Authenticationandauthorizationinmodern

JavaScriptwebapplicationsHowhardcanitbe?

BrockAllenbrockallen@gmail.comhttp://brockallen.com

@BrockLAllen

Outline

• ConstraintswithJavaScriptwebapplications• Affectshowweimplementsecurity

• OpenID Connect• AuthenticationforJavaScriptwebapplications• AuthenticationandauthorizationtoAPIs

• Applicationconsiderations• Tokenvalidation• Tokenmanagement

Modern/PureJavaScriptapps

• Client• Browser-based• EntirelyJavaScript(SPA)• Dynamicrenderingallclientside

• Sever• Thinserver• Staticcontent(HTML,JS,CSS,etc.)• Ajaxendpoints(HTTPAPIs)

SecuringmodernJavaScriptapps

• Client• Whoistheuser

• Server• Whoisthecaller

• User• Client

?

?

?

Nomorecookiesforsecurity

• Cookiesarethetypicalapproachforserver-sideapplications• ButnotappropriateformodernJavaScriptapps

• Modernappsdon'thave/useserver-sideHTMLframework• SPAs(ormobileapps)aredoingtheUIclient-side

• APIscan'tusecookies• APImightbecross-domain• Cookiesdon'tmakesensefornon-browserclients• Cross-siterequestforgery(XSRF)securityissues

OpenID Connectforsecurity

• OpenID Connect(OIDC)modernsecurityprotocol• Designedformodernapplicationtypes(client-side,server-side,andmobile)

• Allowsforauthenticationtoclientapplication• Withid_token

• AllowsforsecuringserverAPIs• Withaccess_token

AuthenticationinJS-basedapps

• OpenId Provider(OP)• Issuestokens

• 1)ClientmakesrequesttoOP• Userauthenticates• Userconsents(optional)

• 2)OPreturnstoclient• Acceptidtoken• Clientvalidatesidtoken

bob

secret

id_token

Idtokens

• FormatisJSONwebtoken(JWT)eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

Header Claims Signature{

"typ": "JWT","alg": "RS256","x5t": "mj399j…"

}

{"iss": "https://idsrv3","exp": 1340819380,"aud": "app1","nonce": "289347898934823",

"sub": "182jmm199","email": "alice@alice.com","email_verified": true,"amr": "password","auth_time": 12340819300

}

Validatingidtokens

• Stepstovalidate:1. Verifystate issameassentinrequest(preventsXSRF/replay)2. Base64Urldecodeid_token andparseintoJSON(formattingstep)3. Verifynonce issameassentinrequest(preventsXSRF/replay)4. Validatesignature ontoken(establishestrust[requirescrypto])5. Validateiss sameasissuerofOIDCOP(establishestrust)6. Validateaud sameasthisclient'sidentifier(preventsprivilegeescalation)7. Validateexp isstillvalid(preventsstaletokens)

OidcClient

• JavaScripthelperclassthatimplementsOIDCprotocol• Includesid_token validation

• Includingcryptoimplementation• Heavyuseofpromises

• http://github.com/IdentityModel/oidc-client-js• Alsoavailablevianpm

Moreidentitydata

• Mightneedmorethansub (subject)claim• scope usedtoaskformoreidentitydata

Moreidentitydatawithuserprofile

• Idtokenmightbecometoolarge• NeedstofitintoURL

• OIDCdefinesuserinfoendpoint• Ajaxcalltoloaduserprofile• RequiresauthorizationwithanaccesstokenobtainedinOIDCrequest

Requestingaccesstoken

• Add"token"toresponse_typeparametertoauthorizationendpoint• Morevalidationrequired(sameasbefore,plus):• Hashaccesstokenandcomparelefthalftoat_hash inidtoken(ensuresidtokenispairedwithaccesstoken)

id_tokenaccess_token

access_token

userprofile

id_tokentoken

Usingaccesstokentocalluserprofile

• AccesstokenpassedasAuthorizationHTTPrequestheader• ResponseisJSONofuserprofilebaseduponrequestedscopes

var xhr = new XMLHttpRequest();xhr.onload = function () {

var user_profile = JSON.parse(xhr.response);}

xhr.open("GET", user_profile_endpoint);xhr.setRequestHeader("Authorization", "Bearer " + access_token);xhr.send();

CallingotherwebAPIs

• APIsuseaccesstokenfromsameOIDCOP• Justneedtorequestmorescopes

access_token

access_token

JSON

scope:api1

Logout

• Throwawaytokensinclient• SigningoutofOIDCOP• MustmakerequesttoOP

• Postlogoutredirect• MustpassredirectURLaspost_logout_redirect_uri• Mustpassoriginalidtokenasid_token_hint

Tokenmanagement

• Tokenstorage• localStorage• sessionStorage• indexedDb

• Tokenexpiration• Accesstokensexpire(1h,10h,1d,30d,whatever)• Needawaytomanagethislifetime

• Waitfor401fromAPI• Renewpriortoexpiration

UserManager

• JavaScripthelperclasstomanagetokens,expirations,andrenewals• ImplementedintermsofOidcClient

• Partofoidc-client-js library

Renewingaccesstokens

• Unlikecookies,accesstokensdon'tslide• MustreturntoOIDCOPtoobtainnewaccesstoken

• Startfromscratch• Almostsameasstartingallover• Don'twanttolosethestateintheapp

• Popupwindow• Betterthanstartingover• Somewhatintrusive

• Hiddeniframe• Nicetradeoffforusability

Summary

• Cookiesaren'tappropriateformodernJavaScriptapps• XSRFissues

• OpenIDConnectistheoneprotocoltorulethemall• Allowsforauthenticationandauthorization

• Client-sideapplicationshavenon-trivialworktodo(dependingonrequirements)• Tokenvalidation• Tokenmanagement