Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways

Transcript

1. @ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io

2. @ManfredSteyer Folie▪ 2 Client Authorization-Server Resource-Server

3. @ManfredSteyer Folie▪ 3 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect

   w/ (Code for) Access-Token 3. Access-Token

4. @ManfredSteyer Folie▪ 4 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect

   w/ (Code for) Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC)

5. @ManfredSteyer

6. @ManfredSteyer

7. @ManfredSteyer Manfred Steyer

8. @ManfredSteyer

9. @ManfredSteyer

10. @ManfredSteyer

11. @ManfredSteyer Several suggestions for using OAuth 2 in a more

    secure way

12. @ManfredSteyer Example: Using Code Flow + PKCE instead of Implicit

    Flow

13. @ManfredSteyer Remaining Problem: XSS -> Stealing Tokens

14. @ManfredSteyer

15. @ManfredSteyer Why Token Refresh? Short living Tokens increase Security Users

    don't want to login over and over again

16. @ManfredSteyer Folie▪ 23 Client Authorization-Server Resource-Server 1. Redirection 2. Code

    for Access-Token und Id-Token and Refresh-Token

17. @ManfredSteyer Folie▪ 24 Client Authorization-Server Resource-Server 3. Refresh-Token 4. Code

    for Access-Token und Id-Token and new Refresh-Token

18. @ManfredSteyer * in specific situations …

19. @ManfredSteyer

20. @ManfredSteyer

21. @ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie

    Static Files (SPA) + XSRF Token SameSite +

22. @ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only

    Cookie Static Files (SPA) Resource-Server 2 ⁉️

23. @ManfredSteyer

24. @ManfredSteyer

25. @ManfredSteyer

26. @ManfredSteyer

27. @ManfredSteyer // 1. Register Services var builder = WebApplication.CreateBuilder(args); builder.Services.AddReverseProxy()

    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy")); […] builder.Services .AddAntiforgery([…]) .AddSession([…]) .AddAuthentication([…]) .AddCookie([…]) .AddOpenIdConnect([…]); YARP 101

28. @ManfredSteyer // 2. Add Middleware app.UseSession(); app.UseAuthentication(); app.UseAuthorization(); app.UseCookiePolicy(); app.UseXsrfCookie();

    app.UseGatewayEndpoints(); app.MapReverseProxy([…]); // 3. Start Sever app.Run("http://+:8080"); YARP 101

29. @ManfredSteyer

30. @ManfredSteyer DEMO

31. @ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:

    https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway-client/

32. @ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic

    Implementation Token Refresh & Exchange Easier + More Secure

33. @ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops