AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

adal.js cacheLocation does not support cookieStorage #792

Closed ghost closed 5 years ago

ghost commented 6 years ago

Dear Team,

I am doing a security validation for a single page application. The application uses Azure's recommended ADAL library to authenticate against an Azure AD.

As the IdToken provided by Azure is stored in either localStorage or sessionStorage, it can be intercepted by Cross Site Scripting. To my knowledge cookieStorage seems to be the best of the bad options to store the IdToken for a single page application. See Where to Store JWT & HTML5 Security Cheat Sheet

But in Microsoft's library cookieStorage is not supported. See /doc/adal.js

Is there any reason for this? Or can you recommend a workaround?

I am looking forward to your response.

Best, erosinger

nehaagrawal commented 5 years ago

@erosinger Whether we store our JWT in local/session storage or in a non-http-only cookie, both can be grabbed easily by XSS. Cookies are also vulnerable to cross-site request forgery (CSRF). There is also an issue with the max size of the cookie, which could be problematic if we have many claims attached to the token.
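To make the cookie-size point above concrete, here is an added example (not code from adal.js or from this thread) that builds a JWT-shaped string from constructed claims and checks whether a Set-Cookie carrying it would stay under the commonly enforced 4096-byte per-cookie limit. The client id, tenant, object id and group GUIDs are constructed placeholders, and the signature is an unsigned length placeholder.

```javascript
// Added example: estimate whether an ID token with many claims fits in one
// browser cookie. Assumption: a 4096-byte per-cookie limit covering the
// name, value and attributes, which is what common browsers enforce.
const COOKIE_LIMIT_BYTES = 4096;

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build a JWT-shaped string header.payload.signature. The signature is a
// constructed placeholder of realistic length (an RS256 signature over a
// 2048-bit key is 256 bytes, about 342 base64url characters); nothing here
// is cryptographically signed.
function buildToken(claims) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signaturePlaceholder = 'x'.repeat(342);
  return `${base64url(header)}.${base64url(claims)}.${signaturePlaceholder}`;
}

// Size the complete cookie (name, value and attributes) against the limit.
function cookieFit(name, token, attributes = 'Path=/; Secure; HttpOnly; SameSite=Lax') {
  const cookie = `${name}=${token}; ${attributes}`;
  const bytes = Buffer.byteLength(cookie, 'utf8');
  return { bytes, fits: bytes <= COOKIE_LIMIT_BYTES };
}

// Constructed claims resembling an Azure AD ID token, plus an optional
// 'groups' claim with groupCount GUID-like entries (constructed, not real).
function sampleClaims(groupCount) {
  const claims = {
    aud: 'constructed-client-id',
    iss: 'https://sts.windows.net/constructed-tenant/',
    iat: 1500000000, nbf: 1500000000, exp: 1500003600,
    name: 'Example User', oid: 'constructed-object-id',
    upn: 'user@example.com', ver: '1.0',
  };
  if (groupCount > 0) {
    claims.groups = Array.from({ length: groupCount }, (_, i) =>
      `00000000-0000-0000-0000-${String(i).padStart(12, '0')}`);
  }
  return claims;
}

// Example: a token with no group claims fits; one with 100 groups does not.
const small = cookieFit('adal.idtoken', buildToken(sampleClaims(0)));
const large = cookieFit('adal.idtoken', buildToken(sampleClaims(100)));
console.log(small, large);
```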

nehaagrawal commented 5 years ago

@erosinger I am closing this issue for now. If you still have questions, please feel free to reopen this issue.

Enosinger commented 5 years ago

@nehaagrawal Thanks for replying here. Your arguments sound good and we do not need to keep this open, if it has been thought about. Best, erosinger