I am trying to implement the authorization code flow described in RFC 6749 (OAuth 2.0) for a JavaScript-based application. I understand that I should use a web server backend as the confidential client, so that it can protect the access and refresh tokens returned by the authorization server rather than handing them to the JavaScript frontend. All requests from the frontend to any protected resource then go through the web server backend, which attaches the access token to the request and proxies it.
My question is how the JavaScript frontend can use these tokens in a secure way. I assume I would have to do something like set up a session on the web server and pass back a cookie that identifies the session. But that means the JavaScript application holds a cookie that gives it the same permissions it would have if it could access the bearer token stored on the web server directly. How does using the web server to hold the tokens provide any additional security?
Answer 0 (score: 0)
While I agree with Alexandre Fenyo's comment, I just want to add the 2021 version. You should no longer use the implicit flow, as this is no longer considered secure.
For scenarios like this, where the JavaScript application has to handle tokens, I would suggest using the authorization code flow with PKCE instead: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce