Token Handler Pattern

•

0 j'aime•95 vues

Gary Archer's presentation at API Days London 2023 Learn more: https://curity.io/resources/learn/token-handler-overview/

Technologie

Token Handler Pattern
API Driven OpenID Connect for Single Page Apps

Agenda
• Secured SPAs that call OAuth 2.0 Secured APIs
• Browser Security Threats, Concerns and Best Practices
• Using API-Driven SPA Security
• End-to-End Demo and Questions

Benefits
• Productive development, with a focus on the frontend
• Separation of concerns makes each part simple
• Deploy anywhere, such as to a content delivery network

Browser Cookie Changes
Same Site Cookies (updates to RFC6265):
• Considered to have stronger browser protection than tokens
• Tokens in the browser have more XSS threats and people concerns
Problems with the original SPA Flow:
• Third party SSO cookies used for token refresh are dropped
• JavaScript-only option requires a refresh token in local storage

Backend for Frontend (BFF)
• A backend component that issues cookies on behalf of the SPA
• Described in OAuth 2.0 for Browser Based Apps
• How to integrate one while retaining SPA benefits?

Differences to Alternative Solutions
• Separation of Web Host from Cookie Issuing
• API driven cookies best support micro-UI architectures
• SPA calls APIs via a high-performance API gateway
• SPA remains in control, for best usability

OAuth Agent: API Driven OpenID Connect
• POST /login/start
• POST /login/end
• POST /refresh
• GET /userinfo
• GET /claims
• POST /logout

SPA Cookie Properties
• HTTP-only
• SameSite=strict
• Secure
• Domain=api.product.com
• Path =/
• Encrypted

Example Cookie Sent to APIs
• cookie:at=AVyV7pq8ctwBYYcOqgSsrIHJJJEVTMLsobjATMYMBu70tWYKI
x1nQJTNanDXGexpX0Jx80SspeXIUi0e4htdroZkgj1cFL0WCyU
• Cookies are small when opaque access tokens are used
• Small API message credential, like a web session cookie
• Backend is stateless and easy to manage

OAuth Proxy: Web Security in the Gateway

Security Results
• Website Level Security
• Can use any Financial Grade Website options
• Does not solve Cross Site Scripting

Scalability and Micro UIs
• Large SPAs can be split without double logins or cookie conflicts

Further Information
- https://curity.io/resources
- Token Handler Overview
- SPA Security Whitepaper
- https://github.com/curityio/spa-using-token-handler

Contenu connexe

Similaire à Token Handler Pattern

Javascript is quickly taking over the world. The line between client and server is becoming increasingly blurred and Microsoft is aboard the bandwagon. ASP.NET Web API gives us the ability to remove some of our service layer from the black box and begin interacting directly with the browser. Using Web API and AJAX, we can perform data operations asynchronously, improving our perceived page performance and providing a more seamless end-to-end user experience. In this session, we will walk through creating a Web Api controller, improve our confidence in working with Javascript and connect the dots between client and server.

Improving Perceived Page Performance with ASP.NET Web API and AJAX

Chris Bohatka

How to Build, Manage, and Promote APIs

WSO2

APEX & Cookie Monster

Christian Rokitta

Создание API, которое полюбят разработчики. Глубокое погружение

SQALab

Developer’s Independence Day:Introducing the SharePoint App Model

bgerman

De la bonne utilisation de OAuth2

Leonard Moustacchis

APIConnect Security Best Practice

Shiu-Fun Poon

Application Security in ASP.NET Core

NETUserGroupBern

Securing .NET Core, ASP.NET Core applications

NETUserGroupBern

We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps. This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization. This presentation was first given in the London Mobile Security Meetup https://www.meetup.com/London-Mobile-Developer-Security/

Mobile Authentication - Onboarding, best practices & anti-patterns

Pieter Ennes

DDD Melbourne 2014 security in ASP.Net Web API 2

Pratik Khasnabis

API Economy, Realizing the Business Value of APIs

ColdFusionConference

Introducing WSO2 API Manager for Mobile Applications and Rapid Integration

WSO2

ConFoo 2015 - Securing RESTful resources with OAuth2

Rodrigo Cândido da Silva

2015 5-7-slide

Syuhei Hiya

CIS14: PingAccess 101

CloudIDSummit

HTTP Services & REST API Security

Taiseer Joudeh

[Workshop] API-driven Integration

WSO2

Sahi

Sohail Ahmed

How will SharePoint 2013 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organization to build extranet sites and partner portals inexpensively and securely. Learn about the Product Catalog site template and how you can to use it. Learn about the new improvements in SharePoint 2013 regarding extranets. Learn how SharePoint 2013 can help your organization open its doors to its clients and partners securely.

SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...

