Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways

Manfred Steyer
PRO
July 03, 2023
Programming
0
720

Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways

Manfred Steyer
PRO

July 03, 2023
Tweet

More Decks by Manfred Steyer

See All by Manfred Steyer
Successful with Signals: 3 Effective Rules @FrankenJS
manfredsteyer
PRO
0
110
The New NGRX Signal Store for Angular 3+n Flavors @enterJS 2014 in Darmstadt
manfredsteyer
PRO
0
90
Native Federation: The Future of Micro Frontends in Angular
manfredsteyer
PRO
0
170
The New NGRX Signal Store for Angular: 3+n Flavors of the Signal Store
manfredsteyer
PRO
0
75
Micro Frontends with Modern Angular and Island Architectures @ijs London 2024
manfredsteyer
PRO
0
110
Modern State Management in Angular: 3+n Flavors of the Signal Store @ijs London 2024
manfredsteyer
PRO
0
95
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
260
Migrating to Signals: A Practical Workshop
manfredsteyer
PRO
0
450
Micro Frontends with Web Standards
manfredsteyer
PRO
1
330

Other Decks in Programming

See All in Programming
freeeのエンジニアが 就活で出そうな コーディングテストを 解説してみる
freee
1
170
Exploring Type-Informed Lint Rules in Rust based TypeScript Linters
unvalley
3
650
How to implement a RubyVM with PHP?
memory1994
PRO
2
720
Using "modern" Ruby to build a better, faster Homebrew
mikemcquaid
2
280
AmperとFleetを使ったAndroidアプリ
yoppie
0
300
Enjoy Creative Coding with Ruby (RubyKaigi2024)
chobishiba
0
800
Open standards for building event-driven applications in the cloud
meteatamel
0
230
一文字エイリアスのすすめ
fujimura
0
200
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
74k
GitHub Actionsの痒いところを埋めるサードパーティーランナー
dora1998
2
280
Exploring the Implementation of “t.Run”, “t.Parallel”, and “t.Cleanup”
akarin
1
160
JavaScript Closure
asoluka
0
2k

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
BBQ
matthewcrist
80
8.8k
Web Components: a chance to create the future
zenorocha
306
41k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k
Statistics for Hackers
jakevdp
790
220k
Typedesign – Prime Four
hannesfritz
36
2.1k
Docker and Python
trallard
35
2.7k
Building Flexible Design Systems
yeseniaperezcruz
320
37k
The Cult of Friendly URLs
andyhume
74
5.7k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k

Transcript

  1. @ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io

  2. @ManfredSteyer @ManfredSteyer

  3. @ManfredSteyer

  4. @ManfredSteyer

  5. @ManfredSteyer OAuth2 Folie▪ 5 Client Authorization-Server Resource-Server

  6. @ManfredSteyer OAuth2 Folie▪ 6 Client Authorization-Server Resource-Server 1. Redirection 2.

    Redirection w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF

  7. @ManfredSteyer

  8. @ManfredSteyer

  9. @ManfredSteyer Manfred Steyer

  10. @ManfredSteyer

  11. @ManfredSteyer @ManfredSteyer

  12. @ManfredSteyer Implicit Flow Folie▪ 12 Client Authorization-Server Resource-Server 1. Redirection

    2. Access-Token 3. Access-Token

  13. @ManfredSteyer OpenId Connect Folie▪ 13 Client Authorization-Server Resource-Server 1. Redirection

    2. Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC) Format: JSON Web Token (JWT)

  14. @ManfredSteyer

  15. @ManfredSteyer @ManfredSteyer

  16. @ManfredSteyer @ManfredSteyer

  17. @ManfredSteyer Current Best Practices Documents Advice Against Implicit Flow

  18. @ManfredSteyer Implicit Flow Folie▪ 18 Client Authorization-Server Resource-Server 1. Redirection

    2. Access-Token 3. Access-Token

  19. @ManfredSteyer

  20. @ManfredSteyer

  21. @ManfredSteyer Code Flow w/ OIDC Folie▪ 21 Client Authorization-Server Resource-Server

    1. Redirection 2. Redirection w/ Code

  22. @ManfredSteyer Code Flow w/ OIDC Folie▪ 22 Client Authorization-Server Resource-Server

    3. AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token

  23. @ManfredSteyer Code Flow + PKCE w/ OIDC Folie▪ 23 Client

    Authorization-Server Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier)

  24. @ManfredSteyer Code Flow + PKCE w/ OIDC Folie▪ 24 Client

    Authorization-Server Resource-Server 3. AJAX Code + verifier 4. Response w/ Access-Token and Id-Token 5. Access-Token Hash(verifier)

  25. @ManfredSteyer @ManfredSteyer

  26. @ManfredSteyer DEMO

  27. @ManfredSteyer

  28. @ManfredSteyer @ManfredSteyer

  29. @ManfredSteyer Why Token Refresh? Short living tokens increase security Users

    don't want to login over and over again

  30. @ManfredSteyer Refresh w/ Cookie Folie▪ 30 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Code

  31. @ManfredSteyer Alternative: Silent Refresh Folie▪ 31 Client Authorization-Server Resource-Server 1.

    Redirection in hidden iframe 2. Redirection w/ Code

  32. @ManfredSteyer Folie▪ 32 Client Authorization-Server Resource-Server 1. Redirection 2. Code

    for Access-Token und Id-Token and Refresh-Token Refresh Token

  33. @ManfredSteyer Refresh Token Folie▪ 33 Client Authorization-Server Resource-Server 3. Refresh-Token

    4. Code for Access-Token und Id-Token and new Refresh-Token

  34. @ManfredSteyer * in specific situations …

  35. @ManfredSteyer Refresh-Token and Browsers • OAuth 2.0 Security Best Current

    Practice allows it under specific circumstances • Security Audit (XSS!) • Refresh Token needs to be one-time token • After Refresh: Client gets new refresh toke

  36. @ManfredSteyer DEMO

  37. @ManfredSteyer

  38. @ManfredSteyer

  39. @ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie

    Static Files (SPA) + XSRF Token SameSite +

  40. @ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only

    Cookie Static Files (SPA) Resource-Server 2 ⁉️

  41. @ManfredSteyer

  42. @ManfredSteyer

  43. @ManfredSteyer

  44. @ManfredSteyer

  45. @ManfredSteyer // 1. Register Services var builder = WebApplication.CreateBuilder(args); […]

    builder.Services .AddAntiforgery([…]) .AddSession([…]) .AddAuthentication([…]) .AddCookie([…]) .AddOpenIdConnect([…]); YARP 101

  46. @ManfredSteyer // 2. Add Middleware app.UseSession(); app.UseAuthentication(); app.UseAuthorization(); app.UseCookiePolicy(); app.UseXsrfCookie();

    app.UseGatewayEndpoints(); app.MapReverseProxy([…]); // 3. Start Sever app.Run("http://+:8080"); YARP 101

  47. @ManfredSteyer

  48. @ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:

    https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway- client/blob/main/apps/flight-app/src/app/shared/auth.service.ts

  49. @ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic

    Implementation Token Refresh Easier + More Secure

  50. @ManfredSteyer

  51. @ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops