The Return of the Authentication Cookie - Anders Abel - NDC Copenhagen 2022
- Published 15 Sep 2022
- For years we talked about the dangers of using cookies for authentication of API calls from frontend applications. Access tokens were the future. Except that they turned out not to be. With modern browsers being stricter about cookies, and with the challenge of keeping a browser environment secure, it turns out that cookies actually are the future after all.
In this session we explore current best practices for authentication in a modern environment using BFF (Backend For Frontend) with frontend applications, APIs and micro services.
Check out more of our featured speakers and talks at
www.ndcconferences.com
ndccopenhagen.com/ - Science & Technology
It's great that this can cut down on boilerplate, but the code gets a _lot_ simpler again when using URLs as capabilities, and you gain an elegant and expressive formal model in the process. It is a shame that browser manufacturers are so hostile to better capability support, but even with what we can do today it's worth it for the user experience benefits.
How does it work with microservices? Where is the documentation? GitHub?
I would love to see a demonstration of this using YARP 1.1 and .NET 6, including "signout" support with WebSockets on the back end.
So… long story short, we stand up a man-in-the-middle proxy svc on our same domain, delegate secret management to it, and use 1990s session cookie to auth to it?
Yes. This allows you to use the most secure settings on the cookie and add an encrypted payload to your cookie. Thus we are able to secure JavaScript based front ends better than ever before and also use token based auth with our microservices to maintain compatibility with OAuth. That way we can allow things like mobile apps and 3rd party integrations to access our services uniformly.
I can't shake the feeling that now we have the worst of both worlds: we are using OAuth2 but still need session management in the backend. If we use a stateful BFF we even need a database roundtrip on every request despite using JWTs. And all this with a lot of added complexity on top of the already complex OAuth2 - which of course makes the whole thing very enterprise-y and thus sellable; but is it really good? Wouldn't we be better off returning to PHP and session cookies like it's 1995, just with better libraries?
You can store the tokens in the cookie if you so desire to avoid the network round trip. HttpOnly, Secure, SameSite = Strict cookies with an encrypted payload are very secure. In that case the BFF basically just converts your cookie payload to a token header and passes on your request. Just have to keep your tokens small if possible.
Thanks! Great presentation, but the manner of presentation was a bit annoying -- author too often switches to examples, or cookie sharing which kind of distracts from the actual thing.
I could tolerate the sharing of the cookies a bit more if he didn't throw them like a girl.