Brian Culver

Similaire à Token Handler Pattern (20)

Improving Perceived Page Performance with ASP.NET Web API and AJAX

How to Build, Manage, and Promote APIs

APEX & Cookie Monster

Создание API, которое полюбят разработчики. Глубокое погружение

Developer’s Independence Day:Introducing the SharePoint App Model

De la bonne utilisation de OAuth2

APIConnect Security Best Practice

Application Security in ASP.NET Core

Securing .NET Core, ASP.NET Core applications

Mobile Authentication - Onboarding, best practices & anti-patterns

DDD Melbourne 2014 security in ASP.Net Web API 2

API Economy, Realizing the Business Value of APIs

Introducing WSO2 API Manager for Mobile Applications and Rapid Integration

ConFoo 2015 - Securing RESTful resources with OAuth2

2015 5-7-slide

CIS14: PingAccess 101

HTTP Services & REST API Security

[Workshop] API-driven Integration

Sahi

SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...

Dernier

WebAssembly is Key to Better LLM Performance

Samy Fodil

IoT Analytics Company Presentation May 2024

IoTAnalytics

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

FIDO Alliance

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

FIDO Alliance

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

David Michel

The Metaverse: Are We There Yet?

Mark Billinghurst

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

FIDO Alliance

Extensible Python: Robustness through Addition - PyCon 2024

Patrick Viafore

This talk focuses on the practical aspects of integrating various telephony systems with Salesforce, drawing on examples from implementations in the Czech scene. It aims to inform attendees about the spectrum of telephony solutions available, from small to large scale, and their compatibility with Salesforce. The presentation will highlight key considerations for selecting a telephony provider that integrates smoothly with Salesforce, including important questions to support the decision-making process. It will also discuss methods for integrating existing telephony systems with Salesforce, aimed at companies contemplating or in the process of adopting this CRM platform. The discussion is designed to provide a straightforward overview of the steps and considerations involved in telephony and Salesforce integration, with an emphasis on functionality, compatibility, and the practical experiences of Czech companies.

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

CzechDreamin

Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf

FIDO Alliance

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

FIDO Alliance

This presentation focuses on the challenges and strategies of connecting problem definitions within product development. Key Points Covered: - Kayak's mission since its inception in 2004 to simplify travel by enabling easy comparisons of flights through technological solutions. - Discussion of the complexities within the travel industry, including the high expectations for personalized user experiences and the various stakeholder influences. - Emphasis on the necessity of maintaining agility and innovation within a mature company through continuous reassessment of processes. - An explanation of the importance of disciplined problem definition to prevent project failures and team inefficiencies. - Introduction of strategies for effective communication across teams to ensure alignment and comprehension at all levels of project development. - Exploration of various problem-solving methodologies, including how to handle conflicts within team settings regarding problem definitions and project directions.

Connecting the Dots in Product Design at KAYAK

UXDXConf

This talk offers actionable insights at an executive level for enhancing productivity and refining your portfolio management approach to propel your organization to greater heights. Key Points Covered: 1. Experience Transformation: - The core challenge remains consistent across organizations: converting budget into user-centric designs. - Strategies for deploying design resources effectively in both startups and large enterprises. 2. Strategic Frameworks: - Introduction to the "Ziggurat of Impact" model, detailing layers from basic system interactions to comprehensive customer experiences. - Practical insights on creating frameworks that scale with organizational complexity. 3. Organizational Impact: - Real-world examples of navigating design in large settings, focusing on the synthesis of consumer products and customer experiences. - Emphasis on the importance of designing systems that directly influence customer interactions. 4. Design Execution: - Detailed walkthrough of organizational layers affecting design execution, from touchpoints and customer activities to shared capabilities. - How to ensure design influences both the micro and macro aspects of customer interactions. 5. Measurement and Adaptation: - Techniques for measuring the impact of design decisions and adapting strategies based on data-driven insights. - The critical role of continuous improvement and feedback in refining customer experiences.

Structuring Teams and Portfolios for Success

UXDXConf

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

FIDO Alliance

The standard Salesforce Approval process can be limiting in many ways, especially in complex scenarios. What if there was a way to implement very flexible approvals where one can use Apex code to make data updates in unrelated records, dynamically generate next steps details, and compute assignees on the fly? And still use UI-based configurations to implement concrete approval processes. In this session, we will share ideas behind such a solution and show a few lines of code to get you started.

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

CzechDreamin

The Epson EcoTank L3210 is a high-performance and cost-efficient printer designed to meet the printing needs of both home users and small businesses. Equipped with Epson’s revolutionary EcoTank ink tank system, the Epson eliminates the need for traditional ink cartridges, thereby significantly reducing printing costs and plastic waste. With its PrecisionCore technology, this printer delivers sharp, vibrant prints for both documents and photos. Its user-friendly design ensures easy setup and operation, while its compact form factor saves valuable desk space. Whether it’s everyday printing jobs or creative projects, the Epson EcoTank L3210 provides a reliable and eco-friendly printing solution.

