FHIR Chat · Security considerations for apps with a server component · smart

Stream: smart

Topic: Security considerations for apps with a server component


adam strickland (Mar 25 2022 at 21:31):

I'm wondering if we should add more guidance to this best practices section on choosing an app architecture (public vs confidential).

My main concern is when an app that has both server and client components uses the public app profile, and specifically when they make their token endpoint request from their client-side.

For this discussion, I'm assuming the app has a server-component for a reason, and is looking to secure access to it through a SMART app launch.

adam strickland (Mar 25 2022 at 21:31):

Broadly, I think there are 2 ways a server-based app COULD use the SMART spec.

adam strickland (Mar 25 2022 at 21:33):

A. Server-Side Token Request:

  1. The client-side component sends the authorization code to its server-side
  2. The server-side component redeems the authorization code from the authz server
  3. The authz server grants access (or not) to the server-side
  4. The server-side component completes the initial request, granting a session token to the client-side
    [diagram: oauth-session-Server-Good.drawio.png]

adam strickland (Mar 25 2022 at 21:33):

B. Client-Side Token Request:

  1. The client side redeems the authorization code from the authz server
  2. The authz server grants access (or not) to the client-side
  3. The client-side uses the output of the grant in some request to the server-side
  4. The server-side grants a session token to the client-side based on that request
    [diagram: oauth-session-Server-Bad.drawio.png]

adam strickland (Mar 25 2022 at 21:33):

Is the second method fundamentally insecure? Are there any RFCs/OWASP best practices we could link out to? At the very least I think we should link out to the OWASP session management cheat sheet, since at some point a server-side app will need to secure its client-side.

adam strickland (Mar 25 2022 at 21:33):

Wanted to note that I still think it's OK to send access tokens up to your client-side from the server, but that should be secured by having a session token in the first place.

Josh Mandel (Mar 25 2022 at 23:15):

It would help to lay out some of the specific threats you are concerned about. Certainly in some situations it is fine to have an access token present in your client. The circumstances you're talking about in terms of session management in your second scenario seem very specific; I'm not sure we would have useful things to say but pointing to OWASP best practices sounds fine.


Last updated: Apr 12 2022 at 19:14 UTC