Presenting authentication properties to the user or not? #467
Hi,

When talking about SPAs, we need the BFF pattern to prevent storing secrets in the browser (one of the reasons). If we store secrets in the browser and someone succeeds with XSS / JavaScript injection, they can "steal" an access token, for example.

If we talk about any OIDC-protected web application, SPA or not, is it bad to present authentication properties to the user? I mean, if we present sensitive information to the user and someone has succeeded with JS injection, they can steal secrets by searching the HTML DOM.

So in a production system, which authentication properties is it OK to present to the user? Or should I not present any authentication properties at all? What I mean is: is code like this https://github.com/DuendeSoftware/demo.duendesoftware.com/blob/main/src/Pages/Diagnostics/Index.cshtml#L39 OK in a production system or not?

Regards,
Hans
Replies: 2 comments
Short answer: probably not. While some of the authentication properties can be harmless, it is data belonging to the current user's session and exposing it could be dangerous, especially when the properties contain tokens or session identifiers. If you look at our UI template code for the Diagnostics page there, you'll notice that we only show the page if you visit the /diagnostics URL from localhost (or if you're local to the server hosting Duende IdentityServer).
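As an added example (not the Duende template's own code, and not part of the reply above), here is how the two safeguards mentioned in the answer can be implemented in an ASP.NET Core Razor PageModel: the page returns 404 unless the request arrives from loopback or from the server's own address, and, even then, the values of authentication properties that hold tokens or session identifiers are masked before they reach the HTML. The `DemoApp.Pages.Diagnostics` namespace, the `Rows` property and the key lists are assumptions for illustration; the `.Token.` key prefix is the one ASP.NET Core's `StoreTokens` uses when it saves OIDC tokens into `AuthenticationProperties.Items`.

```csharp
// Added example, not code from the Duende IdentityServer templates.
// Namespace, Rows, and the secret-key lists are assumed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace DemoApp.Pages.Diagnostics
{
    public class IndexModel : PageModel
    {
        // Rows the Razor view renders: property key and (possibly masked) value.
        public IReadOnlyList<(string Key, string Value)> Rows { get; private set; }
            = Array.Empty<(string, string)>();

        public async Task<IActionResult> OnGetAsync()
        {
            // Remote clients get a 404, so the page's existence is not advertised.
            if (!IsLocalRequest(HttpContext))
            {
                return NotFound();
            }

            var result = await HttpContext.AuthenticateAsync();
            if (!result.Succeeded || result.Properties == null)
            {
                return Page();
            }

            Rows = Redact(result.Properties.Items);
            return Page();
        }

        // Local means loopback, or the same address the server itself is bound to.
        internal static bool IsLocalRequest(HttpContext ctx)
        {
            var remote = ctx.Connection.RemoteIpAddress;
            if (remote == null)
            {
                return false; // no peer address (e.g. in-memory test host): treat as remote
            }
            if (IPAddress.IsLoopback(remote))
            {
                return true;
            }
            var local = ctx.Connection.LocalIpAddress;
            return local != null && remote.Equals(local);
        }

        // ".Token.*" entries are the stored OIDC tokens; a couple of them are harmless metadata.
        internal static readonly string[] SecretKeyPrefixes = { ".Token." };
        internal static readonly string[] NonSecretTokenKeys = { ".Token.token_type", ".Token.expires_at" };
        internal static readonly string[] SecretKeys = { "session_id", "sid" };

        internal static IReadOnlyList<(string Key, string Value)> Redact(
            IDictionary<string, string?> items)
        {
            return items
                .OrderBy(kv => kv.Key, StringComparer.Ordinal)
                .Select(kv => (kv.Key, IsSecret(kv.Key) ? Mask(kv.Value) : kv.Value ?? string.Empty))
                .ToList();
        }

        private static bool IsSecret(string key)
        {
            if (NonSecretTokenKeys.Contains(key, StringComparer.Ordinal))
            {
                return false;
            }
            return SecretKeyPrefixes.Any(p => key.StartsWith(p, StringComparison.Ordinal))
                || SecretKeys.Contains(key, StringComparer.OrdinalIgnoreCase);
        }

        // Show only that a value exists and how long it is, never the value itself.
        private static string Mask(string? value)
            => string.IsNullOrEmpty(value) ? string.Empty : $"<redacted, {value.Length} chars>";
    }
}
```

Two caveats when adopting this. First, `RemoteIpAddress` is the address of the TCP peer: behind a reverse proxy running on the same host, every request looks local unless forwarded-headers middleware is configured, and with it configured the check trusts whatever the proxy forwards. Second, masking in the model is what keeps a token out of the DOM; a check that only hides the page from remote users still leaks the token to any script injected while a local user views it, so both safeguards belong together.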
Thank you very much Wesley. I am satisfied with your answer and it's good to know that I wasn't off track.

Regards,
Hans