Scenario
Suppose a hacker using a single page webapp https://example.com?secure=maybe has authenticated and obtained a OpenID Connect token that is used to access micro services.
The hacker manages to fish these credentials out of the application. (Follow up question on that here)
The hacker creates another application running on localhost that loads the credentials obtained. The hacker also points localhost to https://example.com in /etc/hosts such that now opening the address https://example.com runs the hackers web application instead of the real one.
Question
Can the hackers application now use the OpenID Connect token to access the same microservices that the original application uses it for?
The obvious answer seems like no because https://example.com still resolves to the localhost ip address, and that's the only address that the browser knows to talk to, but just wanted to make sure that's the case by asking...
You can and perhaps should use the Authorization Code Grant with SPA apps along with the (Since there is no client Secret) Proof Key for Code Exchange by OAuth Public Clients.
来源:https://stackoverflow.com/questions/49725020/what-secures-access-credentials-inside-a-single-page-webapp-spa