Home > database >  Is client secret ever a secure method to refresh access token for an SPA in authorization code flow?
Is client secret ever a secure method to refresh access token for an SPA in authorization code flow?

Time:10-05

In the article at MSDN, it says that the following request needs to be performed to get a new access token using a refresh token for a web app.

POST /.../v2.0/token
Content-Type: application/x-www-form-urlencoded

?client_id=...
&scope=wide_and_proud
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFP...
&grant_type=refresh_token
&client_secret=hakuna_matata

It means that we'd need to distribute the client's secret to the frontend application, which, to me, opens a huge security gap. I want to argue that we should never-ever feed our SPA with the information on client's secret.

I've been googling it for a few days and all the resources somehow point to a case where we do provide client's secret. However, I can't shake of the sensation that it's not what's supposed to be applied in the case of an SPA authenticating using authorization code flow. However, I see no documentation specifically discussing the combo: "spa refresh token authorization code flow".

CodePudding user response:

You are right that the SPA should not use a client secret. It should also avoid use of refresh tokens. The problem is that the SPA has nowhere secure to store this information.

PKCE

An SPA is a public client and can use a one time use runtime secret rather than the client secret field. See this Proof Key for Code Exchange summary for details. This would solve the initial problem.

The Token Handler Pattern

If you want to go further, there is a wider issue is that an SPA needs a server component (API) that will look after its secrets and tokens. The SPA can then make a request such as this and the API can deal with sensitive data:

POST /login/end { url: location.href }

If this is done in an API driven manner it also fits very nicely with the goals of an SPA architecture, though it does add more moving parts. See these resources for further info:

Note also that this is a general design pattern. It will work with Microsoft and any other Authorization Server.

Token Handler First Steps

You could start with just these steps, which would also keep refresh tokens out of the SPA:

  • SPA calls API at /login/start to get the redirect URI
  • API sets a temp cookie with state PKCE parameters
  • SPA redirects and receives the response
  • SPA calls API again, at /login/end
  • API then supplies the client secret to the Authorization Server
  • API stores refresh tokens in a secure cookie
  • API returns short lived access tokens to the SPA
  • Related