Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OpenID Connect with stateless JWT Tokens

Tags:

security

authentication

openid-connect

jwt

single-sign-on

I would like to use a self-hosted OpenID Connect (OIDC) server in a combination with JWT as an authorization token (access token in OIDC terms). JWT would be used to protect REST services while the UI are a mix of classical and single-page applications (Angular). This way, the REST layer would be able to do the authorization based on a stateless JWT token so no extra DB connections are necessary, as described here:

https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

For a single page app, OIDC Implicit Flow is appropriate. However, I see a security problem when Implicit Flow is used in combination with stateless JWT tokens: Tokens are delivered as a fragment part in the URL which means there is no way to remove them (they are easily available in the browser history) nor invalidate them (they are stateless) -> no logout possible.

I see 2 options to mitigate this:

  1. Use a very short-lived tokens (max up to several minutes). This may dramatically hinder usability.
  2. Use an authorization code flow by the means of AJAX. This is not OIDC-compliant but would make a logout possible as tokens would not be exposed in the URL.

The third option would be to give up stateless JWT tokens and use simple bearer tokens with DB checks.

Do I miss something? What would you choose?

like image 678
Vilmantas Baranauskas Avatar asked Dec 08 '14 10:12

Vilmantas Baranauskas

People also ask

Are JWT tokens stateless?

Stateless authentication uses tokens, most often a JSON Web Token (JWT), that contain the user and client information. The server only has to match the token key and cryptographic signature with the information on file, meaning it can do far less work in looking up identity provider (IdP) information.

Does Open ID use JWT?

OpenID Connect is built on the OAuth 2.0 protocol and uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choice, such as scopes and endpoint discovery.

What are stateless tokens?

Token-based authentication enables users to obtain a token that allows them to access a service and/or fetch a specific resource without using their username and password to authenticate every request.

Is OAuth stateless or stateful?

AM OAuth 2.0-related services are stateless unless otherwise indicated; they do not hold any token information local to the AM instances. Instead, they either store the OAuth 2.0/OpenID Connect tokens in the CTS token store, or present them to the client.

1 Answers

one may argue about the risk of fragments ending up in browser history, but "simple" opaque bearer tokens would be subject to the same limitations that you describe for JWT tokens

using a code flow with AJAX is certainly not prevented by the OpenID Connect specification so you could use just that; the implicit flow is only a recommendation for in-browser clients as it optimizes the number of round-trips to get a token to the user agent

like image 124
Hans Z. Avatar answered Oct 10 '22 17:10

Hans Z.
Sign in to Comment

Related questions

How to validate domain credentials (from native code)?
Secure Java from reverse-engineering using industry grade encryption
Cannot implement password filter
.net 4 partial trust an assembly from GAC
How can I improve this NONCE library for PHP?
How can I generate a "private URL" with state of the art balance between security and convenience?
Can an Outlook addin write to the system event log?
Symfony2 login event listener and security.interactive_login event never triggered using FOSUser
Can you have both client certificate security and service identity authentication in azure acs
Creation of XSS vulnerable web page
How can I protect data using iOS on-disk encryption when the user passcode lock has not been enabled?
My applications need to send emails, where and how should I store the SMTP password?
What replaces Java's sun.security packages?
Issues in Launching the signed applet with java 7u45
Fool a PHP file to thinking it is alone in it directory
Creating a Key Pair Certificate and Signing It with External CA using BouncyCastle
How to set up a secure password-protected connection between R and a server
Heartbeat extension: does it make sense to allow for arbitrary payload?
How do I securely handle and zero key material buffers on the JVM?
TLS handshake fails between a Java 1.8 client and a Java 1.7 TLS 1.1 server running in FIPS mode, even after disabling TLS 1.2 in the client side

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!