How to securely pass token after authentication to angular application

Viewed 464 times

8

I am developing an Angular add-in for Outlook - Office 365 for a management application, "Jasmin Software". The application is divided into two parts: the first is a JavaScript application that handles authentication against the OAuth2 server, the second is the Angular application itself.

Question: How can I securely pass the returned token after authentication to the angular application and then make the requests to the application.

My code after getting the answer from the server is this:

    function getCallbackResponse(data) {

        // The callback parameters arrive as "access_token=...&expires_in=...",
        // possibly with a leading "#" or "?" from the redirect URL.
        var responseParameters = data.replace(/^[#?]/, '').split("&");
        var parameterMap = {};

        for (var i = 0; i < responseParameters.length; i++) {
            // Split only on the first "=": a value may itself contain "=".
            var pair = responseParameters[i];
            var eq = pair.indexOf("=");
            if (eq === -1) { continue; }
            parameterMap[decodeURIComponent(pair.slice(0, eq))] =
                decodeURIComponent(pair.slice(eq + 1));
        }

        if (parameterMap.access_token !== undefined && parameterMap.access_token !== null) {

            var oauth_response = {
                access_token: parameterMap.access_token,
                expires_in: parameterMap.expires_in
            };

            // I'M USING THIS... BUT I DON'T KNOW IF IT'S THE BEST WAY?
            sessionStorage.removeItem('oauth');
            sessionStorage.setItem('oauth', JSON.stringify(oauth_response));

        } else {

            console.log('Problem authenticating');
        }
    }
  • A common practice, regardless of the platform or app, is to encrypt the token. When you submit the request, you send the encrypted token.

  • Do you have any suggestions for an encryption algorithm?

1 answer

7


The most common approach is what you have done: record the token in sessionStorage and then read it back from sessionStorage when you need it.

This is as safe as "saving a file to your PC", and only the client that received the token knows that you saved it to sessionStorage.

Another way to do this, used for example in e-mails, is to use a URL containing the token: if the server recognizes the token then all is well; if not, it discards the request as an error.

If your concern is MitM-type attacks, then the answer becomes: use SSL.
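The flow the answer describes (callback stores the token in sessionStorage, the Angular side reads it back and attaches it to requests over SSL/TLS), as an added example that is not code from the question or the answer. The function names (`storeOAuthResponse`, `loadAccessToken`, `authHeadersFor`), the storage key `oauth`, the 30-second clock-skew margin and the sample callback fragment are all assumptions for illustration. It assumes the token arrives in the URL fragment (`#access_token=...&expires_in=...`) as the question's `getCallbackResponse` expects; the storage object is injectable so the example runs under Node with an in-memory stand-in, and in the browser you would pass `window.sessionStorage`.

```javascript
// Added example, not from the original post. Hypothetical names throughout.

// In-memory stand-in for window.sessionStorage so the example runs outside a
// browser (constructed for this example). Pass window.sessionStorage in the add-in.
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
const memoryStorage = createMemoryStorage();

const STORAGE_KEY = 'oauth';          // assumed key, matches the question's code
const CLOCK_SKEW_MS = 30 * 1000;      // assumed margin: treat the token as expired slightly early

// Parse "#access_token=...&expires_in=..." (or "?...") into a plain object.
// Splits on the first "=" only and percent-decodes, so values containing "=" survive.
function parseCallbackFragment(fragment) {
  const params = {};
  for (const pair of fragment.replace(/^[#?]/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    params[key] = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
  }
  return params;
}

// Callback side: validate the response and store it with an absolute expiry time.
// Any failure clears the slot so a stale token is never left behind.
function storeOAuthResponse(fragment, now = Date.now(), store = memoryStorage) {
  const p = parseCallbackFragment(fragment);
  if (p.error) {
    store.removeItem(STORAGE_KEY);
    throw new Error('OAuth error from server: ' + p.error);
  }
  const expiresIn = Number(p.expires_in);
  if (!p.access_token || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    store.removeItem(STORAGE_KEY);
    throw new Error('callback has no usable access_token/expires_in');
  }
  const record = {
    access_token: p.access_token,
    token_type: p.token_type || 'Bearer',
    expires_at: now + expiresIn * 1000,   // absolute ms timestamp, not the relative expires_in
  };
  store.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Angular side: read the record back. Returns null (and clears storage) if the
// record is missing, malformed, or expired, so the caller re-authenticates.
function loadAccessToken(now = Date.now(), store = memoryStorage) {
  const raw = store.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { store.removeItem(STORAGE_KEY); return null; }
  if (typeof rec.access_token !== 'string' || typeof rec.expires_at !== 'number' ||
      now + CLOCK_SKEW_MS >= rec.expires_at) {
    store.removeItem(STORAGE_KEY);
    return null;
  }
  return rec;
}

// Build the headers for an API request. Refuses plain http: the bearer token
// must only travel over TLS (the answer's "use SSL").
function authHeadersFor(apiUrl, now = Date.now(), store = memoryStorage) {
  if (!/^https:\/\//i.test(apiUrl)) {
    throw new Error('refusing to send a bearer token over a non-HTTPS URL: ' + apiUrl);
  }
  const rec = loadAccessToken(now, store);
  if (rec === null) return null;   // caller must start the login flow again
  return { Authorization: rec.token_type + ' ' + rec.access_token };
}
```

Storing `expires_at` rather than the raw `expires_in` is what makes the expiry check on the Angular side meaningful: `expires_in` is relative to the moment the callback ran, which the reader of sessionStorage no longer knows.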
