Best practices for storing tokens (2024)

Table of Contents
Token types Client types Security risks Traditional web app / SPAoptions Cookies Local/session storage SPA-onlyoptions Backend for frontend (BFF) JavaScript memory Workers

This topic discusses best practices and recommendations for securely storing CyberArk Identity OpenIDConnect (OIDC) tokens in your applications.

Token types

Three types of OIDC tokens are used with CyberArk Identity: access tokens, ID tokens, and optional refresh tokens.

Access and refresh tokens have two main use cases:

  • When a client application needs to call one or more CyberArk Identity APIs.

    In this use case, CyberArk Identity serves as both the OAuth 2.0 authorization server and resource server. The client acquires tokens from the authorization server, and then includes them in any API requests.

  • When a client application secures its APIs using CyberArk Identity tokens.

    In this use case, CyberArk Identity is the authorization server while the third-party API is the resource server.

For a more detailed description of each token, see:

  • Access tokens

  • ID tokens

  • Refresh tokens

Client types

Two types of clients are defined in the OAuth 2.0 specification: confidential and public clients. The distinction between clients stems from secret storage. Secrets allow registered clients to make authorized calls to an OAuth 2.0 authorization server.

  • Some clients, such as servers, can store these secrets without the risk of users exposing them. These are known as confidential clients.

  • Public clients, including native, mobile and browser-based applications, cannot securely store such secrets. These clients should use OAuth 2.0 flows that do not store registered secrets in the UI.

We recommend against storing IDtokens. If you must do so, ensure that you clear the tokens when users log out or delete accounts.

In contrast to traditional web apps, single-page applications (SPAs) require client-side API calls to process user interactions.

See Also
How to Validate an OpenID Connect ID Token | CurityID Token StructureWhat Is OpenID Connect (OIDC)? | Microsoft SecurityOpenID Connect client and token propagation quickstart

For SPAs that make APIcalls to one or more servers on a different domain, access tokens are necessary. You may also choose to use refresh tokens.

Recommended Flow: Authorization Code Flow with PKCE

SDK: CyberArk Identity JavaScript SDK

You should store and access tokens exclusively through the OS's secure storage mechanism. Use Keychain for iOSapps and KeyStore for Android apps.

Recommended Flow: Authorization Code Flow with PKCE

SDK: CyberArk Identity SDK for iOS / CyberArk Identity SDK for Android

For web applications rendered entirely server-side, there are no browser-based APIcalls needed to populate the user interface.

These types of apps are often known as traditional web apps. Traditional web apps still require access and refresh tokens. However, they do not need to be stored in the client because the back end performs the APIcalls.

We recommend storing tokens on the server, as this offers traditional web apps the maximum level of security. If this cannot be done, you should use encrypted session cookies so the client cannot read token values.

Recommended Flows: Authorization Code Flow (PKCE is recommended but optional)

Security risks

Keep two well-known vulnerabilities in mind when storing tokens: Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks.

  • XSSattacks enable attackers to inject malicious JavaScript into a browser so that important information, such as tokens, can be stolen.

  • CSRF attacks enable attackers to cause an authenticated user's browser to issue requests that modify the application state.

Traditional web app / SPAoptions

You can use the following storage options in both traditional web apps and single-page applications (SPAs):

  • Cookies

  • Local/session storage

Cookies

Cookies are one of the most established and time-tested methods of storing user information. However, you should take care to mitigate both XSSand CSRF attacks.

Advantages

Disadvantages

Cookies are vulnerable to both XSSand CSRFattacks. However, you can prevent these attacks in several ways:

  • Use httpOnly cookies to ensure that only the server can access cookie contents. This prevents XSSattacks from hijacking tokens stored in cookies.

  • Use an anti-CSRF protection mechanism, such as an X-CSRF-Token HTTPheader containing the cookie's value. Most web app frameworks provide built-in support for CSRFtoken verification.

  • In combination with CSRFtokens, set the SameSite attribute of cookies to either Lax or Strict to limit their inclusion in cross-site requests.

  • If your application uses cross-origin resource sharing (CORS)to allow cross-domain requests, ensure that request headers are properly set to further prevent CSRF attacks.

Local/session storage

Local storage enables you to save key-value pairs in a reserved section of browser memory. This section of memory follows a same-origin policy, preventing other domains from accessing its contents.

Your application's JavaScript can use the window.sessionStorage property to access it.

Differences between local and session storage

Local and session storage implement the same Storage JavaScript interface. However, keep in mind the following differences:

  • Local storage persists until a user clears their browser data, while session storage persists until a user closes their tab or window.

  • Local storage can be accessed across windows or tabs. Session storage is limited to a particular window or tab.

Advantages

  • Both storage options are immune to CSRF attacks.

Disadvantages

  • Local and session storage are vulnerable to XSS attacks. However, you can prevent this in two ways:

    • Implement refresh token rotation, which requires a new refresh token to be used each time an access token is requested.

    • Shorten the lifespan of refresh tokens to limit the potential impact of token theft.

  • Tokens stored in localStorage or sessionStorage must be explicitly included with requests using JavaScript.

SPA-onlyoptions

You can use the following storage options in SPAs:

  • Backend for frontend (BFF)

  • JavaScript Memory

  • Workers

Backend for frontend (BFF)

With SPAs, it is recommended to use the backend for frontend (BFF) pattern.

Other storage options expose SPAs to vulnerabilities, and though mitigations exist, they do not completely eliminate the threat of token theft.

