Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Rethinking Auth for SPAs and Micro Frontends: ...

Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways

Manfred Steyer

July 03, 2023
Tweet

More Decks by Manfred Steyer

Other Decks in Programming

Transcript

  1. @ManfredSteyer OAuth2 Folie▪ 6 Client Authorization-Server Resource-Server 1. Redirection 2.

    Redirection w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF
  2. @ManfredSteyer OpenId Connect Folie▪ 13 Client Authorization-Server Resource-Server 1. Redirection

    2. Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC) Format: JSON Web Token (JWT)
  3. @ManfredSteyer Code Flow w/ OIDC Folie▪ 22 Client Authorization-Server Resource-Server

    3. AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token
  4. @ManfredSteyer Code Flow + PKCE w/ OIDC Folie▪ 23 Client

    Authorization-Server Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier)
  5. @ManfredSteyer Code Flow + PKCE w/ OIDC Folie▪ 24 Client

    Authorization-Server Resource-Server 3. AJAX Code + verifier 4. Response w/ Access-Token and Id-Token 5. Access-Token Hash(verifier)
  6. @ManfredSteyer Folie▪ 32 Client Authorization-Server Resource-Server 1. Redirection 2. Code

    for Access-Token und Id-Token and Refresh-Token Refresh Token
  7. @ManfredSteyer Refresh-Token and Browsers • OAuth 2.0 Security Best Current

    Practice allows it under specific circumstances • Security Audit (XSS!) • Refresh Token needs to be one-time token • After Refresh: Client gets new refresh toke
  8. @ManfredSteyer // 1. Register Services var builder = WebApplication.CreateBuilder(args); […]

    builder.Services .AddAntiforgery([…]) .AddSession([…]) .AddAuthentication([…]) .AddCookie([…]) .AddOpenIdConnect([…]); YARP 101
  9. @ManfredSteyer // 2. Add Middleware app.UseSession(); app.UseAuthentication(); app.UseAuthorization(); app.UseCookiePolicy(); app.UseXsrfCookie();

    app.UseGatewayEndpoints(); app.MapReverseProxy([…]); // 3. Start Sever app.Run("http://+:8080"); YARP 101
  10. @ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:

    https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway- client/blob/main/apps/flight-app/src/app/shared/auth.service.ts
  11. @ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic

    Implementation Token Refresh Easier + More Secure