Hashicorp Vault for storage of secrets for public javascript client


John Stafford

Sep 12, 2017, 2:39:59 PM
to Vault
Hi. I have a few questions in regards to storing a secret for a public javascript client.

1) Can I ensure that only clients using my javascript front end (Angular 4) are able to get access to my secret stored in a node-vault  on my server (i.e. no direct access to vault via REST API outside my server)? 

2) If vault secrets are accessed via a REST API, using the normal http way of accessing stuff in Rx JavaScript for Angular 4 should work, correct? 

3) I already have a use case for Vault for my serverside Java app. Could I use this vault as well for my javascript client?

Thanks.

John

Jason Antman

Sep 12, 2017, 4:08:07 PM
to Vault
John,

1) This question is somewhat confusing to me. Maybe this is my ignorance, but isn't Angular a client-side javascript framework, i.e. for the browser? I can think of two possible scenarios here: (a) you have a server-side component to your app that runs on the same "machine" (physical, VM, container, whatever) as Vault, and accesses the secret on behalf of the client; in this case, you'd simply have the Vault server process listen on 127.0.0.1, or some other local interface, or firewall off the Vault port from the outside. (b) You want Angular, actually running in a client browser, to access Vault directly. In that case, your client will need to have a network path to the Vault server, or else you'll need something to proxy between the client and Vault. But also keep in mind that every HTTP request to Vault must be authenticated, so if you're making Vault requests directly from client-side code, you'll also need to figure out how to authenticate that client to Vault and secure its token.

2) I'm not familiar with Rx JavaScript for Angular 4, but I can't imagine anything that can handle HTTP and wouldn't work with it. You send an HTTP request to a specific path with some specific headers, and get back a response. The API is pretty well documented, and there are two NodeJS client library examples that you can take a look at: https://www.vaultproject.io/api/libraries.html#node-js

3) yes, Vault has one HTTP(S) API; you can access the same Vault server from any language that can make HTTP requests. We have clients accessing our Vault cluster from Ruby, Python, Java, Groovy and via curl.

I'm not sure what your exact use case is, but it sounds (from questions 1 & 2) like you're talking about accessing Vault directly from client-side (i.e. in-browser) code. Keep in mind that means your client will need to have a Vault token to make requests directly to Vault, and that Vault token will need to be appropriately secured (i.e. anything that can grab your client's token can impersonate the client). Personally, for something like this, I'd be much more inclined to have my server-side component handle reading from and writing to Vault, and keep that out of the client code altogether...

-Jason Antman


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/b0ec749f-ca2c-4ea7-a1c3-0db58e209c3f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

John Stafford

Sep 12, 2017, 5:11:23 PM
to Vault
Thank you for your response, Jason. So, Questions #2 and #3 have been answered by you, but I was still hoping for more clarity on #1 from you or someone else.

Here is my scenario. I am using an Angular 4 Single Page Application front end that communicates with my Java server side app via REST. Pretty standard these days. Much of this REST API is public and anonymous (no user authentication); however, I want to ensure that no direct access of my server side Java app happens outside of my Angular 4 client. I am interested in client authentication. I was looking at client credentials flow of OAuth2 to verify that ONLY my Angular 4 client is accessing my server side Java - Spring REST API. 

THE STORAGE OF THIS CLIENT CREDENTIALS PASSWORD IS MY USE CASE FOR VAULT.

Local Storage is where tokens like this are stored for SPA clients like this. I would assume the same for the Vault token. The only way it could be compromised is if someone stole it in a CSRF attack, but Angular 4 does take steps to mitigate these attacks with its built in DOM sanitizer. 

1a) I guess this is the answer to my initial question, Could an outside client get access to my Vault Token. No, unless there was a CSRF attack where it was stolen. Do you agree?

1b) My additional question is how would this token be generated for each person coming to my site? Since local storage is something in the browser, would the token be generated each time someone visits the site?



