Permanent login based on OAuth / OpenID

We have a regular cookie-based authorization web application, and now we want to separate the frontend and the backend (API) in order to have a public API for third parties. Thus, our backend will be on one domain and our frontend on another.

For authorization we would like to switch to OAuth 2 with JWT. In this case our frontend application will have to use an access_token instead of a session cookie, and this raises the big old question:

How to Stay Logged In - The infamous Remember Me checkbox (Part II of Website Based Authentication)

From an OAuth2 perspective, our external application will use something between the Resource Owner Password Credentials grant and the Implicit grant. It is closer to Password Credentials, because we are still going to use the usual registration form and will not redirect the user to another domain to log in. At the same time it is closer to the Implicit grant, since all of this will happen only in the browser, in JavaScript, with the access_token stored in the browser.

The RFC says the authorization server SHOULD NOT issue a refresh token when you use the Implicit grant, and my question is whether this still applies when you are not really doing three-legged OAuth but talking to your own API. Intuitively I feel that having a refresh_token in the browser is a security hole, and I would like you guys to confirm this, but a refresh_token seems to be the only way to get a persistent login the way cookies do.


UPD after the comment by @FlorentMorselli:

The OpenID specs still don't answer my question of whether I can use a refresh_token with a browser-only application:

  • Google says they provide a refresh_token only for access_type=offline
  • OpenID Connect Core says you cannot use a refresh token with the Implicit Flow
  • OpenID Connect Core says nothing about using a refresh_token with the Hybrid Flow
  • There's only one place that says something promising about a refresh_token with the Hybrid Flow, but nothing definite

UPD2, thanks @reallifelolcat:

It seems that OpenID Connect does not explicitly support the Resource Owner Password Credentials grant, which means that you need to redirect the user to the OpenID Connect server to log in. Do you know if there is another way to authenticate with user credentials through OAuth 2.0?


I believe that separating the API and the frontend is becoming more common these days, and I would appreciate it if you would share how you solve the problem of persistent login, or whether you drop it entirely and force the user to re-login every X weeks.

Thanks!

+5
1 answer

Access tokens and refresh tokens have nothing to do with logging in with OpenID Connect. They are only for authorizing access to user profile information and, possibly, for authenticated service calls to your public API after the fact of logging in. Refer to the specification for the difference between the ID token and the access token.

If you intend to use OpenID Connect to log in, then from what you have written so far it looks like you need to host your own OpenID Provider (OP), since you want to avoid switching to another domain for logging in:

we will continue to use the usual registration form and will not redirect the user to another domain to log in.

If you are your own identity provider, you have more power. This means you will have to deploy your own working instance of an OpenID Connect server, complete with authorization and token endpoints.

Now this is the part that covers your persistent login. Your browser webapp will rely on the OP server you host. When a user tries to log in to your browser application using OpenID Connect, they will need to authenticate to your OP server. By going through the OIDC flow, your browser application will receive an ID token containing an issuer/subject pair that identifies the user.

It is up to you to determine how the user authenticates to your OP server, but if the user at least grants consent to the browser application (http://openid.net/specs/openid-connect-core-1_0.html#Consent), then you can save this consent for all future login requests from this browser application and therefore maintain a persistent login.

You will need to think about how you are going to handle session management, but it sounds like you already have some cookies, so you can use those (see this answer: OpenID login mechanism - log in). Otherwise you will end up in a situation where your browser webapp has to obtain a new token all the time.

Also, as Florent noted, there are security considerations to take into account when doing the public client thing that your browser-based webapp will be. Example: https://tools.ietf.org/html/rfc6749#section-10.16

+4
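As an added example (not code from this thread, nor from any project it mentions), here is what a defensive server side of the persistent login discussed above can look like. It serves both the question's worry about keeping a refresh_token in the browser and the answer's points about the ID token's issuer/subject pair and server-side session management. Everything in it is an assumption of the example rather than something the thread prescribes: HS256 JWTs signed with a shared secret, a hypothetical issuer `https://op.example` and client id `browser-app`, and opaque refresh tokens that are stored only as hashes, rotated on every use, and revoked as a whole session when a spent one is replayed. It uses the standard library only.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example; a real deployment keeps the signing key
# outside the code and uses the OP's real issuer and the client's real client_id.
SECRET = b"constructed-demo-signing-key"
ISSUER = "https://op.example"   # hypothetical OpenID Provider
AUDIENCE = "browser-app"        # hypothetical client_id of the browser webapp
ACCESS_TTL = 300                # short-lived: bounds the damage if a token leaks from the browser


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


def mint_jwt(claims):
    """HS256-sign a claims dict; used for both the access token and the ID token."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token, now=None):
    """Check alg, signature, issuer, audience and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer/audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class TokenService:
    """Login and token endpoints. Refresh tokens carry no claims: they are opaque
    random strings whose SHA-256 is bound to a server-side session, so they can be
    revoked, are single-use, and a replayed one shows that a copy escaped the browser."""

    def __init__(self):
        self.sessions = {}  # session id -> {"sub": ..., "revoked": bool}
        self.index = {}     # sha256(refresh token) -> (session id, "current" | "spent")

    def _issue(self, sid, sub, now):
        access = mint_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "sid": sid,
                           "scope": "api", "exp": now + ACCESS_TTL})
        id_token = mint_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                             "iat": now, "exp": now + ACCESS_TTL})
        return access, id_token

    def _rotate(self, sid, spent_hash=None):
        if spent_hash is not None:
            self.index[spent_hash] = (sid, "spent")
        new_rt = secrets.token_urlsafe(32)
        self.index[token_digest(new_rt)] = (sid, "current")
        return new_rt

    def login(self, sub, now=None):
        """Credentials were already checked by the caller; returns (access, id_token, refresh)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"sub": sub, "revoked": False}
        return self._issue(sid, sub, now) + (self._rotate(sid),)

    def refresh(self, rt, now=None):
        """Exchange a refresh token for fresh tokens; the presented token becomes spent."""
        now = time.time() if now is None else now
        hit = self.index.get(token_digest(rt))
        if hit is None:
            raise PermissionError("unknown refresh token")
        sid, state = hit
        session = self.sessions[sid]
        if session["revoked"] or state == "spent":
            # Two parties hold this token: revoke the whole session so neither keeps access.
            session["revoked"] = True
            raise PermissionError("refresh token reuse detected; session revoked")
        return self._issue(sid, session["sub"], now) + (self._rotate(sid, token_digest(rt)),)

    def authorize(self, access_token, now=None):
        """Per API request: verify the JWT, then confirm its session is still live."""
        claims = verify_jwt(access_token, now)
        session = self.sessions.get(claims.get("sid"))
        if session is None or session["revoked"]:
            raise PermissionError("session revoked")
        return claims["sub"]
```

The browser holds only the short-lived access token and the current refresh token. Because the server remembers which refresh tokens it has already spent, a copy presented after the browser has rotated it revokes the session for everyone holding it, which is the detection a long-lived cookie-style "remember me" value on its own does not give you.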

Source: https://habr.com/ru/post/1204689/
