JWT Authentication and Refresh Token Renewal

I am developing a REST application with its own authentication and authorization mechanism. I want to use JSON Web Tokens for authentication. Is the following a valid and safe implementation?

  • The REST API will be designed to accept a username and password and authenticate. The HTTP method used is POST, so there is no caching. In addition, SSL will be used in transit for security.
  • During authentication, two JWTs will be created: an access token and a refresh token. The refresh token will have a longer validity period. Both tokens will be written to cookies so that they are sent with each subsequent request.
  • Each time the REST API is called, the tokens will be retrieved from the HTTP header. If the access token has not expired, check the user's rights and allow access accordingly. If the access token has expired but the refresh token is valid, recreate the access token and renew the token with new expiration dates (performing all necessary checks to ensure that the user's authentication rights have not been revoked) and send them back via cookies.
  • Provide a REST API for logging out, which will reset the cookies, so subsequent API calls will be rejected until you log in again.

My understanding of the refresh token:

Because of the refresh token, we can keep a shorter validity period for the access token and frequently check (after the access token has expired) that the user is still allowed to log into the system.

Please correct me if I am wrong.

+7
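As an added example, not code from the question or any of the answers: the per-request check flow the question describes (valid access token, or expired access token plus valid refresh token and a re-check of the account, otherwise reject), using a minimal HS256 JWT built on the standard library. The secret, the two lifetimes, and the `typ` claim that keeps a refresh token from being accepted as an access token are constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: use a random, secret HS256 key in practice
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600  # seconds; constructed lifetimes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, ttl: int, now: int) -> str:
    """Build an HS256 JWT whose exp claim is now + ttl seconds."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({**claims, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: int):
    """Return (claims, reason), reason in 'ok' / 'expired' / 'invalid'; the HMAC is always checked."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "invalid"  # forged or tampered token, including alg=none
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None, "invalid"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None, "invalid"  # malformed structure, base64 or JSON
    return (claims, "expired") if claims.get("exp", 0) <= now else (claims, "ok")

def issue_tokens(user: str, now: int) -> dict:
    """Cookie values set at login and again after every successful refresh."""
    return {"access": make_jwt({"sub": user, "typ": "access"}, ACCESS_TTL, now),
            "refresh": make_jwt({"sub": user, "typ": "refresh"}, REFRESH_TTL, now)}

def handle_request(cookies: dict, now: int, user_still_active) -> dict:
    """Access valid -> allow; expired but refresh valid and account active -> allow and re-issue both; else reject."""
    claims, reason = verify_jwt(cookies.get("access", ""), now)
    if reason == "ok" and claims.get("typ") == "access":
        return {"status": "allowed", "user": claims.get("sub")}
    if reason != "expired":
        return {"status": "rejected"}  # missing or forged access token: no refresh attempt
    rclaims, rreason = verify_jwt(cookies.get("refresh", ""), now)
    user = (rclaims or {}).get("sub")
    if rreason != "ok" or rclaims.get("typ") != "refresh" or not user_still_active(user):
        return {"status": "rejected"}  # refresh expired/forged, or the account was disabled
    return {"status": "allowed", "user": user, "set_cookies": issue_tokens(user, now)}
```

`user_still_active` stands in for the server-side check the question calls for before re-issuing; the returned `set_cookies` values are what the logout endpoint would clear.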
3 answers

The REST API will be designed to accept username and password and do authentication. The HTTP method used is POST, so no caching. In addition, to ensure security at the time of transit

Here's how to do it, so you're good here.

JWT - . . cookie,

, - JWT-, , CSRF, - + cookie , CSRF. localStorage "" .

API REST HTTP . , . , ( , ) Cookies

, , .

API REST , reset cookie , , API , .

API, cookie localStorage , .

express-jwt , ": [Token]", cookie. LocalStorage API IE8, .

Edit:

XSS CSRF, .

XSS - JS, , , JWT localStorage, , JWT cookie . httpOnly cookie , AJAX . , . , , , .

JS iframes, localStorage, , , .

CSRF , HTML- , cookie. , , . JWT localStorage , .

, , cookie httpOnly , , api.domain. com + app.domain.com , JWT - .

, !

+5

:

( ), .

, , .

, JWT - OAuth ( OAuth 2.0), .

( ) JWT ( auth-server , )... , , ;)

, (, , JWT), , JWT , , JWT:

  • - / (, )?
  • - (, )?
  • ...

, , , - (, / ). , JWT , JWT .

+1

. , , , - .

, , OAuth 2.0 " ". , , " ". , , - , :

  1. , .

  2. /, SPA .

  3. - .

  4. - .

  5. - SPA, cookie, . , , .

:

, " " ,

  1. .

  2. URL, .

  3. XSS-, .

SPA CSRF XSS. CSRF OWASP CSRF.

  1. . , XSS . , , XSS , , - , . , , secure httpOnly , XSS . , XSS , , XSS . ( , , , XSS )

  2. CSRF, , HttpClient Angular ( Angular HttpClient cookie non- HttpOnly ( , cookie), . ( SecureRandom Java). cookie HTTP ( GET & HEAD, - . CSRF - - - ), cookie. cookie , CSRF ,

  3. CSRF, referer , . referer non- , . SSL/TLS referrer . ( - ) referer

  4. HTTP TRACE , httpOnly cookie httpOnly

  5. Strict-Transport-Security: max-age=<expire-time>; includeSubDomains , -- CSRF -

  6. The authorization server can also maintain a list of all issued access/refresh token pairs, client IP addresses and CSRF token values, so that, if necessary, the server can:

    • revoke a specific client's refresh token

    • check whether the refresh request comes from an IP address other than the original login IP address (which could be a potential attack)

0

Source: https://habr.com/ru/post/1666608/