You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have several auth mechanisms that can coexist and fall into two categories:
Basic Auth (non-interactive: header-based, on all endpoints)
JWT Auth (non-interactive: header or cookie based, on all endpoints)
OIDC Web (interactive: cookie-based, handles redirects)
WebAuthn (interactive: cookie-based, handles redirects, special action on some endpoints)
Form Auth (interactive: cookie-based, handles redirects, special action on some endpoints)
Basic and JWT fall into the same category IMO, because they both look at headers and if not present return a 401. This is meant for non-interactive REST APIs where you're authenticated or you're not.
OIDC, WebAuthn and Form fall into a second category, because they are meant for interactive web sites where attempting to access a protected resource without credentials should redirect you to a login page, and after the login is done, they store the user identity in a cookie so that login doesn't need to be redone on subsequente requests.
It's often the case that web applications will want more than one mechanism in place for logins, and so Basic is already special-cased so that it doesn't issue a 401 challenge if Form is enabled, because Form will trigger a wanted redirect.
In my application I have OIDC, WebAuthn and JWT coexisting: I decided to store both OIDC and WebAuthn logins into a JWT cookie, but the JWT challenge prevents me from getting a 302 redirect because it is evaluated before the WebAuthn authentication mechanism challenge. So I get a 401 which is not what I want.
At the moment, OIDC and Form both store the original uri to redirect to after login is done inside their own separate cookie. WebAuthn lacks that, but it should support it.
Form and WebAuthn both support a login redirect but they're configured separately. They also store the logged-in identity in separate cookies.
IMO all this should be harmonised:
JWT auth should not trigger a 401 if another auth mechanism is interactive (like Basic+Form)
Form and WebAuthn should store the original uri to redirect to after login inside the same cookie, to be configured by a shared config key
Form, WebAuthn and JWT should perhaps store the logged in user in the same cookie, perhaps with a discriminant as to which auth mechanism stored it there?
Implementation ideas
No response
The text was updated successfully, but these errors were encountered:
Description
We have several auth mechanisms that can coexist and fall into two categories:
Basic and JWT fall into the same category IMO, because they both look at headers and if not present return a 401. This is meant for non-interactive REST APIs where you're authenticated or you're not.
OIDC, WebAuthn and Form fall into a second category, because they are meant for interactive web sites where attempting to access a protected resource without credentials should redirect you to a login page, and after the login is done, they store the user identity in a cookie so that login doesn't need to be redone on subsequente requests.
It's often the case that web applications will want more than one mechanism in place for logins, and so Basic is already special-cased so that it doesn't issue a 401 challenge if Form is enabled, because Form will trigger a wanted redirect.
In my application I have OIDC, WebAuthn and JWT coexisting: I decided to store both OIDC and WebAuthn logins into a JWT cookie, but the JWT challenge prevents me from getting a 302 redirect because it is evaluated before the WebAuthn authentication mechanism challenge. So I get a 401 which is not what I want.
At the moment, OIDC and Form both store the original uri to redirect to after login is done inside their own separate cookie. WebAuthn lacks that, but it should support it.
Form and WebAuthn both support a login redirect but they're configured separately. They also store the logged-in identity in separate cookies.
IMO all this should be harmonised:
Implementation ideas
No response
The text was updated successfully, but these errors were encountered: