0 votes

I am using AuthorizationServerConfigurerAdapter to configure my OAuth2 password flow, where I am successfully creating a JWT token. I am using my OAuth2 within my Spring REST backend and pairing it with my Angular 2 frontend.

I have read several articles (e.g. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage) where people are putting the JWT inside an HTTP-only cookie returned to the Angular front end to prevent XSS, and it is of interest to me. I am confused about how to integrate or intercept my JWT being returned, place it inside an HTTP-only cookie and return that.

Any Suggestions?

John

1
The article you linked to seems to advise sending the token back to the resource server in a Cookie header, which removes any protection you might have had from XSS. You need to send tokens in an Authorization (or non-Cookie) header, even if you really insist on storing them in a cookie, and to do that the cookie has to be non-HTTP, which defeats the object somewhat. - Dave Syer

Hi @DaveSyer, we are just having the very same discussion around this article. Would you mind elaborating a bit more on what you mean when you say "sending the token in a cookie header removes any protection you might have had from XSS"? We think this cookie approach is rather cumbersome, and we would like to fully understand the caveats. Thanks! - José Carlos
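For readers who still want to try the cookie approach the question asks about, here is an added example (it is not code from the asker, from Spring Security OAuth, or from the linked article) of the two pieces usually involved: a filter on the authorization server that moves `access_token` out of the `/oauth/token` JSON response into an `HttpOnly; Secure; SameSite=Strict` cookie, and a filter on the resource server that copies that cookie back into an `Authorization: Bearer` header before the bearer-token filter runs, so the resource endpoints never read the token from the Cookie header themselves. Because the browser attaches the cookie automatically, the second filter also demands an `X-Requested-With` header that a cross-site form post cannot add, which is the caveat behind Dave Syer's comment. Assumptions: Servlet 3+ with Spring Web on the classpath (for `OncePerRequestFilter` and `ContentCachingResponseWrapper`), Jackson for JSON, the token endpoint at `/oauth/token`, and that you register both filters yourself (for example via `FilterRegistrationBean`) ahead of the OAuth2 filters; the cookie name and class names are made up for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.ContentCachingResponseWrapper;

// Added example, not part of the question or of Spring Security OAuth.
public class JwtCookieFilters {

    static final String TOKEN_COOKIE = "access_token"; // assumed cookie name

    /** Authorization server: turn the JSON access_token into an HttpOnly cookie. */
    public static class TokenToCookieFilter extends OncePerRequestFilter {
        private final ObjectMapper mapper = new ObjectMapper();

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            if (!"/oauth/token".equals(request.getServletPath())) {
                chain.doFilter(request, response);
                return;
            }
            // Buffer the body so we can read the token after the endpoint has written it.
            ContentCachingResponseWrapper buffered = new ContentCachingResponseWrapper(response);
            chain.doFilter(request, buffered);
            if (buffered.getStatus() == HttpServletResponse.SC_OK) {
                JsonNode body = mapper.readTree(buffered.getContentAsByteArray());
                JsonNode token = body.get("access_token");
                if (token != null) {
                    long maxAge = body.path("expires_in").asLong(3600);
                    // javax.servlet.http.Cookie has no SameSite setter, so write the header by hand.
                    response.addHeader("Set-Cookie", TOKEN_COOKIE + "=" + token.asText()
                            + "; Path=/; Max-Age=" + maxAge
                            + "; HttpOnly; Secure; SameSite=Strict");
                }
            }
            // The JSON body is still returned here; drop it instead if the client must never see the token.
            buffered.copyBodyToResponse();
        }
    }

    /** Resource server: present the cookie to the OAuth2 stack as a bearer header. */
    public static class CookieToBearerFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String token = findCookie(request.getCookies(), TOKEN_COOKIE);
            if (token == null || request.getHeader("Authorization") != null) {
                chain.doFilter(request, response); // nothing to do, or an explicit header wins
                return;
            }
            // The browser sends the cookie on any request, including a cross-site form post,
            // so require a header that only same-origin XHR/fetch code can add.
            if (!"XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing X-Requested-With");
                return;
            }
            String bearer = "Bearer " + token;
            chain.doFilter(new HttpServletRequestWrapper(request) {
                @Override
                public String getHeader(String name) {
                    return "Authorization".equalsIgnoreCase(name) ? bearer : super.getHeader(name);
                }

                @Override
                public Enumeration<String> getHeaders(String name) {
                    // Spring's BearerTokenExtractor reads getHeaders("Authorization"), so cover both.
                    return "Authorization".equalsIgnoreCase(name)
                            ? Collections.enumeration(Collections.singletonList(bearer))
                            : super.getHeaders(name);
                }
            }, response);
        }
    }

    static String findCookie(Cookie[] cookies, String name) {
        if (cookies == null) {
            return null;
        }
        return Arrays.stream(cookies)
                .filter(c -> name.equals(c.getName()))
                .map(Cookie::getValue)
                .findFirst()
                .orElse(null);
    }
}
```

The Angular client then calls the API with `withCredentials` and an `X-Requested-With: XMLHttpRequest` header and never touches the token itself; `SameSite=Strict` plus the header check is what stands in for the CSRF protection a plain `Authorization` header gives you for free, which is why the comments above call this approach cumbersome.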

1 Answer

0 votes

I wouldn't recommend using password flow at all, especially in a browser client. OAuth2 was designed so that you can avoid that, and thus avoid giving user credentials to an untrusted agent. If you let go of password grants, you will find that a session cookie is just as secure as your JWT cookie proposal, and it works out of the box with no funny business on client or server.