Skip to content

Commit e514a8d

Browse files
aaronpkaaronpk
authored
Merge pull request #19 from ymajoros/serviceworker-only
about constricting all authentication to a service worker
2 parents e9c6fc1 + 921c35a commit e514a8d

File tree

1 file changed

+32
-0
lines changed

1 file changed

+32
-0
lines changed

draft-ietf-oauth-browser-based-apps.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -376,6 +376,38 @@ Remarks and mitigations:
376376
* To avoid information disclosure from ID Tokens, the application SHOULD be designed to not have any claim that isn't used by the frontend.
377377
* The application designer SHOULD consider not having refresh tokens at all to avoid the risk of giving prolonged access to the attacker.
378378

379+
### Tokens Securely Handled by a Service worker
380+
In this scenario, a [Service Worker](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API) is responsible for obtaining tokens from the authorization server and passing them to the resource API.
381+
382+
Service workers are inherently safe from XSS, because the browser APIs allowing to register one take an origin-constrained URL.
383+
They can thus be used as a safe store for tokens.
384+
385+
In this architecture, a service worker intercepts calls from the frontend to the resource server. As such, it completely isolates calls to the authorization server from XSS attack surface, as all tokens and PKCE secrets are safely kept there without any access from other JavaScript contexts. The service worker is then solely responsible for adding authentication headers to calls to the resource server.
386+
387+
Resource Authorization
388+
User Application Service Worker server server
389+
| browse | | | |
390+
| ------------>| | | |
391+
| |-------------------> | /authorize |
392+
| | -------------------------------------------------------->
393+
| | | redirect + authorization code |
394+
| | < - - - - - - - - - - - - - - - - - - - - - - - - - - - |
395+
| | | auth code |
396+
| | | -------------------> /token |
397+
| | | ------------------------------------------------------>
398+
| | resource request | <- - - - - - - - - - - - - - - - - - - - - - - - - - -|
399+
| |-------------------> resource request with token | |
400+
| | | ---------------------------->| |
401+
| | | | |
402+
User Application Service Worker Resource Authorization
403+
server server
404+
405+
#### Security Considerations
406+
* The service worker MUST initiate the OAuth 2.0 Authorization Code grant with PKCE itself.
407+
* The service worker MUST intercept the authorization code when the *authorization server* redirects to the application. This makes this architecture completely safe from token or session leaks in case of XSS.
408+
* The service worker implementation MUST then initiate the token request itself.
409+
* The service worker MUST not transmit tokens, authorization codes or PKCE secrets (e.g. code verifier) to the frontend application.
410+
* The service worker MUST block /token or /authorize calls initiating from the frontend application in order to avoid any front-end side-channel for getting credentials: the only way of starting the authorization flow is through the service worker. This protects against re-authorization from XSS-injected code.
379411

380412
Authorization Code Flow {#authorization_code_flow}
381413
=======================

0 commit comments

Comments
 (0)