Securing Single Page Applications with Token Based Authentication

Stefan Achtsnit
WeAreDevelopers Conference
April 2016
Outline
•  Single Page Application Security
•  Token Based Authentication
   Client Tokens
   JSON Web Token format
•  Web Application Security 101
   Cross-site scripting
   Cross-site request forgery -> Double submit cookie
•  Implementation Challenges
   Who should be in charge of the authentication token – JS client or Browser?
   How to revoke issued tokens?
Single Page Application Security
•  no sensitive information like keys on clients
•  prevent malicious code from running in your application (Cross-site scripting – see upcoming slide)
•  secure user credentials (Man-in-the-middle attacks)
•  strive for consistent authorization, i.e. UI rendering based on same rules as used for API (Client Tokens)
Client Tokens
•  self-contained set of claims that assert an identity and a scope of access that can be shared (no silo)
   {
     "subject": "jdoe",
     "name": "John Doe",
     "admin": true,
     "expiration": "12-04-2016 23:55 UTC"
   }
•  signed and optionally encrypted
•  flexible, e.g. extend with "issuer" claim for verification, add application specific ACLs
•  stateless (token revocation - see upcoming slide)
JSON Web Token (JWT) format
•  de facto standard token format
•  sign with strong key and always verify token
•  encrypt for sensitive information (JSON Web Encryption)
•  security considerations as for session identifiers
Cross-site scripting (XSS)
•  attacker pushes malicious JS code into application
•  canonical example: script tag in user comment
•  various categories like stored, reflected or DOM-based attacks
•  OWASP - XSS Prevention Cheat Sheet
•  always validate user input and escape everything
•  be careful with dynamically loaded JSON, CSS, HTML templates, …
•  Content Security Policy (CSP)
•  3rd party JS libraries are still problematic, everything accessible by JS like tokens stored in web storage may be exposed -> possible alternative: use cookie storage with HttpOnly flag for tokens
Cross-site request forgery (CSRF)
•  browser automatically sends cookies set on a given domain with every request made to that domain (regardless of where those requests originated)
•  OWASP - CSRF Prevention Cheat Sheet
•  no side effects with HTTP GET
•  use Double submit cookie with HTTP POST for SPAs
Double submit cookie
•  create random value during authentication process
•  add this value as additional claim to the provided client token, e.g.
   {
     "subject": "jdoe",
     "name": "John Doe",
     "admin": true,
     "expiration": "12-04-2016 23:55 UTC",
     "xsrfToken": "63be08af-0264-47af-b2b9-6d56e8f6428a"
   }
•  put this value in further authentication cookie (with HttpOnly cookie flag set to false), so that JS client can read value and forward it with corresponding HTTP header in subsequent requests
•  server side API code can compare client token claim with submitted HTTP header value during token verification (stateless!)
•  protection based on same-origin policy for cookies - only JS code running on the origin domain can read this second cookie!
Request Flow Example
Who is in charge of the token? (JS client vs. Browser)

Transmission
   JS client: Authorization: Bearer <JWT>
   Browser:   Cookie: token=<JWT>

Storage
   JS client: various options, e.g. web storage or cookie storage
   Browser:   cookie storage
   •  web storage (accessible only from storing subdomain, 5MB limit)
   •  cookie storage (accessible from multiple subdomains, 4KB limit)

MITM
   JS client: SSL must be managed by code
   Browser:   Secure cookie flag forces SSL

XSS
   JS client: manual coding effort
   Browser:   implicit with HttpOnly cookie flag to prevent JS access

CSRF
   JS client: not applicable
   Browser:   manual coding effort (e.g. Double submit cookie)

(row label not recoverable from the slide)
   JS client: manual coding effort, only when necessary, works with any domain (Cross-Origin Resource Sharing)
   Browser:   automatically sent, overhead when not necessary, not possible across domains, i.e. with external APIs
How to revoke tokens? (Renewal approach vs. Blacklisting approach)

Characteristic
   Renewal:      stateless
   Blacklisting: stateful

Mechanism
   Renewal:      two kinds of tokens used: Access Tokens as usual with a short expiration and Refresh Token with a longer expiration for the renewal of Access Tokens when they expire (OAuth2!)
   Blacklisting: Identifier ("jti" claim) added to Access Token and checked against blacklist during token verification

Consequence
   Renewal:      client flow implementation not trivial, additional server logic only within authentication API
   Blacklisting: transparent for client, blacklist must be available to all server APIs
Recommendation
•  follow a token based approach with JWT
•  avoid cross-domain architecture if possible
•  CSRF protection is easy to get right, XSS protection is easy to get wrong
   store token in cookie with HttpOnly (XSS) and Secure flag (MITM)
   use Double submit cookie (CSRF)
•  start with a simple token revocation mechanism
•  do your homework and don't reinvent the world
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10_2013
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
JSON Web Token
https://jwt.io
Thank you!