Security and PKCE
-
I'm curious to know which is the most secure/preferred option. The FusionAuth blog posts often mention using a proxy, but what about PKCE? Doesn't that help secure the auth flow?
-
Hiya,
PKCE is great and should be used if supported. This helps prevent authorization code replay attacks, as recommended here: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#page-6
Using a proxy and storing the access token on the server side rather than in JavaScript solves a different set of security concerns. Because access tokens are typically bearer tokens and are not sender constrained, anyone who gets them has access to whatever they grant access to.
This means that if your JavaScript has access to the token, so does any other JavaScript running on your page. If you are comfortable with that (you've audited all the JavaScript in all the libraries and their dependencies to ensure that there are no security issues), then storing the access token may be OK.
Since that level of comfort with javascript libraries is not typical (do you know what is going on in the dependencies of your dependencies? many folks don't), we recommend one of two approaches:
- store the access token server side, and use the session to tie the client to the access token (what our blog posts typically do)
- store the access token in a secure, HttpOnly cookie, so that it is not accessible to JavaScript but is sent to any APIs. That's more fully fleshed out here: https://fusionauth.io/learn/expert-advice/authentication/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/
Of course, you alone know your security posture and what you're comfortable with, but that's what we recommend.