info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Securing JWT (password grant flow)
14 views
Skip to first unread message
Vlad Suciu
May 17, 2017, 8:38:33 AM5/17/17
to
I'm currently implementing auth using JWT and I'm having some concerns about security. The application is written in react + golang(backend API)
Given the password grant flow this is how the application works:
User logins with his credentials and he is returned a short-lived JWT (without any sensitive informations) and a refresh token(long-lived). The refresh token is saved in the db(so that it can be revoked if necessary).
Given the fact that i store the tokens in local storage and the app is served via SSL, and the submitted form data on the client is santinized on the backend for protection against XSS, are there any other major security risks?
Alternatively i was also thinking to store the access token on local storage and the refresh token in a http only cookie(protected against CSRF). That way, if an attacker manages to get his hands on the access token, he will have a short window to perform his actions.
Given the password grant flow this is how the application works:
User logins with his credentials and he is returned a short-lived JWT (without any sensitive informations) and a refresh token(long-lived). The refresh token is saved in the db(so that it can be revoked if necessary).
Given the fact that i store the tokens in local storage and the app is served via SSL, and the submitted form data on the client is santinized on the backend for protection against XSS, are there any other major security risks?
Alternatively i was also thinking to store the access token on local storage and the refresh token in a http only cookie(protected against CSRF). That way, if an attacker manages to get his hands on the access token, he will have a short window to perform his actions.
0 new messages