为什么刷新令牌被认为对 SPA 不安全? [英] Why are Refresh Tokens considered insecure for an SPA?

问题描述

我正在阅读 Auth0 站点上关于 Refresh Tokens and SPA，并且他们声明 SPA 不应使用刷新令牌，因为它们无法安全地存储在浏览器中，而应使用静默身份验证来检索新的访问令牌.

<块引用>

单页应用程序(通常实施隐式授权)在任何情况下都不应获得刷新令牌.原因是这条信息的敏感性.您可以将其视为用户凭据，因为刷新令牌允许用户基本上永远保持经过身份验证.因此，您无法在浏览器中获得这些信息，必须安全地存储这些信息.

我很困惑.根据我的理解，检索新访问令牌的唯一方法是向 Auth 服务器提交新请求，以及某种形式的 Auth0 会话 cookie 以验证登录用户的身份.收到会话 cookie 后，Auth0然后服务器将能够发出新的访问令牌.

但这与在浏览器或本地存储中拥有刷新令牌有什么不同?是什么让会话 Cookie 比刷新令牌更安全?为什么在 SPA 中使用刷新令牌是一件坏事?

解决方案

关于 cookie 和刷新令牌以及 OAuth2 存在很多误解.

首先，并非只有机密客户端才能使用刷新令牌.OAuth2 协议规定机密客户端必须进行身份验证，但不需要机密客户端.因此，客户端身份验证在刷新操作中是可选的.请参阅 RFC 6749，第 6 节，刷新访问令牌..>

其次，您必须了解替代方案是什么:

1. 强制用户每 5 分钟(每当访问令牌过期时)输入他或她的用户名和密码
2. 长寿命访问令牌
3. 通过 HTTP Cookie 进行身份验证

世界上不使用刷新令牌的每个人都使用选项 #3.通过 cookie 的身份验证在功能和安全方面 100% 等效于存储刷新令牌.当然，对于令牌和 cookie，它们的保存位置有多种选择:

一个.仅 HTTP，湾安全(需要 TLS/SSL)和C.会话(在内存中)与持久(本地、域存储)

仅限 HTTP"选项仅适用于 cookie，因此可能代表使用 cookie 而非令牌的唯一优势.IE.令牌是通过 Javascript 处理的，所以没有办法让它们远离脚本.也就是说，令牌仅对来自存储它的页面域的 Javascript 可用(或在 CORS 策略允许的情况下).所以这个问题可能被夸大了.

当然，必须注意始终使用 TLS/SSL 传输身份验证 cookie 或令牌.老实说，由于我们知道大多数违规行为发生在私有企业网络内部，因此端到端 TLS 不再是一项基本要求.

最后，cookie 或令牌是否持久化，即存储在关闭浏览器甚至重新启动设备后仍然存在的地方，取决于您在可用性和安全性之间进行的权衡 - 用于您的应用.

对于需要更高安全级别的应用程序，只需将所有内容保存在内存中(即会话 cookie、Javascript 变量中的令牌).但是对于不需要那么多安全性并且真的想要几天或几周的会话寿命的应用程序，那么您需要存储它们.无论哪种方式，该存储都只能由原始域中的页面和脚本访问，因此，cookie 和令牌在功能上是等效的.

I was reading the documentation on the Auth0 site regarding Refresh Tokens and SPA, and they state that SPA's should not use Refresh Tokens as they cannot be securely stored in a browser, and instead use Silent Authentication instead to retrieve new Access Tokens.

A Single Page Application (normally implementing Implicit Grant) should not under any circumstances get a Refresh Token. The reason for that is the sensitivity of this piece of information. You can think of it as user credentials, since a Refresh Token allows a user to remain authenticated essentially forever. Therefore you cannot have this information in a browser, it must be stored securely.

I'm confused. From my understanding, the only way to retrieve a new access token would be to submit a new request to the Auth server, along with some form of an Auth0 session cookie to authenticate the user that is logged in. Upon receiving the session cookie the Auth0 server would then be able to issue a new Access Token.

But how is that any different than having a Refresh Token in the browser or in the local storage? What makes the Session Cookie any more secure than a Refresh Token? Why is using a Refresh Token in an SPA a bad thing?

解决方案

There are a lot of misunderstandings about both cookies and refresh tokens and OAuth2.

First, it is not true that only confidential clients can use a refresh token. The OAuth2 protocol says that confidential clients must authenticate, but does not require confidential clients. Ergo, client authentication is optional on the refresh operation. See RFC 6749, Section 6, Refreshing An Access Token.

Second, you have to understand what the alternatives are:

1. Forcing the user to enter his or her username and password every 5 minutes (whenever the access token expires)
2. Long lived access tokens
3. Authentication via HTTP Cookies

Everybody in the world, who doesn't use refresh tokens, uses option #3. Authentication via cookies is functionally and security-wise 100% equivalent to storing a refresh token. Of course, with both tokens and cookies, there are options for where they are kept:

a. HTTP only, b. secure (require TLS/SSL) and c. session (in memory) vs. persistent (local, domain storage)

The "HTTP only" option applies only to cookies and, thus, may represent the only advantage of using cookies over tokens. I.e. tokens are handled via Javascript, so there's no option to keep them away from scripts. That said, the tokens are available only to Javascript from the domain of the page that stored it (or as allowed by CORS policy). So this issue can be overblown.

Of course, care must be taken to always use TLS/SSL to transmit either authentication cookies or tokens. Honestly, since we know most breaches occur from within the private corporate network, end-to-end TLS is a basic requirement anymore.

Finally, whether cookies or tokens are ever persisted, i.e. stored somewhere that survives closing the browser or even rebooting the device, depends on the trade-off you're making between usability and security - for your application.

For applications that require a higher level of security, just keep everything in memory (i.e. session cookies, tokens in a Javascript variable). But for apps that don't require as much security and really want a session life on order of days or weeks, then you need to store them. Either way, that storage is accessible only to pages and scripts from the original domain and, thus, cookies and tokens are functionally equivalent.

这篇关于为什么刷新令牌被认为对 SPA 不安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！