How to log out using PKCE authorization flow?

不问归期 submitted on 2021-01-29 08:40:37

Question

Suppose I have an app and an API. If the app logs in through the authorization server and sends the `Authorization: Bearer xxx` header with each request, the API can verify the token locally. When the user logs out (through the auth server) but the token has not yet expired, if someone retrieves this token they will be able to make requests (if the authentication of the token is done locally on the server), is that correct? If that's the case, why is such a logout flow considered secure?

Edit: Clarifying the main question: why is the PKCE flow considered secure if, when a user logs out, their access token is still valid (given we do local token verification)?


Answer 1:

BEHAVIOUR OVERVIEW

With OAuth there is a greater separation of concerns than in older standalone web apps:

  • You log into UIs
  • This is externalised to an Authorization Server
  • An access token is issued with a fixed / short lifetime
  • Access tokens are used as API message credentials
  • The access token can potentially be sent to other components and used from there

When you logout:

  • You remove tokens from your app
  • You redirect to tell the Authorization Server the user is no longer logged into any UI
  • This doesn't invalidate access tokens

TOKEN STORAGE

Tokens should be stored in private memory or protected storage so that attackers cannot access them easily. Your app then removes tokens as part of the logout process so that they are no longer available for attackers to try to access.

THREATS

The OAuth Threat Model has a section on stolen tokens, where it recommends the above storage and to keep tokens short lived. The most common industry default for an access token is 60 minutes.

The main risk of a malicious party stealing a token is via cross-site scripting. XSS risks are not related to logout. Security testing should be performed regularly to ensure that XSS risks are mitigated.

BALANCE BETWEEN SECURITY AND PERFORMANCE

It may be possible for the UI to tell the Authorization Server that a token is revoked. However, the API would then need to call the Authorization Server on every API request to check for token revocation. This would lead to poor performance.

API ARCHITECTURE

I always aim to use Claims Caching and introspection in OAuth secured APIs, since it gives the actual API best control, along with good extensibility and performance.

With this in place, if you really wanted to make access tokens unusable after logout without ruining performance, your UI could perform these actions as part of the logout process:

  • Revoke the access token at the Authorization Server (if supported)
  • Call APIs to ask them to remove cached claims for the access token
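
An added example (not from this answer, Stack Overflow, or any vendor) of the claims-caching arrangement described above, in Python against constructed in-memory stand-ins for the Authorization Server and the API: `introspect` and `revoke` mimic the shape of RFC 7662 and RFC 7009 responses but do no network I/O, and the clock is an integer `now` passed in so cache expiry can be reasoned about. It shows that revocation alone leaves a token accepted until the API's cached claims expire, which is why the logout step must also evict the cache entry, and that the cache never outlives the token's own `exp`.

```python
import hashlib


def token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()  # cache key: a hash, never the raw token


# Constructed stand-in for the Authorization Server: RFC 7662-style introspection, RFC 7009-style revocation.
class AuthorizationServer:
    def __init__(self):
        self.tokens = {}  # opaque access token -> claims

    def issue(self, sub, scope, now, lifetime_s=3600):
        token = hashlib.sha256(f"{sub}:{now}".encode()).hexdigest()[:32]
        self.tokens[token] = {"sub": sub, "scope": scope, "exp": now + lifetime_s}
        return token

    def introspect(self, token, now):
        claims = self.tokens.get(token)
        if claims is None or claims["exp"] <= now:
            return {"active": False}
        return {"active": True, **claims}

    def revoke(self, token):
        self.tokens.pop(token, None)


# The API: introspects once per token, caches the claims, and lets the UI evict an entry at logout.
class ResourceServer:
    def __init__(self, auth_server, cache_ttl_s=300):
        self.auth_server = auth_server
        self.cache_ttl_s = cache_ttl_s
        self.cache = {}  # token_key -> (claims, cached_until)
        self.introspect_calls = 0  # round trips to the Authorization Server

    def authorize(self, token, now):
        entry = self.cache.get(token_key(token))
        if entry and entry[1] > now:
            return entry[0]  # cache hit: no call to the Authorization Server
        self.introspect_calls += 1
        result = self.auth_server.introspect(token, now)
        if not result.get("active"):
            return None
        claims = {k: v for k, v in result.items() if k != "active"}
        self.cache[token_key(token)] = (claims, min(now + self.cache_ttl_s, claims["exp"]))  # never past exp
        return claims

    def evict(self, token):
        self.cache.pop(token_key(token), None)


def logout(auth_server, api, token):
    auth_server.revoke(token)  # step 1: revoke at the Authorization Server (if supported)
    api.evict(token)           # step 2: ask the API to remove its cached claims
```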



Answer 2:

Okta's /introspect can tell you if active is true or false; you could check that on every request if you are not slamming the API: https://developer.okta.com/docs/reference/api/oidc/#introspect




Answer 3:

It's hard to get access to the token; that's probably a good reason why it's not by definition insecure.

However, providing a logout option is a good idea. OAuth2 has a 'revoke' feature to make sure that tokens are revoked:

https://tools.ietf.org/html/rfc7009

Not every server supports this.



Source: https://stackoverflow.com/questions/62584885/how-to-log-out-using-pkce-authorization-flow
