Help wanted for SPA + Code Flow #160

Closed
fl0wx opened this issue Feb 24, 2022 · 6 comments

Comments

fl0wx (Author) commented Feb 24, 2022

How do I implement the REST server part of the Code Flow authentication in combination with a SPA?
Like stated here: https://security.stackexchange.com/questions/129928/oidc-flow-for-spa-and-restful-api

**Authorization Code Flow**

1. User navigates to SPA, which redirects user to IdP to sign in.
2. User signs in (and authorizes the application, if needed).
3. IdP returns user to SPA with Authorization Code.
4. JavaScript code in SPA sends the Authorization Code to a login endpoint on the REST API Server.
5. The REST API Server sends a request to the IdP Server containing the Authorization Code (and usually also a Client ID and Client Secret which identify the REST API Server to the IdP server).
6. The IdP validates the Authorization Code and sends the Access Token and ID Token to the REST API Server.
7. The REST API Server stores the Access Token and ID Token in its memory, and sends its own Session Token back to the SPA.
8. For every request the SPA makes to the REST API Server, it includes the Session Token which the REST API Server gave it. If the REST API Server needs to request resources from another server, it uses the stored Access Token to make that request.

Any help with that? Or hints what to do?

Thanks and regards, fl0w

livio-a (Member) commented Feb 25, 2022

Hey @fl0wx

I'm unsure if I understand the question correctly. Do you want to create a REST API in Go and use it with a SPA?
If so, I would not recommend using the steps described. The SPA should get the token(s) on its own and just send the access_token to the REST API. The API can then, for example, verify it using token introspection.

fl0wx (Author) commented Feb 25, 2022

@livio-a:

> I'm unsure if I understand the question correctly. Do you want to create a REST API in Go and use it with a SPA?

Yes, but authorization will be done separately (LDAP groups).

> If so, I would not recommend using the steps described. The SPA should get the token(s) on its own and just send the access_token to the REST API. The API can then, for example, verify it using token introspection.

I read many times that this approach is not recommended because of security concerns. In that case I need to store the access token in the browser, right?

And even if I fetch the access token directly in my SPA, I have the issue of where to save / transmit the secret key?

livio-a (Member) commented Feb 28, 2022

@fl0wx:

> If so, I would not recommend using the steps described. The SPA should get the token(s) on its own and just send the access_token to the REST API. The API can then, for example, verify it using token introspection.

> I read many times that this approach is not recommended because of security concerns. In that case I need to store the access token in the browser, right?

> And even if I fetch the access token directly in my SPA, I have the issue of where to save / transmit the secret key?

If you use PKCE (Proof Key for Code Exchange: RFC 7636) correctly, then there's not much of a concern. You will have a randomly generated validation token instead of a client_secret and store the access_token in the session storage of the browser.
There are a lot of certified OIDC libraries for all common SPA languages / frameworks which will do exactly this.

For more info, please check out the docs of our IAM as well on how to log a user in to a (SPA) app:
https://docs.zitadel.ch/docs/guides/authentication/login-users

And we also have some quickstarts for some SPA frameworks (incl. Angular and React): https://docs.zitadel.ch/docs/quickstarts/introduction

On the API side, you can then use the introspection endpoint to check whether the token is (still) valid. A boolean `active` will be returned, and depending on the implementation of your Auth Server it might return more information (username, ...).
This library will help you with that call. Check out the API example (/example/client/api) and the resource server package (/pkg/client/rs).
You could of course cache the introspection response of a token for some time (e.g. 5 min) and not introspect it on every request.
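As an added example (not code from the zitadel/oidc library or from this thread), here are the PKCE mechanics livio-a refers to, written in Go so that both sides of the exchange can be read together: the SPA generates a code_verifier and sends only its S256 code_challenge with the authorization request; at the token exchange the authorization server recomputes the challenge from the verifier presented with the code and compares. The function names `NewCodeVerifier`, `CodeChallengeS256` and `VerifyPKCE` are this example's own; in practice the browser-side part is done by the certified OIDC library in the SPA and the server-side check by the IdP.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier creates the per-login secret the SPA keeps to itself (RFC 7636 §4.1):
// 32 random bytes, base64url without padding, which yields 43 characters from the
// allowed unreserved alphabet.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 is what the SPA sends in the authorization request instead of a
// client_secret: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 §4.2).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the check the authorization server performs at the token endpoint
// (RFC 7636 §4.6): it recomputes the challenge from the code_verifier that arrives with
// the authorization code and compares it with the challenge stored when the code was
// issued. An attacker who intercepted the code but never saw the verifier cannot pass it.
func VerifyPKCE(storedChallenge, storedMethod, verifier string) bool {
	if storedMethod != "S256" { // a SPA can always do S256; refuse the weaker "plain"
		return false
	}
	if len(verifier) < 43 || len(verifier) > 128 { // length bounds from RFC 7636 §4.1
		return false
	}
	got := CodeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	// SPA side: keep the verifier in memory or sessionStorage, send only the challenge.
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Printf("code_challenge=%s&code_challenge_method=S256\n", challenge)

	// Authorization server side, at the token exchange.
	fmt.Println("legitimate exchange accepted:", VerifyPKCE(challenge, "S256", verifier))
	stolen, _ := NewCodeVerifier() // attacker holds the code but has to guess the verifier
	fmt.Println("stolen code, guessed verifier:", VerifyPKCE(challenge, "S256", stolen))
}
```

The `stolen` case in `main` is the property that replaces the client_secret: an authorization code intercepted on the redirect is useless without the verifier, which never left the browser. The constant-time compare is there so the server does not leak how many leading bytes of a guessed challenge matched.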

fl0wx (Author) commented Feb 28, 2022

OK, thanks, I'll try that.

Any recommendations regarding my authorization requirements? I cannot do authorization with OIDC currently and have to query a separate backend (LDAP). What's the best way to pair that with OIDC? Check roles on every request (+ cache)? Using a session? Or any other idea?

fforootd (Member) commented Mar 28, 2022

> Any recommendations regarding my authorization requirements? I cannot do authorization with OIDC currently and have to query a separate backend (LDAP). What's the best way to pair that with OIDC? Check roles on every request (+ cache)? Using a session? Or any other idea?

Your IdP could query the LDAP and append the groups as a claim to the userinfo/introspection endpoint or the tokens. The decision to cache or refresh depends on how much risk your service can take. Or in other words, if you need a high level of guarantees, don't cache.
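The introspection-based resource server livio-a describes, combined with fforootd's suggestion of an LDAP groups claim and the cache trade-off, as one added Go example. This is not the library's `/pkg/client/rs` package and not code from this thread; it uses only the standard library. Assumptions: the IdP's introspection endpoint (RFC 7662) accepts the API's own client credentials over HTTP Basic auth and returns a non-standard `groups` claim; the tokens, client credentials and the `fakeIdP` stand-in for the IdP are constructed for the example. The cache keeps only active verdicts, for at most `TTL` and never past the token's `exp`; `TTL == 0` is the "don't cache" choice for services that need the higher guarantee.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

// Introspection holds the RFC 7662 fields this API uses. "groups" is not a standard claim; the
// thread assumes the IdP looks the user up in LDAP and appends the groups to the response.
type Introspection struct {
	Active bool     `json:"active"`
	Exp    int64    `json:"exp,omitempty"`
	Groups []string `json:"groups,omitempty"`
	until  time.Time // cache deadline set by Introspector; unexported, so never serialised
}

// Introspector asks the IdP about a token with the API's own client credentials (the SPA never
// holds them). TTL > 0 caches active verdicts for that long; TTL == 0 introspects every request.
type Introspector struct {
	Endpoint, ClientID, ClientSecret string
	TTL                              time.Duration
	cache                            sync.Map // token -> Introspection
}

func (in *Introspector) Introspect(token string) (Introspection, error) {
	if c, ok := in.cache.Load(token); ok && time.Now().Before(c.(Introspection).until) {
		return c.(Introspection), nil // fresh cache hit: no round trip to the IdP
	}
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, _ := http.NewRequest(http.MethodPost, in.Endpoint, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(in.ClientID, in.ClientSecret)
	res, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return Introspection{}, err
	}
	defer res.Body.Close()
	var out Introspection
	if err := json.NewDecoder(res.Body).Decode(&out); err != nil || res.StatusCode != http.StatusOK {
		return Introspection{}, fmt.Errorf("introspection failed: HTTP %d, %v", res.StatusCode, err)
	}
	if in.TTL > 0 && out.Active { // cache only positive verdicts, and never past the token's exp
		out.until = time.Now().Add(in.TTL)
		if exp := time.Unix(out.Exp, 0); out.Exp > 0 && exp.Before(out.until) {
			out.until = exp
		}
		in.cache.Store(token, out)
	}
	return out, nil
}

// Authorize is the API's per-request decision: 401 unless the token is active, 403 when its
// groups claim lacks the required LDAP group, 200 otherwise.
func Authorize(in *Introspector, token, group string) int {
	info, err := in.Introspect(token)
	if err != nil || !info.Active {
		return http.StatusUnauthorized
	}
	for _, g := range info.Groups {
		if g == group {
			return http.StatusOK
		}
	}
	return http.StatusForbidden
}

// fakeIdP is a constructed stand-in for the IdP's introspection endpoint (it does not verify the
// API's credentials): "alice-token" (developers) and "bob-token" (sales) are active, all else not.
func fakeIdP(calls *int32) *httptest.Server {
	groups := map[string][]string{"alice-token": {"developers"}, "bob-token": {"sales"}}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(calls, 1)
		g, active := groups[r.FormValue("token")]
		exp := time.Now().Add(time.Hour).Unix()
		_ = json.NewEncoder(w).Encode(Introspection{Active: active, Exp: exp, Groups: g})
	}))
}

// Scenario authorizes four requests and returns their status codes plus the number of
// introspection calls that reached the IdP, which makes the effect of the cache visible.
func Scenario(ttl time.Duration) ([]int, int32) {
	var calls int32
	idp := fakeIdP(&calls)
	defer idp.Close()
	in := &Introspector{Endpoint: idp.URL, ClientID: "api-client", ClientSecret: "api-secret", TTL: ttl}
	var statuses []int
	for _, tok := range []string{"alice-token", "alice-token", "bob-token", "revoked-token"} {
		statuses = append(statuses, Authorize(in, tok, "developers"))
	}
	return statuses, atomic.LoadInt32(&calls)
}

func main() {
	fmt.Println(Scenario(5 * time.Minute)) // [200 200 403 401] 3
	fmt.Println(Scenario(0))               // [200 200 403 401] 4
}
```

With a 5 minute TTL the second request for alice is answered from the cache, so the IdP sees three introspection calls for four requests; with `TTL == 0` it sees all four. The cost of the cache is exactly the window fforootd mentions: a token revoked at the IdP keeps working here until its cache entry expires, which is why inactive results are not cached and an active one never outlives the token's own `exp`.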

fl0wx (Author) commented Mar 28, 2022

Thanks, I'll consider that. Everything is clear now, so I'll close.

fl0wx closed this as completed Mar 28, 2022