Is there any security concern if I send the security token, issued from a trusted IdP, to JavaScript?


Is there any problem if I send the identity token, which has been issued from a trusted IdP, to JavaScript code in order to use it when calling a web method with authentication?

Is there any security concern from doing that, whether the token is encrypted or not?

In my case, there is a web application which is asking an IdP to authenticate users. I'm using a WCF web service with Ws2007FederationBinding in order to send the security token. Everything is fine when I call the service from the server, but now how can I consume it from the client side using JavaScript as well?


Ws2007FederationBinding is a SOAP binding with a SAML security token in the envelope. It will be very difficult to call a service with this binding from JavaScript.

This binding requires the client to talk to an STS to get the SAML token and prove it was the requester of that token (holder-of-key) to the service (relying party). This involves cryptographic operations that are hard to do in JavaScript.

The 'best' way to solve this issue is to create RESTful proxy services that your JavaScript layer talks to and have this REST service talk to the SOAP backend services. You should secure the REST services with a bearer token (JWT) and exchange it for a SAML token before you call your SOAP service.

You can use the JWT token handler class in .NET for the translation between JWT and SAML.


I'm not familiar with Ws2007FederationBinding. Considering that you need to do calls from the client side, I don't see a problem with embedding that token in the client.

I believe that's the same as when you need to use an external API and you have some kind of "auth" token associated with your service.