
  • I have a SPA application in JavaScript
  • A Web API service (.NET)
  • A token service in the same project (.NET)

Problem 1

The SPA application makes an AJAX request to the token endpoint using grant_type=password. In return it gets back a token that is saved in localStorage and later used for authenticating to the Web API.
  1. Is this the correct approach for SPA authentication?
  2. Is the password grant type the correct approach, or do I need to use some other flow to make it secure? In the OAuth documents it is written that it should not be used.
  3. I am concerned about the security of the token as it can just be copied and pasted. How do I secure it?

Problem 2: Custom SSO with token service

Now I have another application using the same architecture, like applications A and B. I want to use the token service of application A to issue a token to application B to log into application B.

The token issued by A to application B can be decrypted and I can create a user identity. Now how can we log in to application B, as it also follows a token-based approach? So here should I log in to application B by creating a new local access token, issued by B itself, using the information from the token issued by application A?

harmeet

2 Answers

  1. Is this the correct approach for SPA authentication?
  2. Is the password grant type the correct approach, or do I need to use some other flow to make it secure? In the OAuth documents it is written that it should not be used.

Using the resource owner password credentials grant is fine when developing your own application but defeats the whole purpose of OAuth2 when using it with third-party client applications, as it's the only flow where the user password is directly exposed to the client application (which breaks the principle of least privilege).

You may consider using the authorization code or the implicit flow instead, but it's not necessarily "more secure" and is often considered overkill by people looking for a simple "token alternative" to password authentication.

  3. I am concerned about the security of the token as it can just be copied and pasted. How do I secure it?

Since you're developing a JS app, bearer tokens are directly accessible by the user. There's nothing you can do about that (it's similar to the security level of cookies, that can be easily copied and moved to a different environment by the user himself).

To protect access/refresh tokens against remote attackers, all you can do is make sure your JS app is not impacted by an XSS breach, which would allow stealing them or making malicious API calls on behalf of the user.


  So here should I log in to application B by creating a new local access token, issued by B itself, using the information from the token issued by application A?

SSO won't really work with non-interactive flows like the resource owner password credentials grant, as the user is not logged in to the authorization server in this flow (i.e. no session cookie is created when making a grant_type=password request).

You should consider setting up a central authorization/authentication server supporting an interactive flow like the authorization code or the implicit flow to support this scenario.

Kévin Chalet
  • Thanks a lot, Pinpoint. I appreciate that you helped on this – harmeet May 07 '16 at 17:13
  • When I log in to the authentication server I want to log in to all the applications at the same time, like applications A, B and C. On login I want to fetch data from all the applications and show it in application A. Any hint on how I can achieve this using OAuth or OpenID? – harmeet May 07 '16 at 19:35

The OAuth2 protocol knows 4 "flows":

  • Client credentials
  • Resource owner
  • Implicit
  • Authorization code

The client credentials flow and the resource owner flow are valid to use in a machine 2 machine context. Like a daemon service, for example. Do not use these in a web context!

The implicit flow and the authorization code flow are human 2 machine flows. Like Kevin mentioned in the other post: The end-user is supposed to enter his credentials on the OIDC server/site, not on your site.

The implicit flow is considered not to be secure in a web context anymore.

To answer the question: Use the Authorization Code flow with PKCE to authenticate webapps. What this is, is explained in more detail here: https://bff.gocloudnative.org/concepts/what-is-pkce/.

Important to realise is that when you are using an OAuth2/OIDC server, the user is not logging in to your app. Instead the user is logging in to the OIDC/OAuth2 server and has a session there. This concept is called SSO.

This means that, when implemented correctly, when you have an unauthenticated user who navigates to app 1, "logs in there", and then navigates to app 2, the user is automatically logged in there too.

This works because, when you implement the authorization code flow, to log the user in he must navigate to https://youridp.example/authorize?xyz. The user sees a login form here. When the user logs in, a cookie will be set on this domain. That's how your identity provider knows the user has logged in. Next, the identity provider redirects the user's browser back to your site and issues a token which you can use to access resources.

Now, when the user navigates to the second site, here too, the application will redirect to https://youridp.example/authorize?xyz. The identity provider will see a cookie has been set, so redirects automatically to the other site without showing a login form. That's how the other site obtains a token.

Unfortunately, using authorization code with PKCE in the front-end is not considered secure anymore. (Read this article, for example: https://medium.com/p/490545665125.) Instead, you should consider implementing the BFF Security Pattern. Read how to implement it here: https://bff.gocloudnative.org/integration-manuals/quickstarts/identityserver4/quickstart/ and find a working example here: https://github.com/thecloudnativewebapp/GoCloudNative.Bff/tree/main/docs/demos.

Hope this helps!

Clark Kent