Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rethinking Auth for SPAs and Micro Frontends: ...

Manfred Steyer
PRO
May 18, 2022
Programming
0
710

Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways

Manfred Steyer
PRO

May 18, 2022
Tweet

More Decks by Manfred Steyer

See All by Manfred Steyer
Signal-Based Data Fetching With the New httpResource
manfredsteyer
PRO
0
23
Modern Angular: Renovation for Your Applications @angularDays 2025 Munich
manfredsteyer
PRO
0
97
Effective Signals in Angular 19+ Rules and Helpers
manfredsteyer
PRO
0
190
The Price of Micro Frontends … and Your Alternatives @bastacon 2025 in Frankfurt
manfredsteyer
PRO
0
460
Your Architecture as a Crime Scene: Forensic Analysis @bastacon 2025 in Frankfurt
manfredsteyer
PRO
0
180
Modern Angular with Signals and Signal Store New Rules for Your Architecture @bastacon 2025 in Frankfurt
manfredsteyer
PRO
0
200
Effective Signals in Angular 19+: Rules and Helpers
manfredsteyer
PRO
0
870
Effective Signals in Angular 19+: Rules and Helpers @ngbe2024
manfredsteyer
PRO
0
520
Your Architecture as a Crime Scene: Improvements with Forensic Analysis
manfredsteyer
PRO
0
30

Other Decks in Programming

See All in Programming
‘무차별 LGTM~👍’만 외치던 우리가 ‘고봉밥 코드 리뷰’를?
hannah0731
0
510
CRE Meetup!ユーザー信頼性を支えるエンジニアリング実践例の発表資料です
tmnb
0
150
PHPでお金を扱う時、終わりのない 謎の1円調査の旅にでなくて済む方法
nakka
3
960
イベントソーシングによってインピーダンスミスマッチから解放された話
tkawae
1
310
The Evolution of Enterprise Java with Jakarta EE 11 and Beyond
ivargrimstad
0
620
AI時代のプログラミング教育 / programming education in ai era
kishida
22
20k
Node.js, Deno, Bun 最新動向とその所感について
yosuke_furukawa
PRO
6
3k
Go1.24で testing.B.Loopが爆誕
kuro_kurorrr
0
140
아직도 SOLID 를 '글'로만 알고 계신가요?
sh1mj1
0
350
小さく段階的リリースすることで深夜メンテを回避する
mkmk884
2
120
RubyKaigiで手に入れた HHKB Studioのための HIDRawドライバ
iberianpig
0
180
複雑なフォームと複雑な状態管理にどう向き合うか / #newt_techtalk vol. 15
izumin5210
4
2.4k

Featured

See All Featured
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
30
1.1k
Designing Experiences People Love
moore
140
23k
Rails Girls Zürich Keynote
gr2m
94
13k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Reflections from 52 weeks, 52 projects
jeffersonlam
349
20k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.3k
Gamification - CAS2011
davidbonilla
80
5.2k
Fireside Chat
paigeccino
37
3.3k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
102
18k
Why Our Code Smells
bkeepers
PRO
336
57k
A designer walks into a library…
pauljervisheath
205
24k
The Cost Of JavaScript in 2023
addyosmani
48
7.6k

Transcript

  1. @ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io

  2. @ManfredSteyer Folie▪ 2 Client Authorization-Server Resource-Server

  3. @ManfredSteyer Folie▪ 3 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect

    w/ (Code for) Access-Token 3. Access-Token

  4. @ManfredSteyer Folie▪ 4 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect

    w/ (Code for) Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC)

  5. @ManfredSteyer

  6. @ManfredSteyer

  7. @ManfredSteyer Manfred Steyer

  8. @ManfredSteyer

  9. @ManfredSteyer

  10. @ManfredSteyer

  11. @ManfredSteyer Several suggestions for using OAuth 2 in a more

    secure way

  12. @ManfredSteyer Example: Using Code Flow + PKCE instead of Implicit

    Flow

  13. @ManfredSteyer Remaining Problem: XSS -> Stealing Tokens

  14. @ManfredSteyer

  15. @ManfredSteyer Why Token Refresh? Short living Tokens increase Security Users

    don't want to login over and over again

  16. @ManfredSteyer Folie▪ 23 Client Authorization-Server Resource-Server 1. Redirection 2. Code

    for Access-Token und Id-Token and Refresh-Token

  17. @ManfredSteyer Folie▪ 24 Client Authorization-Server Resource-Server 3. Refresh-Token 4. Code

    for Access-Token und Id-Token and new Refresh-Token

  18. @ManfredSteyer * in specific situations …

  19. @ManfredSteyer

  20. @ManfredSteyer

  21. @ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie

    Static Files (SPA) + XSRF Token SameSite +

  22. @ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only

    Cookie Static Files (SPA) Resource-Server 2 ⁉️

  23. @ManfredSteyer

  24. @ManfredSteyer

  25. @ManfredSteyer

  26. @ManfredSteyer

  27. @ManfredSteyer // 1. Register Services var builder = WebApplication.CreateBuilder(args); builder.Services.AddReverseProxy()

    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy")); […] builder.Services .AddAntiforgery([…]) .AddSession([…]) .AddAuthentication([…]) .AddCookie([…]) .AddOpenIdConnect([…]); YARP 101

  28. @ManfredSteyer // 2. Add Middleware app.UseSession(); app.UseAuthentication(); app.UseAuthorization(); app.UseCookiePolicy(); app.UseXsrfCookie();

    app.UseGatewayEndpoints(); app.MapReverseProxy([…]); // 3. Start Sever app.Run("http://+:8080"); YARP 101

  29. @ManfredSteyer

  30. @ManfredSteyer DEMO

  31. @ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:

    https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway-client/

  32. @ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic

    Implementation Token Refresh & Exchange Easier + More Secure

  33. @ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops