SPA 中刷新令牌 Cookie 的 CSRF 保护 [英] CSRF Protection for Refresh Token Cookie in SPA
问题描述
我在 AngularJS SPA 中使用资源所有者密码凭据 OAuth 2.0 流程.有几篇文章(这里,这里 ..) 和 这个问题 解释了我们不应该将刷新令牌存储在(Web)客户端(LocalStorage)上,而是将它们加密存储在 HttpOnly Cookie 中并使用代理 API,我们在其中实现对刷新令牌的解密将其转发到安全令牌服务.
I am using the Resource Owner Password Credentials OAuth 2.0 flow in a AngularJS SPA. There are several articles (here, here..) and the answer to this question that explain that we should not store refresh tokens on the (web) client (LocalStorage), but store them encrypted in an HttpOnly Cookie and use a proxy API where we implement the decryption of the refreh token to forward it to the security token service.
大多数文章都暗示我们应该通过使用一种常见的保护机制来关心 CSRF.我想知道单页应用程序中的最佳解决方案是什么.
Most articles give a hint that we should care about CSRF by using one of the common protection mechanisms. I'm wondering what's the best solution in a Single Page Application.
Angular $http 参考解释了我们应该如何应对 CSRF 的默认机制:服务器必须设置一个名为 XSRF-TOKEN
的 cookie.此 cookie 必须是 Javascript 可读的,以便我们可以在我们的请求中设置 X-XSRF-TOKEN
HTTP 标头.这种机制是否足以保护refreh令牌场景?
The Angular $http reference explains the default mechanism how we should counter CSRF: The server has to set a cookie called XSRF-TOKEN
. This cookie has to be Javascript readable, so that we can set the X-XSRF-TOKEN
HTTP header in our requests. Is this mechanism sufficient to protect the refreh token scenario?
第一次启动应用程序.没有可用的访问令牌或 cookie,我们必须使用用户名和密码登录.
api/login
为我们提供了一个保存在内存中的访问令牌并设置了两个 cookie.HttpOnly 刷新令牌 cookie,以及 JS 可读的XSRF-TOKEN
cookie.
Start the application the first time. No access token nor cookie available, we have to login with username and password.
api/login
gives us an access token that we keep in memory and sets two cookies. The HttpOnly refreh token cookie, and the JS readableXSRF-TOKEN
cookie.
访问令牌过期.调用 api/token
验证 XSRF-TOKEN
并使用令牌 cookie 返回新的访问令牌;设置一个新的刷新 cookie
The access token expires. A call to api/token
validates XSRF-TOKEN
and uses the token cookie to return a new access token; sets a new refresh cookie
从 AppCache
重新启动应用程序.内存中没有访问令牌,但 cookie 可用.使用 api/token
...
Restart the application from AppCache
. No access token in memory but cookies available. Use api/token
...
坏人想偷我们的refreh cookie.准备好的页面使用我们的 cookie 向 api/token
发出请求,但没有 X-XSRF-TOKEN
HTTP 标头.
Bad guy wants to steal our refreh cookie. A prepared page makes request to api/token
with our cookies, but no X-XSRF-TOKEN
HTTP header.
有任何严重的安全问题吗?
Any serious security issues?
推荐答案
据我所知,最好的方法是服务器在内部渲染 index.html 和 CSFR 令牌,然后作为标准的 AngularJS SPA 运行.所以 index.html
然后用后端服务/框架生成的 CSFR 令牌来丰富.SpringSecurity 为将令牌注入模板提供了很好的支持.
As far as I know the best way to do this is when server renders index.html with the CSFR token inside and after that you function as standard AngularJS SPA. So the index.html
is then enriched with CSFR token generated by backend service / framework. SpringSecurity provides nice support for this injecting tokens to the templates.
之后,您可以使用 javascript 从模板中获取令牌,并使用 httpInterceptor
's, 将其设置为标头中的所有
钩子.(或饼干)?我不记得清楚什么是正确的方法,但我确定它在你上面提到的文章中有所描述)$http
请求请求
After that, you can get the token from the template with javascript and set it to all your $http
requests in headers by using httpInterceptor
's, request
hook. (or cookie)? I don't remember clearly whats the proper way but I am sure it is described in articles you mentioned above)
这篇关于SPA 中刷新令牌 Cookie 的 CSRF 保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!