Secure OAuth in JavaScript

Chris Salij · May 26, 2011 · Viewed 9.9k times

I have an API which uses OAuth 1.0a to authenticate applications using it. It's replacing an old API which used a number of custom-built and hodge-podge calls which are being deprecated.

It's well known that OAuth 1.0a is not secure in (client-side) JavaScript since it relies on the consumer secret being kept secret, which is not possible since the source is always viewable.

We have browser extensions for Chrome, Firefox, IE and Safari which need to use this API in the future. These extensions are all written largely or entirely in JavaScript, and hence the problem of security.

These extensions are in-house and so can have custom authentication methods to get their access tokens.

What I'm planning on implementing is the following:

  • The user logs into the website in the browser.
  • The website issues them a cookie with a session key.
  • Our extension then takes that cookie and passes it to the API.
  • The API validates that it is a valid & active session and issues the extension its access tokens.
  • These tokens last for a maximum of one hour before they expire.
  • There will also be lower rate limits on the JavaScript-issued cookies.

It operates under the following assumptions:

  • If another application has access to your cookies, then they can impersonate you on the website anyway, so access to the API is no different.
  • All authentication methods still go through our control.
  • Regular expiry of tokens means that if they are compromised then there is a limited time for exploitation.

My question is, is this a secure method of restricting access to the API? Are there any better ones?

A couple of notes. I know for a fact that Chrome extensions can ask for permission to access your cookies for a given site. I believe Firefox extensions can do so too.

Obviously we don't want our cookies accessible via JavaScript on any page, otherwise we'd expose ourselves to XSS attacks, so they need to be accessible only via extensions.

Answer

Teddy · Jun 9, 2011

I wrote a site that does OAuth login via a JavaScript library for OAuth. This is the workflow:

  1. OAuth is only supported on browsers that have LocalStorage
  2. The login form will check LocalStorage for OAuth keys and try an OAuth login automatically if OAuth keys exist.
  3. There is a checkbox for "remember me" on login form, so a user can have OAuth tokens created for them on login.
  4. A successful login with remember me will:
    • find or create ClientApplication with the name equal to User Agent, and create the tokens if necessary
    • respond with a JavaScript tag in the HTML response. The JavaScript tag will call a JavaScript function with the tokens passed as arguments. This function will save the OAuth tokens to LocalStorage.
  5. An unsuccessful OAuth login attempt will:
    • respond with a JavaScript tag in the HTML response. The JavaScript tag will call a JavaScript function to clear the LocalStorage settings for OAuth tokens. This will prevent additional OAuth login attempts.

There is some more detail to this process, I can tell you more about it if you want me to.