own `X-Something:` header, but that is probably worse since you need to maintain the code for the storage of the content of the header.