How to protect bearer tokens in a web application

Time: 2017-08-11 00:27:47

Tags: rest oauth-2.0

I am trying to implement the authorization code flow described in RFC 6749 (OAuth 2.0) for a JavaScript-based application. I understand that I should use a web server backend as a confidential client, so that it can protect the access and refresh tokens returned by the authorization server instead of passing them to the JavaScript front end. All requests from the front end to any protected resource then go through the web server backend, which attaches the access token to the request and proxies it.

My question is how to let the JavaScript front end use these tokens in a secure way? I assume I have to do something like set up a session on the web server and pass back a cookie identifying the session. But that means the JavaScript application will have a cookie that gives it the same permissions as if it had direct access to the bearer tokens stored on the web server. How does using the web server to hold the tokens provide any additional security?

1 answer:

Answer 0 (score: 0)

While I agree with Alexandre Fenyo's comment, I just want to add the 2021 version. You should no longer use the implicit flow, as it is no longer considered secure.

For a scenario like this, where the JavaScript application must handle the tokens, I recommend using the Authorization Code Flow with PKCE instead: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce