Authentication and authorization in modern JavaScript web...

Post on 16-Oct-2020


Authentication and authorization in modern JavaScript web applications
How hard can it be?

Brock Allen
brockallen@gmail.com
http://brockallen.com
@BrockLAllen

Outline

• Constraints with JavaScript web applications
  • Affects how we implement security
• OpenID Connect
  • Authentication for JavaScript web applications
  • Authentication and authorization to APIs
• Application considerations
  • Token validation
  • Token management

Modern / pure JavaScript apps

• Client
  • Browser-based
  • Entirely JavaScript (SPA)
  • Dynamic rendering all client side
• Server
  • Thin server
  • Static content (HTML, JS, CSS, etc.)
  • Ajax endpoints (HTTP APIs)

Securing modern JavaScript apps

• Client
  • Who is the user?
• Server
  • Who is the caller?
  • User? Client?


No more cookies for security

• Cookies are the typical approach for server-side applications
  • But not appropriate for modern JavaScript apps
• Modern apps don't have/use a server-side HTML framework
  • SPAs (or mobile apps) are doing the UI client-side
• APIs can't use cookies
  • API might be cross-domain
  • Cookies don't make sense for non-browser clients
  • Cross-site request forgery (XSRF) security issues

OpenID Connect for security

• OpenID Connect (OIDC): modern security protocol
  • Designed for modern application types (client-side, server-side, and mobile)
• Allows for authentication to client application
  • With id_token
• Allows for securing server APIs
  • With access_token

Authentication in JS-based apps

• OpenID Provider (OP)
  • Issues tokens
• 1) Client makes request to OP
  • User authenticates
  • User consents (optional)
• 2) OP returns to client
  • Accept id token
  • Client validates id token

[Diagram: user "bob" authenticates at the OP with password "secret"; the OP returns an id_token to the client]

Id tokens

• Format is JSON web token (JWT)
  eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
• Three parts: Header, Claims, Signature

Header:
  {
    "typ": "JWT",
    "alg": "RS256",
    "x5t": "mj399j…"
  }

Claims:
  {
    "iss": "https://idsrv3",
    "exp": 1340819380,
    "aud": "app1",
    "nonce": "289347898934823",
    "sub": "182jmm199",
    "email": "alice@alice.com",
    "email_verified": true,
    "amr": "password",
    "auth_time": 12340819300
  }

Validating id tokens

• Steps to validate:
  1. Verify state is the same as sent in the request (prevents XSRF/replay)
  2. Base64Url decode id_token and parse into JSON (formatting step)
  3. Verify nonce is the same as sent in the request (prevents XSRF/replay)
  4. Validate signature on the token (establishes trust [requires crypto])
  5. Validate iss is the same as the issuer of the OIDC OP (establishes trust)
  6. Validate aud is the same as this client's identifier (prevents privilege escalation)
  7. Validate exp is still valid (prevents stale tokens)

OidcClient

• JavaScript helper class that implements the OIDC protocol
  • Includes id_token validation
  • Including crypto implementation
  • Heavy use of promises
• http://github.com/IdentityModel/oidc-client-js
  • Also available via npm

More identity data

• Might need more than the sub (subject) claim
  • scope used to ask for more identity data

More identity data with user profile

• Id token might become too large
  • Needs to fit into URL
• OIDC defines userinfo endpoint
  • Ajax call to load user profile
  • Requires authorization with an access token obtained in the OIDC request

Requesting access token

• Add "token" to the response_type parameter to the authorization endpoint
• More validation required (same as before, plus):
  • Hash the access token and compare the left half to at_hash in the id token (ensures the id token is paired with the access token)

[Diagram: authorization request with response_type "id_token token"; the OP returns id_token and access_token, and the client sends the access_token to the user profile endpoint]

Using access token to call user profile

• Access token passed as Authorization HTTP request header
• Response is JSON of user profile based upon requested scopes

  var xhr = new XMLHttpRequest();
  xhr.onload = function () {
    // userinfo response: JSON claims for the scopes requested
    var user_profile = JSON.parse(xhr.response);
  };
  xhr.open("GET", user_profile_endpoint);
  // access token sent as a bearer token; no cookies involved
  xhr.setRequestHeader("Authorization", "Bearer " + access_token);
  xhr.send();

Calling other web APIs

• APIs use access token from the same OIDC OP
  • Just need to request more scopes

[Diagram: client sends access_token to the web API and receives JSON; the token was requested with scope: api1]

Logout

• Throw away tokens in client
• Signing out of OIDC OP
  • Must make request to OP
• Post logout redirect
  • Must pass redirect URL as post_logout_redirect_uri
  • Must pass original id token as id_token_hint

Token management

• Token storage
  • localStorage
  • sessionStorage
  • indexedDb
• Token expiration
  • Access tokens expire (1h, 10h, 1d, 30d, whatever)
  • Need a way to manage this lifetime
    • Wait for 401 from API
    • Renew prior to expiration

UserManager

• JavaScript helper class to manage tokens, expirations, and renewals
  • Implemented in terms of OidcClient
• Part of oidc-client-js library

Renewing access tokens

• Unlike cookies, access tokens don't slide
  • Must return to OIDC OP to obtain a new access token
• Start from scratch
  • Almost the same as starting all over
  • Don't want to lose the state in the app
• Popup window
  • Better than starting over
  • Somewhat intrusive
• Hidden iframe
  • Nice tradeoff for usability

Summary

• Cookies aren't appropriate for modern JavaScript apps
  • XSRF issues
• OpenID Connect is the one protocol to rule them all
  • Allows for authentication and authorization
• Client-side applications have non-trivial work to do (depending on requirements)
  • Token validation
  • Token management