Stuart Clark

Sep 12, 2017, 5:33:04 PM
to vault...@googlegroups.com

> Thank you for your response Jason. So, Questions #2 and #3 have been
> answered by you, but still was hoping for more clarity on #1 by you or
> someone else.
>
> Here is my scenario. I am using an Angular 4 Single Page Application front
> end that communicates with my Java server side app via REST. Pretty
> standard these days. Much of this REST API is public and anonymous (no
> user
> authentication); however, I want to ensure that no direct access of my
> server side Java app happens outside of my Angular 4 client. I am
> interested in client authentication. I was looking at client credentials
> flow of OAuth2 to verify that ONLY my Angular 4 client is accessing my
> server side Java - Spring REST API.
>
> THE STORAGE OF THIS CLIENT CREDENTIALS PASSWORD IS MY USE CASE FOR VAULT.
>
> Local Storage is where tokens like this are stored for SPA clients like
> this. I would assume the same for the Vault token. The only way it could
> be
> compromised is if someone stole it in a CSRF attack, but Angular 4 does
> take steps to mitigate these attacks with its built in DOM sanitizer.
>
> 1a) I guess this is the answer to my initial question, Could an outside
> client get access to my Vault Token. No, unless there was a CSRF attack
> where it was stolen. Do you agree?
>
> 1b) My additional question is how would this token be generated for each
> person coming to my site? Since local storage is something in the browser,
> would the token be generated each time someone visits the site?
>

So you have a REST API and you are trying to prevent access to it unless they are using your front end app?

I'm not quite sure what you are hoping Vault would do here. Are you suggesting adding authentication to the REST API with Vault containing the secret to access it?

To access Vault you (as a user of the Vault API) need to authenticate. So you could use one of the authentication mechanisms to allow the end user to login (with them giving username/password, using LDAP credentials or Github details for example). You could then record which users access the REST API and restrict users if you wished.

However you mention not having user authentication.

So I'm guessing you are wanting a way of authenticating the actual front end app is being used (rather than someone hitting the REST API directly).

If so, I don't think Vault has anything to offer here, and indeed that is pretty much impossible. There is no secure way to store secrets within the app's code (because people can read that code freely) and so a user could mimic your front end app pretty easily.

If this isn't your intention would you mind explaining what you are trying to do in more detail?

Thanks


--
Stuart Clark

John Stafford

Sep 12, 2017, 5:46:00 PM
to Vault
Hi Stuart, thanks for your response.

Yes, no user authentication or LDAP security is going to be needed here. This part of my API is anonymous where anyone can visit the page, i.e. no user authorization restrictions.

I want to store the client password in Vault so that only my Angular 4 client can have read access to this and pass the needed credentials to my backend. Verifying a client like this is part of the client credentials flow of OAuth2 and is used for verifying clients. I just have to store this password securely in Vault and ensure that the Vault token is generated and available for my Angular 4 client when someone visits the site.

I realize JavaScript clients are not secure, but I was hoping to only have read access to Vault for only my Angular 4 client. Generating and storing this Vault token in local storage seems to me to be a viable option.

Stuart Clark

Sep 12, 2017, 5:53:40 PM
to John Stafford, Vault
How would you be expecting to authenticate with Vault?

You mention storing a token in local storage, but where would this be sourced from?

If there is no user authentication I'm not sure what would prevent anyone obtaining a Vault token and therefore being able to access the secret you are storing.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

John Stafford

Sep 12, 2017, 6:21:11 PM
to Vault
It is the client that is authenticating, and not the user. This would source the token with its read access and then store this in local storage.

Doesn't this make sense? If not, could someone else give me feedback on using vault to securely store the client credentials password. When the angular client makes calls to the server side app, it uses its read access to vault to retrieve the password, and passes the client id and password back to the OAuth2 secured app that verifies the client.

John Stafford

Sep 12, 2017, 6:27:49 PM
to vault...@googlegroups.com
Couldn't I verify that the vault is listening on a local port and that it generates a vault token only when called by angular client?

On Sep 12, 2017 5:21 PM, "John Stafford" <john.howar...@gmail.com> wrote:
It is the client that is authenticating, and not the user. This would source the token with its read access and then store this in local storage.

Doesn't this make sense? If not, could someone else give me feedback on using vault to securely store the client credentials password. When the angular client makes calls to the server side app, it uses its read access to vault to retrieve the password, and passes the client id and password back to the OAuth2 secured app that verifies the client.


Stuart Clark

Sep 13, 2017, 3:17:56 AM
to vault...@googlegroups.com, John Stafford
This bit is the problem.

How would you ensure you are only giving a token to someone running your frontend javascript?

John Stafford

Sep 13, 2017, 10:38:35 AM
to Vault
Hi Stuart. Thanks for your response. Well, that's where my inexperience with Vault may need help. I thought you could configure Vault to listen to specific ports that want access to secrets stored in it. That was what I thought.

I am also looking at just using a basic firewall for preventing third party clients that are not mine from accessing my public anonymous api. This may be the route I have to go.


On Wednesday, September 13, 2017 at 2:17:56 AM UTC-5, Stuart Clark wrote:
On 12 September 2017 23:27:46 BST, John Stafford <john.howar...@gmail.com> wrote:
Couldn't I verify that the vault is listening on a local port and that it generates a vault token only when called by angular client?