Cookies AND Bearer Token in the same application

So, here is my situation. I have a web application where Users register and manage/view the data that is automatically generated every time they have a doctor appointment. At the same time, this User data is exposed to any approved Client (third party app) via an API. Also, these Clients may feed data into the API. So my web is a central repository of data of the Users that other Clients can consume/feed. That's ok.

Now, I want the User to create an account in my web application using Email and password (and not using FB or Twitter, etc), so that they can authenticate and authorize Clients to have access to their data. Typical Facebook-Twitter/Apps relationship.

My dilemma comes when I'm trying to implement the right Authentication/Authorization methodology for my website. On one hand, the web app will give access to its Users so they can see their data. Think of logging into Facebook using your email and password. This is done in MVC5, pretty much, with some mini SPA implementation... maybe, so I am thinking of using regular cookies here since it's all "internal". At the same time, I must implement OAuth/Bearer Token authentication when it comes to allowing Clients to access our users' data.

I found this question here: Using bearer tokens and cookie authentication together

Would this be the right way to implement my security infrastructure?

Thanks!

Pepito Fernandez asked Feb 09 '15 16:02

1 Answer

When you use OpenID Connect, you authenticate as a user and you get your tokens back. In ASP.NET, the received ID token is used to create the local session cookie. You can also store the received tokens inside the cookie as well.

Then when you later want to access APIs, you get the tokens from the user's session and call the API using the access token.

So, yes, you typically always create a cookie based session as a result of the OIDC login.

Tore Nestenius answered Oct 03 '22 20:10
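An added example, not the answerer's code, showing the arrangement the answer describes in ASP.NET Core minimal APIs (the question's MVC5/OWIN stack uses different middleware names): the OIDC login produces a cookie session that keeps the tokens (`SaveTokens`), the browser-facing page pulls the access token back out of that session to call the API as a bearer, and the API endpoint used by third-party clients accepts only the bearer scheme. The issuer, client id, scope, audience and URLs are placeholders; it needs the `Microsoft.AspNetCore.Authentication.OpenIdConnect` and `Microsoft.AspNetCore.Authentication.JwtBearer` packages.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
// Browser users: the cookie is the session; an unauthenticated user is challenged via OIDC.
builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(o =>
{
    o.Cookie.HttpOnly = true;                   // the cookie carries tokens, so keep it away from script
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddOpenIdConnect(o =>
{
    o.Authority = "https://issuer.example";     // placeholder issuer
    o.ClientId = "patient-portal";              // placeholder client id
    o.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    o.ResponseType = "code";
    o.SaveTokens = true;                        // keep id/access/refresh tokens in the session cookie
    o.Scope.Add("patient-data.read");           // placeholder API scope
})
.AddJwtBearer(o =>                              // third-party clients: bearer token only, never the cookie
{
    o.Authority = "https://issuer.example";
    o.Audience = "patient-api";                 // placeholder audience
});
builder.Services.AddAuthorization();
builder.Services.AddHttpClient();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Browser page: cookie session, then the stored access token is sent as a bearer to the API.
app.MapGet("/me/appointments", [Authorize] async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    return await client.GetStringAsync("https://localhost/api/appointments");   // placeholder API URL
});
// API used by approved clients (and by the page above): accepts only the bearer scheme.
app.MapGet("/api/appointments", [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    (HttpContext ctx) => Results.Ok(new { user = ctx.User.Identity?.Name }));
app.Run();
```

Because the cookie now holds the access and refresh tokens, its HttpOnly and Secure flags and its size both matter: large tokens can exceed browser cookie limits, in which case a server-side ticket store for the cookie session is the usual remedy.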