
CryptoKey with IndexedDB to secure stateless authentication

Çağlar Arlı


Stateless authentication using e.g. JWT can be dangerous, as the tokens are non-revocable and, if they leak, give full access. But they are really flexible.

I'm considering a scenario where the issued JWT is bound to some asymmetric key pair. It could look as below:

  1. An asymmetric key pair (CryptoKey) is stored in the browser in IndexedDB.
  2. The user sends a login request with the hash of the generated public key.
  3. The issued access token has the claim 'proof_of_possession_hash'.
  4. To be authorized, every request from the browser to the resource server must use an Authorization header with the access token and a PoP header, which is a JWT signed by the CryptoKey (with a very short lifetime, just enough to complete ONE request).

The PoP token will contain the claims: iss (access token owner), aud (resource server), method (the HTTP method that will be used at the resource server), jti (so the resource server can occasionally revoke a PoP).

I'm considering whether it has some issues, or whether it has advantages (security advantages) over just session cookies.

What first comes to mind is that cookies are probably sent with every request and are vulnerable to some web attacks. And when they leak, the attacker has full access.

I will use local storage to store access tokens, and IndexedDB to store the CryptoKey. If the private key cannot be exported, is there any way to get unauthorized access to the user account, except the situation where the attacker can access data stored on the user's disk?