Three revisions later, we’re at OAuth 2.0 (there was 1.0 and 1.0a before it) and all’s right with the world. The world needed an authorization framework that would allow you to grant access to specific information without you sharing your password. And, worse, Yelp had to store your password in a way that it could use it in plaintext and there was no standard way to revoke your consent to Yelp to access your Google account. You gave Yelp your permission, so this was all good, Yes? No! With your username and password, Yelp could access your email, your docs - everything you had in Google - not just your contacts. So, Yelp naturally collected your Google username and password so that it could access your contacts. Sites like Yelp started wanting access to the contact information you had in your Google Contacts. In the beginning, there were siloed web sites that didn’t talk to each other, and it was sad. Vue.js that starts with the older (now deprecated) Implicit flow and then shows the more secure Authorization Code with PKCE flow. You’ll be guided through a simple SPA example written in In this post, you’ll learn some foundational concepts of OIDC and OAuth2. OIDC is a thin identity layer for authentication and Single Sign-On that rides on top of OAuth 2.0, an authorization framework. Today, Proof Key for Code Exchange (PKCE) provides a modern solution for protecting SPAs. This flow has always had problems inherent to it and these problems are exacerbated by the advanced capabilities focused on user experience in browsers. So, how do you protect your SPA in such a hostile environment? When SPAs were new and browsers as well as providers were more limited in their capabilities, OAuth 2.0 and its sister standard, OpenID Connect (OIDC) offered an approach called the Implicit flow. If you are building an app that will have 1,000,000 users, it’s likely - almost guaranteed - that some percentage of those users will have compromised machines to malware or viruses. NET or Spring Boot) app and the browser is an inherently insecure environment. But securing SPAs is challenging since there may not be a backend (like a. Single Page Apps (SPAs) offer a great user experience in the browser as they enable interactivity without full page transitions. Security professionals will tell you that, at the very least, you’ve increased your surface area for attack by using browser syncing. From a security standpoint, however, I’m now counting on Firefox to handle cookies and other session information responsibly and securely. I can start a session with my bank on Firefox mobile and pick up right where I left off on Firefox desktop. Take browser history syncing for example. It’s not a perfect analogy, but most developers can attest that as user experience goes up, security goes down. One lever is User Experience and the other is Security. That is, as one goes up, the other goes down. Imagine two levers that are inversely connected.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |