Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi

Is storage of tokens in browser localStorage insecure?

Closed this issue · 2 comments

Library

  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x

Description

I have noticed that tokens are stored in localStorage in the browser. Is this not vulnerable to Cross Site Scripting (XSS)? I have seen a lot of advice saying not to do this, as nothing stored in the browser is safe. Could an attacker not get the tokens from local storage and then just call my API maliciously? (Deleting all my users' todos, for example (gasp!))

Some people have instead recommended validating the token on the server and then issuing a cookie, but I don't know how to do this when using the Microsoft.Identity.Web library.

Any help appreciated.

Cheers

@EricEzaM storing tokens in browser storage is only one part of the story. Azure AD takes additional steps to increase security. For instance, tokens assigned to SPAs have a lifespan of only 1 hour. Then there are a number of features for eliminating replay attacks, such as signing key rotation, multi-factor authentication, continuous access evaluation, etc. Of course, the API here also validates access tokens before granting access.

Ultimately, it's a tradeoff between more security and a better user experience. For example, session storage is more secure, but local storage gives you single sign-on between tabs. MSAL.js has an in-memory token storage option, and there is work on providing a secure storage option. In general, SPAs are not meant to be dealing with critical data access. In such cases you might want to use a web app, or a SPA using the on-behalf-of flow, for instance.

Let me know if that helps.

Closing due to inactivity. Let us know.