Given:
Asp MVC Core Client
JavaScript client hosted by ASP MVC Core
Asp Web Api
All are authenticating with IdentityServer
Problem
For a normal user the auth is done with asp core and the oidc client. I use the access token in asp core to access the api.
Now a javascript function wants to access the an authorized api and needs for this the access_token.
What is the best practice to have it in javascript
I see primarily two option
1.) I make a "silent" auth in javascript with a oidc client . (Feels like duplicate work)
2.) I store the access_token in a cookie where javascript could pick it up ( pot. unsecured)
3.) (Feels like a smell) Making an authorized endpoint like /me/token returning the access_token
What is the intended way in this scenario ?
You could render on an MVC view a script tag which configures your AJAX headers so you can add the authorization header with the access_token you have in MVC.
Tokens are secure due the facted they are signed so you can change them without knowing the key to sign and limited in time. Also tokens need to be verified before you should use them.
Related
I have a web application that is a single page Javascript (ReactJS) application with a .NET Core backend. I want to add Active Directory authentication and the Azure portal gives several choices, most noticeably signing in with Javascript or .NET Core.
In my situation, which should I choose and why?
My .NET Core code contacts the Azure IoT Hub, if that's any help to decide which way to go.
In my opinion , you should create a Login controller in your Dot net core solution where you should write your authentication and authorization feature. Here is how the complete flow would look like:
Create a new controller with an attribute ,call it LoginController, with login and other functionality . Protect it with Azure AD ( you will find many sources for the same)
Create a React app , which would internally raise a Fetch request to your controller for authentication.
Once the above request is completed successfully, store the JWT base token in session storage or in cookies.
Use the stored JWT token , for all you consecutive call
Please check below link for additional reference:
Active Directory Authentication with .NET Core Web API and React
Authentication in .net Core with ReactJS SPA
Hope it helps.
I'll put them in context first.
I am developing a Rest API using laravel and as an oauth2 authorization method using Laravel Passport as an implementation.
On the other hand I am developing a Javascript client (Single Page Application or SPA) that will consume the API Rest.
The situation is as follows:
Some API Rest endpoints must always be accessible by the client (a valid client since the API is not public) and other endpoints must only be accessible by the client when a user is logged in.
In a first approach what has been proposed is that when the SPA is initially opened in the browser, you get a Client Credential Grant Token so that it is a valid client and can make requests to the "Basic" endpoints of the API. Later, when a user logs in, a Personal Access Token will be generated which will allow the client to make requests to all endpoints of the API Rest.
I'm a little confused as to how to put this into practice.
I hope, please, you can help me.
I have two web applications (prototype) hosted on two sub-domains, example:
1) A CMS (done in PHP) at cms.mydomain.com.
2) A SPA - Singe page web application (done in JavaScript) at spa.mydomain.com.
My User case:
User can access CMS app and authenticate using Username and Password.
After authentication is successfully completed a web page with some items is presented on CMS app.
User can select an item and than open on a new window with SPA application.
At the moment, after authentication is completed in CMS app a Bearer Token is created, we are passing the TOKEN to the SPA app as query string in order to authenticate the User.
SPA app JavaScript retrieves the query string and other additional parameters and execute API call in order to function.
Notes:
We are using HTTPS on both applications.
SPA application can be accessed only after authentication in CMS.
SPA application which receive the token is on an .HTML file and API calls are made using JS only.
Bearer Token has validity of 14 days.
The token give full access to SPA application.
The token could be passed from CMD to SPA using also JS.
Tokens are generated by a third application api.mysite.com.
I am aware that TOKEN in query strings could be unsecured because:
URLs with their query strings parameters are saved in web server log, and access to them could compromise security.
Third party application like Google Analytic could store in their report such URLs and query string.
I would like to know your opinion on:
What could be a safe way to pass the token from CMS to APP without using query string?
I am thinking if Window.postMessage() could be used in CMS to send the token as message to SPA. Do you see any security issue with this approach?
What other risk I could encounter if using query strings (I need to convince my team query string is not a good approach - if true :) )?
Could you point me out some additional resource or guidelines?
Thanks for your time.
You could perhaps create a one-time access token to the SPA rather than sending the original bearer token as the query string.
This token could then be sent to the API, decoded and used to create the real auth token, but would have the advantage of only being valid once. Now you no longer need to worry about server logs, GA, etc. I suppose it's a form of redirection to alleviate those concerns.
I am building an MEAN JS application,I want to protect my application clientId and client secret in clientside angularjs application.Where can I store these details.How to provide security for this?
For user login I have to provide these and need to get access token...new to this help me..
Keeping client_secret at client side, you basically ruin the whole idea behind it.
So, say, Google asks client side apps to make an additional verifying call Google OAuth docs.
If you are able to make a request from server-side, after receiving token from oauth provider pass it to server side and send token and client_secret to receive user's data.
Actually, this is much more similar to Google's hybrid auth, which is considered to be more secure than common oauth
Assume you have 2 servers on 2 separate sub-domains called client.example.com and server.example.com, is it possible to authenticate a user using only client side-javascript on client.example.com (no server-side component) and only server-side code (restful json api only)?
A good practical example of this would be to create a client-side only twitter component that does things like post tweets which require authentication. (Right now twitter will open another window which uses their domain for the browser to send the appropriate cookies with the session_id, but assuming we can change that).