In this diagram I recap the pros and cons of different request authorisation methods.
Diagram 1
Request authentication methods
COOKIE
- Requires a CSRF token for POSTs (hidden field or cookie)
OAuth token - cons
- Redirects are not supported as
- Token is held in memory
- Problem with a previous auth session in Hydra: logging out requires the ID token
- Problem with a planned session expiry (say, expiring after 1h of inactivity): we don't control OAuth token expiration
- Security policy enforcement is hard to implement:
  - IP-address-based tracking
  - Logging out some / all sessions
JWT
- Any desired custom attribute can be added to token
- We can control expiration as needed
- We can "remember" previous sessions and let the user choose
- The user can selectively log out any session / on any device
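The JWT column above in working form, as an added example that is not code from the original post: an HS256 token carrying custom claims and a server-chosen expiry, plus a server-side session registry keyed by a `sid` claim so that an inactivity limit, a list of remembered sessions and per-session or all-sessions logout are all under our control. The secret, the 1h inactivity limit, the 8h absolute cap and the `SESSIONS` dict are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed for this example: server-side signing key and session registry.
SECRET = b"example-hs256-secret-not-for-production"
INACTIVITY_LIMIT = 3600          # 1 h of inactivity, the expiry policy the post mentions
SESSIONS = {}                    # sid -> {sub, device, last_seen, revoked}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(sub, device, now, sid, extra=None):
    # Custom claims go straight into the token; exp is ours to set (8 h absolute cap).
    claims = {"sub": sub, "sid": sid, "device": device, "exp": now + 8 * 3600, **(extra or {})}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    SESSIONS[sid] = {"sub": sub, "device": device, "last_seen": now, "revoked": False}
    return f"{head}.{body}.{_b64(sig)}"

def verify_request(token, now):
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":   # refuse alg confusion
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):                 # malformed base64, JSON or shape
        return None
    sess = SESSIONS.get(claims.get("sid"))
    if sess is None or sess["revoked"] or now >= claims["exp"]:
        return None
    if now - sess["last_seen"] > INACTIVITY_LIMIT:       # idle too long: treated as logged out
        return None
    sess["last_seen"] = now                              # sliding inactivity window
    return claims

def active_sessions(sub):
    # The list shown to a user who is asked to pick which earlier sessions to keep.
    return [(sid, s["device"]) for sid, s in SESSIONS.items()
            if s["sub"] == sub and not s["revoked"]]

def logout(sub, sid=None):
    # Revoke one session (sid given) or every session of the user (sid=None).
    for sid_, sess in SESSIONS.items():
        if sess["sub"] == sub and (sid is None or sid_ == sid):
            sess["revoked"] = True
```

The token's own `exp` only bounds its absolute lifetime; the inactivity and logout decisions come from the registry, which is what makes them enforceable without waiting for the token to expire.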
Remarks
- The login form needs to be protected by CSRF in any case
- For REST apps the CSRF token can be generated once, on logging in