I have a React App that is using implicit flow to authorize the user.
The flow goes like this:

1. If no access token or user info is saved in sessionStorage, the user gets redirected to the login page.
2. The user logs in and gets redirected to the home page of the React App.
   2.1. When redirecting back to the home page, the redirect URL already has access_token and id_token as part of the URL params.
3. The React App saves the access token and decodes the id_token to get info about the user.

Now the problem is that if somebody steals the redirect URL in 2.1, they can paste it in their browser and basically replay this login.

One of the solutions was to implement a nonce.
https://auth0.com/docs/api-auth/tutorials/nonce
As per the article above, the nonce should be stored in localStorage, and once I get the id_token back with the nonce in it, I should validate it against the original nonce from localStorage. But the attacker can do the following:

1. Take this id_token.
2. Decode it using any online tool.
3. Check what kind of nonce was in it.
4. Using Chrome Dev Tools, modify his localStorage with the needed nonce.

Does anybody know any better ideas for preventing such an attack?