How to store an access token (JWT) on the client web server side instead of the browser's local storage

Hi Team,

I am using Angular 7 with Angular Material for my client application, which connects to and obtains an access token from the IRIS Authorization Server (OAuth 2.0). The problem I am facing right now is that this access token is exposed to the browser and stored in the browser's local storage.

Right now I am having a hard time finding an alternative but secure option to store the access token on the server side (the client web server) instead of the browser's local storage.

Following are the suggestions I have found by googling recently; I am not sure whether there is a better way that I need to explore.

  • A web server-side session that maintains sensitive data: user IDs, session IDs, JWTs, API keys, etc.
  • Storing the token in cookies with the "httpOnly" option, which is also less vulnerable to XSS attacks
  • An IndexedDB solution, which also has some caveats

Please let me know if anyone has implemented a better and more secure way of storing token information on the server side (the client web server) and incorporated that information into the client application so that the token is sent in the HTTP request header when consuming REST APIs.

Please share some code if you have it handy, so I can understand and implement the expected concept properly.

Any guidelines or leads would be really appreciated.


Answers

Hello Muhammad,

First of all, I'm not able to give you a complete answer, but I hope to have some thoughts that may help you.

I'm not an Angular or web developer either, so I have to trust Google too. According to others (Google), it is indeed difficult to secure information in the browser's storage. Besides suggestions like using sessionStorage instead of localStorage, not letting other people come to your PC and use your open session, or ultimately requiring authentication before each call to the resource server, perhaps it might make sense to pass, together with the access token, another parameter in the header that would change between requests in an exact manner that only the resource server and your client know (the client using code encapsulation to make it difficult for an attacker to find it in external files).

Storing the access code at the web server app means that you'd need to add to your Angular client something like a CSP application or some other server-side application. This would make things more complicated to maintain.


Dan