Authentication cookie set up mechanism #10349
Comments
Can you elaborate why auth sidecar can't verify everything needed using auth API instead of redirecting to the master?

It can verify token but it can't set it for you. The goal of this process is to set up a cookie with a token that can be verified with auth sidecar.

I see, thank you for the clarification.
I investigated if this approach has common security issues.

**CSRF**
There are three possible ways to authenticate requests:

For 1st and 2nd options, CSRF is not actual since the client should provide a token explicitly (a form won't be submitted with the token automatically by the browser because there is no corresponding cookie). The 3rd option should be used carefully.

**XSS**
We can not guarantee that servers are protected from XSS attacks because it really depends on the server implementation. The only thing that can be improved in the current proposed implementation is to set an HttpOnly token cookie on the server side to avoid the possibility of stealing the token by injecting scripts into pages.
It makes sense to allow cookie authorization for all servers for the time being and implement such restriction in a separate issue since JWTProxy is disabled in master branch.
Update:
Description
We would like to set up a generic way for services that require authentication to get a token and set it up as a cookie. Some services like Theia are not designed in a way where an authentication token can be easily added as a header or query parameter. So making some generic approach to get this token can be a good idea.
Proposed flow:

1. GET `http://some-ide-service:8533/api/` `wsmaster/loader.html?workspaceId=werjo292390923&redirectUrl=http%3A%2F%2Fsome-ide-service%3A8533%2Fapi%2F`. Go to next step;
2. GET `wsmaster/loader.html?workspaceId=werjo292390923&redirectUrl=http%3A%2F%2Fsome-ide-service%3A8533%2Fapi%2F` `keycloak.js`;
3. `werjo292390923` and check that it has a server with host specified in redirect url query parameter `some-ide-service:8533`;
4. `http://some-ide-service:8533/authenticate` where token will be set as `Authorization` header;
5. `redirectUrl` query parameter;