Alternatives to plain access_token?

[FedericoHeichou]

I have a frontend with mod_auth_openidc and a backend API with mod_oauth2. I'm using Keycloak.

Actually I use /redirect_uri?info=json in the frontend, I get the access_token and add it to the Authorization, then I send the request to the backend API.

But if a XSS in the frontend happens an attacker can steal the access_token jwt everytime it expires and using the stolen jwt for different APIs in the same realm.

A solution would be using mod_auth_openidc in the backend, then share the same OIDCCacheType and use the session cookie (with credentials: same-origin) instead of access_token, but I'd prefer don't share it.

Another solution would be retrieve a encrypted access_token in ?info=json, send it to the backend, then decrypt it in the backend, but both mod_auth_openidc and mod_oauth2 seems doesn't support this feature.

Any suggestions?

[zandbelt]

XSS is always a problem; FWIW even encrypting an access token won't help in that case as the attacker would just use the encrypted token to access the API

[FedericoHeichou]

Sure, but it would only works in that specific backend, not in others that just validates JWT for authentication

Maybe is there a way to set the access_token in the frontend cookies HTTP only? In this way I could send them without let the js directly access it

[zandbelt]

Sure, but it would only works in that specific backend, not in others that just validates JWT for authentication

the backends should differentiate between tokens through scopes

[FedericoHeichou]

I think you are right, surely the scope has to be checked from the application, and it should be enough. I was thinking about bad APIs.

Do you think I should just ignore them?

Anyway to prevent XSS a bit I was thinking something like this

Header set Set-Cookie "access_token=%{OIDC_access_token}e; Path=/; Secure; HttpOnly; SameSite=None"

What do you think?

[zandbelt]

it does not prevent XSS in itself, and if XSS happens, the attacker will just call APIs from the app whilst the cookie is added automatically; which comes back to my original point on XSS...

[FedericoHeichou]

I said it wrongly, I would say "prevent stealing the token via XSS"
But you are right, if the token is valid only for that API the attacker can just call the API directly from the browser