How to safely pass the token after authentication for angular application

11

I'm developing an Angular add-in for Outlook - Office 365 for a management application, "Jasmin Software". The application is divided into two parts: the first is a JavaScript application to handle authentication on the OAuth2 server, and the second is the Angular application itself.

Question: how can I securely pass the token returned after authentication to the Angular application, and then make the requests to the application?

My code after getting the response from the server is this:

    function getCallbackResponse(data) {

        // "data" is the query/fragment string returned by the OAuth2 server,
        // e.g. "access_token=...&expires_in=3600"
        var responseParameters = data.split("&");
        var parameterMap = {}; // plain object, not an array, since the keys are strings

        for (var i = 0; i < responseParameters.length; i++) {
            var pair = responseParameters[i].split("=");
            parameterMap[pair[0]] = decodeURIComponent(pair[1] || "");
        }

        if (parameterMap.access_token !== undefined && parameterMap.access_token !== null) {

            var oauth_response = {
                access_token: parameterMap.access_token,
                expires_in: parameterMap.expires_in
            };

            // I'M USING THIS... BUT I DON'T KNOW IF IT'S THE BEST WAY?
            sessionStorage.removeItem('oauth');
            sessionStorage.setItem('oauth', JSON.stringify(oauth_response));

        } else {

            console.log('Problem authenticating');
        }
    }
asked by anonymous 14.03.2018 / 18:06

1 answer

7

The most common approach is what you did: save the token in sessionStorage and then read it from sessionStorage when you need it.

This is as secure as "saving a file on your PC", and only the client that received the token knows that you saved it to sessionStorage.

Another way to do this, which is used in e-mails (for example), is to use a URL with the token: if the server recognizes the token then it is okay; if not, the request is discarded as an error.

If your concern is MitM attacks, then your concern becomes using SSL.

    
02.05.2018 / 17:33
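As an added example (not the asker's or the answerer's code), here is how the callback handling in the question could be tightened up: the `state` parameter is checked against the value sent with the authorization request, the token is stored with an absolute expiry, and the Angular side reads it through one function that refuses expired or tampered entries. `storage` is injected so the code also runs outside a browser; `memoryStorage()` is a constructed stand-in for `window.sessionStorage`, which is what the add-in would pass.

```javascript
// Added example: OAuth2 implicit-flow callback parsing plus a guarded read for the
// Angular HTTP layer. `storage` is any object with getItem/setItem/removeItem.
const TOKEN_KEY = 'oauth';

// Parse "#access_token=...&expires_in=3600&state=..." (leading '#' optional).
function parseCallbackFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const out = {};
  for (const [k, v] of params) out[k] = v;   // URLSearchParams already URL-decodes
  return out;
}

// Validate and persist. Returns the stored record, or null if the callback is rejected.
function storeTokenFromCallback(fragment, expectedState, storage, now = Date.now()) {
  const p = parseCallbackFragment(fragment);
  if (!p.access_token) return null;                     // error response or no token
  if (p.state !== expectedState) return null;           // state mismatch: not our request
  const expiresIn = Number(p.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) return null;
  const record = {
    access_token: p.access_token,
    token_type: p.token_type || 'Bearer',
    expires_at: now + expiresIn * 1000,                 // absolute time, not a relative TTL
  };
  storage.setItem(TOKEN_KEY, JSON.stringify(record));
  return record;
}

// What an Angular HTTP interceptor would call: returns the Authorization header value,
// or null if the token is missing, corrupt or (almost) expired, so the caller re-authenticates.
function authorizationHeader(storage, now = Date.now(), skewMs = 30000) {
  const raw = storage.getItem(TOKEN_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }   // tampered or corrupt entry
  if (typeof rec.expires_at !== 'number' || rec.expires_at - skewMs <= now) {
    storage.removeItem(TOKEN_KEY);                      // drop the expired token
    return null;
  }
  return `${rec.token_type} ${rec.access_token}`;
}

// Constructed in-memory stand-in for sessionStorage (for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); },
           removeItem: (k) => { m.delete(k); } };
}
```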