
Ability to send token as part of URL #546

Closed
ekryski opened this Issue Jul 25, 2017 · 3 comments

ekryski commented Jul 25, 2017

Currently, in order to support server side rendering and redirects during the authentication flow (i.e. OAuth, redirecting to another app, Single Sign On, etc.) we need to use cookies.

History & Security

The original reason for using the cookie over putting the token in the query string was that we thought the latter was insecure. After much discussion and research we concluded that if you're using HTTPS this is just as secure as cookies because with HTTPS the url and its params are also encrypted. This is in fact how Auth0 does their OAuth authentication.

The biggest risk is a malicious proxy (i.e. a man-in-the-middle attack). If you're not using HTTPS, a malicious proxy could cache these tokens and use them on behalf of a user. So you must use HTTPS. If you are, the only way that a malicious proxy can get your token is if they had your private SSL keys. If that happens, you have bigger problems!

However, even with that, they cannot issue new tokens or tamper with the tokens without your secret used to sign the JWTs. So overall we feel this is a much safer and also less error-prone method than using cookies for passing JWTs around during redirects and server side rendering.

Proposal

Allow users to register a custom formatter to append the access token to the URL as part of the query string when doing a redirect. Similar to feathersjs/authentication-oauth2#8.

Tasks

  • Create custom formatter
  • Ensure this formatter throws an error if not using HTTPS or explicitly told that it is behind a proxy that is terminating SSL.
  • Update generator to add custom formatter if OAuth authentication is chosen.
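As an added example, not code from FeathersJS or from this issue, here is a formatter along the lines of the proposal: it appends the token to a redirect URL but refuses plain HTTP unless the app is explicitly told a TLS-terminating proxy is in front, plus a helper that strips the token back out of the URL on the landing page so it does not linger in history or referrers. The `access_token` parameter name and the `trustProxy` option are assumptions.

```javascript
// Added example: redirect URL formatter that carries the access token in the
// query string, with the HTTPS check the proposal asks for. `access_token`
// and `trustProxy` are assumed names, not FeathersJS options.
function formatRedirectUrl(baseUrl, token, { trustProxy = false, param = 'access_token' } = {}) {
  const url = new URL(baseUrl); // throws on a malformed redirect target
  // Refuse to place a bearer token in a cleartext URL unless the deployment
  // has explicitly declared that TLS is terminated by a trusted proxy.
  if (url.protocol !== 'https:' && !trustProxy) {
    throw new Error(`refusing to put a token in a ${url.protocol} URL: use HTTPS or set trustProxy`);
  }
  url.searchParams.set(param, token);
  return url.toString();
}

// Landing-page side: read the token out of the URL and return the cleaned URL
// that the page should swap into history before loading any other resource,
// so the token is not sent as a referrer to third-party resources.
function stripToken(urlString, param = 'access_token') {
  const url = new URL(urlString);
  const token = url.searchParams.get(param);
  url.searchParams.delete(param);
  return { token, cleanUrl: url.toString() };
}

module.exports = { formatRedirectUrl, stripToken };
```

A `Referrer-Policy: no-referrer` response header on the landing page is the other half of the mitigation for the referrer concern.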
daffl commented Jul 25, 2017

One question I had about this is, if we redirect back to a client application page, will it include the full URL (and therefore the token) as the referrer in the HTTP request to other (possibly external) resources?

marshallswain commented Jul 25, 2017

I think the only protection we have against this is to redirect the users to a blank HTML page as I've done in this example: https://gist.github.com/marshallswain/3c9e5b3b177b977468b5b711b6254f67

They'll have to manually create it.

ekryski commented Jul 25, 2017

After @daffl, @marshallswain and I discussed things, we don't like the idea of moving the token to the query string. There are a couple of problems with it still:

  1. It has the potential to be caught up in the referrer.
  2. It's easy for someone to accidentally post a URL with their access token in it.
  3. We still need cookies for some of the scenarios described here.

Going to close this. We probably just need better errors, warnings and docs to help demystify and debug cookies.

ekryski closed this Jul 25, 2017