This project implements a secure OAuth2 Authorization Code client by using a Service Worker.
In case of a successful XSS, with any security implementation (traditional session, OAuth2 with BFF, OAuth2 with Local/Session storage), it should be assumed that the application has been completely compromised: any call to a backend API from the injected code will be authenticated with the credentials of the compromised user, be it with a cookie (which isn't inherently safe, see below) or a token.
As such, defending against XSS (and CSRF where it applies) is where most of the focus should be.
Still, some requirements make it important to protect credentials even in case of XSS. This project therefore aims to offer a good degree of protection against credential theft.
Service workers offer additional advantages when compared to other solutions:
- They are not vulnerable to theft of authorization codes.
- Which in turn makes them not vulnerable to theft of session identifiers (tokens or cookies).
Otherwise, access tokens (and ID tokens, or, worse, refresh tokens) can be read by injected code and sent back to the attacker.
As such, if security beyond a successful XSS is important, a secure flow involving service workers can be considered.
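As an added illustration (not the project's own code), the core of such a worker: the authorization code is consumed from the callback redirect inside the worker, the tokens stay in worker memory, and the bearer token is attached only to requests for the API origin. The origins, paths, client id and token response shape are assumptions made for this example.

```javascript
// Added example, not the project's own code: the core of a Service Worker
// OAuth2 Authorization Code client. Origins, paths, client id and the token
// response shape are assumptions made for this illustration.
const APP_ORIGIN = 'https://app.example.test';
const API_ORIGIN = 'https://api.example.test';
const TOKEN_ENDPOINT = 'https://auth.example.test/oauth/token';
const CALLBACK_PATH = '/callback';
const CLIENT_ID = 'spa-client';
// Tokens and the pending login state live only in worker memory: page scripts,
// injected ones included, cannot reach them via window, Web Storage or cookies.
const vault = { accessToken: null, refreshToken: null, pendingState: null };
function startLogin(state) { vault.pendingState = state; }
// Decide what the worker does with a request. API calls get the bearer token;
// any Authorization header the page supplied is dropped first.
function route(url, headers = {}) {
  const u = new URL(url);
  if (u.origin === APP_ORIGIN && u.pathname === CALLBACK_PATH) return { action: 'callback' };
  const h = Object.fromEntries(Object.entries(headers).filter(([k]) => k.toLowerCase() !== 'authorization'));
  if (u.origin === API_ORIGIN && vault.accessToken) h.Authorization = `Bearer ${vault.accessToken}`;
  return { action: 'forward', headers: h };
}
// Consume the redirect from the authorization server inside the worker: the
// code is exchanged here and the page only ever sees a redirect to "/".
async function handleCallback(url, fetchImpl) {
  const p = new URL(url).searchParams;
  const code = p.get('code'), state = p.get('state');
  if (!code || !state || state !== vault.pendingState) return { status: 400, headers: {}, body: 'bad callback' };
  vault.pendingState = null; // state is single use
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'authorization_code', code, client_id: CLIENT_ID }).toString(),
  });
  if (!res.ok) return { status: 502, headers: {}, body: 'token exchange failed' };
  const t = await res.json();
  vault.accessToken = t.access_token;
  vault.refreshToken = t.refresh_token || null;
  return { status: 302, headers: { Location: '/' }, body: '' };
}
// Wire the handler to the fetch event when running inside a real worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    const r = route(req.url, Object.fromEntries(req.headers));
    if (r.action === 'callback') {
      event.respondWith(handleCallback(req.url, fetch).then((d) => new Response(d.body, d)));
    } else if (new URL(req.url).origin === API_ORIGIN) {
      event.respondWith(fetch(new Request(req, { headers: r.headers })));
    }
  });
}
```

Requests for any other origin are left untouched, so the token is never attached to them.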