Client-side Javascript Authentication Scheme - javascript

Assume you have 2 servers on 2 separate sub-domains called client.example.com and server.example.com, is it possible to authenticate a user using only client side-javascript on client.example.com (no server-side component) and only server-side code (restful json api only)?
A good practical example of this would be to create a client-side only twitter component that does things like post tweets which require authentication. (Right now twitter will open another window which uses their domain for the browser to send the appropriate cookies with the session_id, but assuming we can change that).

Related

Share token between different domains

I'm looking a way to securely share a token between one webapp with the front-end of a second webapp.
Environment details:
webapp.local: A PHP webapp that stories some data that are restricted to specific users. This webapp is accessible by VPN only.
otherwebapp.example: This is a Zendesk instance, it allows us to create a plugin (HTML + JavaScript) that is loaded on the client-side.
Notes:
webapp.local and otherwebapp.example use different domains (they aren't sub-domain).
otherwebapp.example is not able to access the webapp.local. But the front-end will be able (the user are connected to the VPN).
I did some research, and found some options:
HTTP Coockies: the "SameSite" need to be "None" (reference), is it a secure option? I did some tests and seems that they need to be on the same sub-domain.
JS postMessage: It will need to open a popup or a iframe, I did some tests but still trying to make it works.
The question is:
Is there a best practice or another way to share a sensitive data (token) between a webapp and a front-end located on other domain/app?
I think there is not a fully secure way to do it because you want to handle the share on the client side and that will be always exposed, though you can take a different approach like share a request token via GET param to the second webapp and there call a validation API that validates the origin of the request (should be restricted to the second webapp domain) and also validate the passed token and then return the actual session token.

Best security practices for OAuth 2 authentication in a Javascript application

I've a REST API, with an OAuth 2 authentication mechanism (FOSOAuthServerBundle on a Symfony 3 application).
To get/refresh a token, the URL look like : https://api.example.com/oauth/v2/token?grant_type=[password|refresh_token]&client_id=[client_id]&client_secret=[client_secret]&username=[username]&password=[password]
This works great on server-to-server calls, but can't be applied on Javascript apps.
How can implement API Oauth 2 authentication from a front application ? (JWT is not present on the server).
In the context you described, the best option (if not able to change the api) is to create a thin proxy to add another layer of protection to your token.
Given you are probably a javascript developer, you can easily use AWS API Gateway + Lambda to create that without needing a server.
A server dies every time someone implements OAuth in a single page is
web-app. Stop the genocide! Use a server side proxy! Act now!
— Alex Bilbie (#alexbilbie) (https://github.com/alexbilbie/alexbilbie.github.com/blob/master/_posts/2014-11-11-oauth-and-javascript.md)

IdentityServer Authentication AspCore and Angular Client bestpractice

Given:
Asp MVC Core Client
JavaScript client hosted by ASP MVC Core
Asp Web Api
All are authenticating with IdentityServer
Problem
For a normal user the auth is done with asp core and the oidc client. I use the access token in asp core to access the api.
Now a javascript function wants to access the an authorized api and needs for this the access_token.
What is the best practice to have it in javascript
I see primarily two option
1.) I make a "silent" auth in javascript with a oidc client . (Feels like duplicate work)
2.) I store the access_token in a cookie where javascript could pick it up ( pot. unsecured)
3.) (Feels like a smell) Making an authorized endpoint like /me/token returning the access_token
What is the intended way in this scenario ?
You could render on an MVC view a script tag which configures your AJAX headers so you can add the authorization header with the access_token you have in MVC.
Tokens are secure due the facted they are signed so you can change them without knowing the key to sign and limited in time. Also tokens need to be verified before you should use them.

Access the force.com REST API with a pure Javascript page

I want to develop a front-end in Javascript (possibly with one of the fancy frameworks around such as AngularJS) that consumes the REST API of my Salesforce org.
I don't want to embed my project in Salesforce technologies, so basically
no Visualforce pages
no Force.com Sites
I do want to write my own front-end on a separate server that just makes AJAX calls to the Salesforce back-end.
In addition, I want the application to be accessible for any user, even if he/she does not have a Salesforce account. So the AJAX calls should not require that the user logs in on Salesforce. I want anonymous users to be able to retrieve public data from my organization and create new entries when it is useful (in the case of a survey for instance).
Even though these requirements generate some security concerns, I can imagine that Salesforce takes care about the requests rate limits on their API endpoints and that it is possible to restrict the access to the API on a host name base (e.g., only requests with origin host my-trusted-domain.com should be allowed, send a 403-Forbidden otherwise). I would be surprised if SF does not provide such basic features.
How would you proceed? Is there a minimal Javascript code that works out-of-the-box on any domain without getting into troubles with CORS?
All REST API calls to Salesforce must be authenticated. If you want anonymous API access then you will need to proxy authenticated calls through a server (like on Heroku) that adds the auth token. Or you can use Heroku Connect to expose your Salesforce data to a Heroku app as a Postrgres database.
If you go the REST route then checkout the ForceServer and my CORS Proxy for Salesforce. Both are not setup out-of-the-box for the anonymous access you are looking for but could easily be tweaked to support that use case.
BTW: When allowing anonymous access to your Salesforce data through a proxy make sure you are dealing correctly with security and request limits.

Pure Javascript Front-end connecting to a BaaS (Can it be done?)

I am quite determined to do a pure Javascript front-end (Using JS and GWT) connecting to a back-end using Ajax on a separate server. My concern is with security.
What could be a solution for a Pure Front-end application?
For example, a user-generated content site:
When we look at it at a perspective of an app that to gain access to it it needs to ask user to login, so here Oauth can take over. The app is authenticated properly and access to any content is based on the authorization given.
The problem is here: For an application that can allow anonymous users to view user generated content without logging in thus there is no chance for Oauth to take place.
Connecting to a BaaS:
There will be no Java middleware to store application key for Baas access (e.g. Kinvey etc.)
Even if obfuscated the application key can easily be snooped from the HTTP requests.
What could be a solution for a Pure Javascript front-end to connect to a BaaS or independent backend? In terms of securing application keys? Where Baas or independent backend can know if it is to serve data to the requesting client (even its a web app) since its not from the same domain.

Categories