Question

Is there any problem if I sent the identity token, which has been issued from a trusted IdP, to JavaScript code in order to use it in an Ajax call to a web method with authentication?

Is there any security concern from doing that, whether the token is encrypted or not?

In my case, there is a web application which is asking an IdP to authenticate users. I'm using a WCF web service with Ws2007FederationBinding in order to send the security token. Everything is fine when I call the service from the server, but now how can I consume it from the client side using JavaScript as well?

Explanation / Answer

I see two possible attack vectors.

eavesdropping
cross site scripting vulnerabilities in your web application

When the token isn't transmitted via HTTPS, it can be intercepted and used by an eavesdropper. To prevent this, enforce HTTPS for all communication.

When the HTML document includes any data from a third party, you need to be wary of XSS injections. When an attacker is able to smuggle JavaScript code into the page which is executed, it can access any data in any JavaScript application embedded in that HTML document and send it to any other website. To prevent this from happening, make sure that all your web applications sanitize any user-provided strings properly. You might also want to inform your users that your website does not have any hidden features which can be unlocked by entering some cryptic codes into the developer console.

Also keep in mind that you cannot prevent the user from finding out about their own token. When you need to protect the token from being discovered by the user it is issued to, you will need to find a different solution.
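The two mitigations in the answer (send the token only over HTTPS, and escape user-provided strings before they reach the DOM) as an added client-side example; this is not code from the question or answer, and the web method URL and the bearer-token header format are assumptions.

```javascript
// Added example: client-side handling of an identity token for an Ajax call.
// The endpoint below is a hypothetical web method, not one from the original post.
const WEB_METHOD_URL = "https://example.test/Service.svc/GetData";

// Build the request options for the authenticated Ajax call. The token is only
// ever attached to an HTTPS request, so it cannot be read by an eavesdropper on
// the wire, and it goes in a header rather than the query string so it does not
// end up in server access logs, browser history or Referer headers.
function buildAuthenticatedRequest(url, token, payload) {
  const target = new URL(url);
  if (target.protocol !== "https:") {
    throw new Error("refusing to send the identity token over " + target.protocol);
  }
  return {
    url: target.href,
    options: {
      method: "POST",
      headers: {
        // Assumed header format; adjust to whatever the web method expects.
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(payload === undefined ? {} : payload),
    },
  };
}

// Escape a user-provided (or third-party) string before inserting it into HTML,
// so that injected markup such as <script> or an onerror handler is rendered as
// text instead of being executed with access to the token.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Perform the call. Not invoked at load time; wire it to a UI action.
async function callWebMethod(token, payload) {
  const req = buildAuthenticatedRequest(WEB_METHOD_URL, token, payload);
  const response = await fetch(req.url, req.options);
  if (!response.ok) {
    throw new Error("web method returned HTTP " + response.status);
  }
  return response.json();
}
```

When rendering a response, prefer `element.textContent = value` over `innerHTML`; `escapeHtml` is for the cases where a string must be concatenated into markup.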