With BFFs, you can offload token storage entirely to a backend client. This client can securely acquire and store tokens in order to proxy API requests on behalf of the user.

Best practices for storing tokens (1)

The following flow describes the role of the BFF:

  1. The user accesses an SPA in their browser.

  2. The user clicks a login button, causing the SPA to redirect to an endpoint on the BFF, such as /bff/login.

  3. The BFF initiates the standard OpenIDConnect (OIDC) authentication flow.

  4. After the user authenticates with the OIDC provider, the access, ID, and refresh tokens are stored in the BFF.

  5. The backend issues a first-party cookie to the SPA.It is configured as SameSite: 'Strict', httpOnly, and Secure.

    In effect, this cookie creates a sandbox between the SPA and backend for the duration of the user's session.

  6. To issue a request to a protected API, the SPAcalls the BFF with the desired endpoint and payload.

  7. The BFF appends the user's access token and proxies the request to the appropriate API.

  8. The APIresponse is forwarded to the SPA.

Advantages

  • Never stores the token in the browser; thus, eliminating the risk of client-side token theft

  • Widely considered the best practice for modern SPAs

Disadvantages

  • Requires additional infrastructure to host the BFF, which can increase cost and complexity

JavaScript memory

Advantages

JavaScript memory is accessible only by your web app's JavaScript, eliminating the possibility of XSSand CSRFattacks.

Disadvantages

Data stored in memory does not persist across page refreshes, so special care must be taken to ensure that users are not logged out. You can, however, solve this by storing refresh tokens in httpOnly cookies. The application can then use them to request new access tokens when the page is refreshed.

Workers

Workers allow you to run JavaScript code in the background without sharing any memory. This is useful for ensuring that sensitive information, such as tokens, cannot be accessed.

Advantages

Workers are inaccessible to other JavaScript, making them resistant to XSSand CSRFattacks.

Disadvantages

Workers are not supported by some older browsers, though this is becoming less of an issue.

Best practices for storing tokens (2024)
Top Articles
Scarcity Mindset: Causes and How To Overcome It
7 Facts About Divorce After a Long-Term Marriage | Iafrate & Salassa, P.C. | Birmingham Divorce Lawyers
Ups Stores Near
Room Background For Zepeto
Booknet.com Contract Marriage 2
Craigslist Mpls Mn Apartments
Sam's Club Gas Price Hilliard
DL1678 (DAL1678) Delta Historial y rastreo de vuelos - FlightAware
Smokeland West Warwick
Campaign Homecoming Queen Posters
Qhc Learning
Sport Clip Hours
Simon Montefiore artikelen kopen? Alle artikelen online
Huge Boobs Images
Craiglist Galveston
Craigslist List Albuquerque: Your Ultimate Guide to Buying, Selling, and Finding Everything - First Republic Craigslist
Best Forensic Pathology Careers + Salary Outlook | HealthGrad
Curry Ford Accident Today
Nurse Logic 2.0 Testing And Remediation Advanced Test
Indystar Obits
Jeff Now Phone Number
THE FINALS Best Settings and Options Guide
What Are The Symptoms Of A Bad Solenoid Pack E4od?
Bn9 Weather Radar
Avatar: The Way Of Water Showtimes Near Maya Pittsburg Cinemas
Meridian Owners Forum
The 15 Best Sites to Watch Movies for Free (Legally!)
Angel Haynes Dropbox
Tomb Of The Mask Unblocked Games World
Jamielizzz Leaked
Solo Player Level 2K23
Pixel Combat Unblocked
Fastpitch Softball Pitching Tips for Beginners Part 1 | STACK
Metra Union Pacific West Schedule
Babbychula
The Bold And The Beautiful Recaps Soap Central
Skill Boss Guru
Michael Jordan: A timeline of the NBA legend
Busch Gardens Wait Times
Spn-523318
Weather In Allentown-Bethlehem-Easton Metropolitan Area 10 Days
Unveiling Gali_gool Leaks: Discoveries And Insights
2024-09-13 | Iveda Solutions, Inc. Announces Reverse Stock Split to be Effective September 17, 2024; Publicly Traded Warrant Adjustment | NDAQ:IVDA | Press Release
Television Archive News Search Service
Jackerman Mothers Warmth Part 3
Theater X Orange Heights Florida
Zadruga Elita 7 Live - Zadruga Elita 8 Uživo HD Emitirani Sat Putem Interneta
Lira Galore Age, Wikipedia, Height, Husband, Boyfriend, Family, Biography, Net Worth
Kobe Express Bayside Lakes Photos
Lake County Fl Trash Pickup Schedule
Ranking 134 college football teams after Week 1, from Georgia to Temple
Dinargurus
Latest Posts
Back to Basics – Termination or Layoff – ALT HR Partners
Washington State Department of Health – Office of Radiation Protection
Article information

Author: Jerrold Considine

Last Updated:

Views: 6530

Rating: 4.8 / 5 (58 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Jerrold Considine

Birthday: 1993-11-03

Address: Suite 447 3463 Marybelle Circles, New Marlin, AL 20765

Phone: +5816749283868

Job: Sales Executive

Hobby: Air sports, Sand art, Electronics, LARPing, Baseball, Book restoration, Puzzles

Introduction: My name is Jerrold Considine, I am a combative, cheerful, encouraging, happy, enthusiastic, funny, kind person who loves writing and wants to share my knowledge and understanding with you.