Angular-oauth2-oidc: Easy tampering with 'id_token_claims_obj' json data

Created on 31 May 2018 · 2 Comments · Source: manfredsteyer/angular-oauth2-oidc

When you, for example, have a role claim that your Angular application relies on to show/hide stuff, it is currently possible to just tamper with the id_token_claims_obj in localStorage (or whatever storage you're using) by adjusting the JSON string.

It might be a good idea to let getIdentityClaims() method always parse the IdToken for its data.

What do you think?
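As an added illustration (not code from the angular-oauth2-oidc project), the following JavaScript takes the id_token payload as the source of truth for identity claims and reports cached id_token_claims_obj entries that disagree with it; it assumes a Web-Storage-style getItem and the storage key name 'id_token', and it only decodes the token without verifying its signature.

```javascript
// Added example (not project code): treat the id_token payload as the source of
// truth and flag cached 'id_token_claims_obj' entries that disagree. It decodes but
// does NOT verify the signature, so it only catches edits to the cached copy;
// real authorization checks still belong on the server.
function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== 'undefined'
    ? Buffer.from(padded, 'base64').toString('utf8')
    : atob(padded);
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64') : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function claimsFromIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// What a hardened getIdentityClaims() could do: parse the token every call and
// report which cached keys differ from it. Storage key names are assumptions.
function getIdentityClaims(storage) {
  const idToken = storage.getItem('id_token');
  if (!idToken) return { claims: null, tamperedKeys: [] };
  const claims = claimsFromIdToken(idToken);
  const cached = JSON.parse(storage.getItem('id_token_claims_obj') || '{}');
  const keys = new Set([...Object.keys(claims), ...Object.keys(cached)]);
  const tamperedKeys = [...keys].filter(
    (k) => JSON.stringify(cached[k]) !== JSON.stringify(claims[k]));
  return { claims, tamperedKeys };
}

// Constructed sample: token payload says role=user (dummy signature, never
// validated here), while the cached JSON has been edited to role=admin.
const samplePayload = { sub: 'user-123', role: 'user', exp: 1900000000 };
const sampleIdToken = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(samplePayload)), 'dummy-signature'].join('.');
const sampleStorage = new Map([
  ['id_token', sampleIdToken],
  ['id_token_claims_obj', JSON.stringify({ ...samplePayload, role: 'admin' })]]);
// Minimal Web Storage look-alike so the example runs without a browser.
const storageLike = { getItem: (k) => sampleStorage.get(k) ?? null };
```

Running getIdentityClaims(storageLike) returns role 'user' from the token and lists 'role' as the tampered cached key.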

All 2 comments

In a browser-based SPA, showing/hiding stuff can IMHO never be about security. It's about usability b/c everyone can tamper with everything, even the source code. The real security should happen on the server side.

I agree on securing the server side as well, but that's not a reason to make it easier for a user to tamper with data in the browser by storing a token as readable JSON. It's not for nothing that an issuer sends back a token and not a human-readable JSON object.