Buy Epson EcoTank L3210 Colour Printer Online.pptx

EasyPrinterHelp

WSO2CONMay2024OpenSourceConferenceDebrief.pptx

Jennifer Lim

Syngulon’s technology expands the capacity for selection of microorganisms. The ability to select individual microbes with a behavior of interest is essential, whether for simple cloning at the bench, or for industry-scale production. Synthetic biology uses the concept of “bioengineering” to improve or modify existing genetic systems to create microbes with desired behaviors, and Syngulon uses this approach to develop its selection technologies. This selection technology is based on bacteriocins, ribosomally-produced peptides naturally made by most bacteria to kill competitive microbial species. These bacteriocins can have a limited or wide target range against other microbial species. This technology offers advantageous over antibiotic selection for several reasons: it avoids the use of antibiotics in the first place, helping to reduce the spread of antibiotic resistant microbes. The technology also increases product yield; as bacteriocins are generally smaller peptides, they do not impose a heavy metabolic burden on the producing cell. They can have a wide target specificity, helping to avoid genetic drift. Finally, our system is 100% plasmid-based (e.g. without chromosomal mutations), making it applicable for use in any E. coli strains.

Syngulon - Selection technology May 2024.pdf

Syngulon

Speed Wins: From Kafka to APIs in Minutes

confluent

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “Enterprise Knowledge Graphs: The Importance of Semantics” on May 9, 2024, at the annual Data Summit in Boston. In her presentation, Hedden describes the components of an enterprise knowledge graph and provides further insight into the semantic layer – or knowledge model – component, which includes an ontology and controlled vocabularies, such as taxonomies, for controlled metadata. While data experts tend to focus on the graph database components (RDF triple store or a label property graph), Hedden emphasizes they should not overlook the importance of the semantic layer.

Enterprise Knowledge Graphs - Data Summit 2024

Enterprise Knowledge

Dernier (20)

WebAssembly is Key to Better LLM Performance

IoT Analytics Company Presentation May 2024

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

The Metaverse: Are We There Yet?

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

Extensible Python: Robustness through Addition - PyCon 2024

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

Connecting the Dots in Product Design at KAYAK

Structuring Teams and Portfolios for Success

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

Buy Epson EcoTank L3210 Colour Printer Online.pptx

WSO2CONMay2024OpenSourceConferenceDebrief.pptx

Syngulon - Selection technology May 2024.pdf

Speed Wins: From Kafka to APIs in Minutes

Enterprise Knowledge Graphs - Data Summit 2024

Token Handler Pattern

1. Token Handler Pattern API Driven OpenID Connect for Single Page Apps

2. Agenda • Secured SPAs that call OAuth 2.0 Secured APIs • Browser Security Threats, Concerns and Best Practices • Using API-Driven SPA Security • End-to-End Demo and Questions

3. Original SPA OpenID Connect Flow

4. Benefits • Productive development, with a focus on the frontend • Separation of concerns makes each part simple • Deploy anywhere, such as to a content delivery network

5. Browser Cookie Changes Same Site Cookies (updates to RFC6265): • Considered to have stronger browser protection than tokens • Tokens in the browser have more XSS threats and people concerns Problems with the original SPA Flow: • Third party SSO cookies used for token refresh are dropped • JavaScript-only option requires a refresh token in local storage

6. Backend for Frontend (BFF) • A backend component that issues cookies on behalf of the SPA • Described in OAuth 2.0 for Browser Based Apps • How to integrate one while retaining SPA benefits?

7. Token Handler Pattern

8. Differences to Alternative Solutions • Separation of Web Host from Cookie Issuing • API driven cookies best support micro-UI architectures • SPA calls APIs via a high-performance API gateway • SPA remains in control, for best usability

9. OAuth Agent: API Driven OpenID Connect • POST /login/start • POST /login/end • POST /refresh • GET /userinfo • GET /claims • POST /logout

10. OAuth Agent: Login Flow

11. SPA Cookie Properties • HTTP-only • SameSite=strict • Secure • Domain=api.product.com • Path =/ • Encrypted

12. Example Cookie Sent to APIs • cookie:at=AVyV7pq8ctwBYYcOqgSsrIHJJJEVTMLsobjATMYMBu70tWYKI x1nQJTNanDXGexpX0Jx80SspeXIUi0e4htdroZkgj1cFL0WCyU • Cookies are small when opaque access tokens are used • Small API message credential, like a web session cookie • Backend is stateless and easy to manage

13. OAuth Proxy: Web Security in the Gateway

14. Security Results • Website Level Security • Can use any Financial Grade Website options • Does not solve Cross Site Scripting

15. Questions?

16. Deployment Example 1

17. Deployment Example 2

18. Pure SPA Development Setups

19. Scalability and Micro UIs • Large SPAs can be split without double logins or cookie conflicts

20. End-to-End Demo

21. Questions?

22. Further Information - https://curity.io/resources - Token Handler Overview - SPA Security Whitepaper - https://github.com/curityio/spa-using-token-handler

Token Handler Pattern

Recommandé

Recommandé

Contenu connexe

Similaire à Token Handler Pattern

Similaire à Token Handler Pattern (20)

Dernier

Dernier (20)

Token Handler Pattern