I would like to use a standalone OpenID Connect (OIDC) server in combination with JWT as the authorization token (access token in OIDC terms). The JWT will be used to protect REST services, while the user interface is a mix of classic and single-page applications (Angular). Thus, the REST layer could perform authorization based on the JWT without keeping state, so no additional DB connections are needed, as described here:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
For a single-page application, the OIDC implicit flow is suitable. However, I see a security problem when the implicit flow is used in conjunction with stateless JWT tokens: tokens are delivered as part of the URL fragment, which means they cannot be deleted (they are easily accessible in the browser history) and cannot be invalidated (they are stateless), so there is no logout.
I see two options to mitigate this:
- Use very short-lived tokens (a few minutes at most). This can hurt usability considerably.
- Use the authorization code flow via AJAX. This is not compatible with OIDC, but it makes logout possible, since tokens will not appear in the URL.
The third option is to give up stateless JWT tokens and use plain bearer tokens with database checks.
Did I miss something? What would you choose?
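As an added illustration of the trade-off in the question (not part of the original post or any project), here is a minimal HS256 JWT verifier in Python: a purely stateless check can only honour `exp`, so a logout is invisible to it, while the third option adds a server-side revocation lookup on every request. The signing key, the `jti` denylist and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumption: HMAC key shared between the OIDC server and the REST layer (constructed).
SECRET = b"constructed-demo-secret"
# Option 3 state: revoked token ids, consulted on every request (would live in a DB).
REVOKED_JTIS: set = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Build a compact HS256 JWT with a short lifetime (option 1 is just a small ttl)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def revoke(token: str) -> None:
    """Logout: remember the token id so a stateful check can reject it before exp."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    REVOKED_JTIS.add(payload["jti"])


def verify(token: str, now: int, check_revocation: bool):
    """Return the subject if the token is acceptable, else None.

    check_revocation=False is the stateless REST check from the question;
    check_revocation=True is the extra database lookup of option 3.
    """
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature mismatch: tampered or foreign token
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse any algorithm other than the one we issue
        payload = json.loads(_b64url_decode(p))
        if payload["exp"] <= now:
            return None  # expired: the only stateless way a token ever dies
        if check_revocation and payload.get("jti") in REVOKED_JTIS:
            return None  # logged out, visible only with server-side state
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed segment, bad base64/JSON or missing claim
```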