okta-oidc-js | contains Okta 's OpenID Connect JavaScript resources | Authentication library

by okta | TypeScript | Version: @okta/oidc-middleware@4.2.0 | License: Non-SPDX

kandi X-RAY | okta-oidc-js Summary

okta-oidc-js is a TypeScript library typically used in Security, Authentication, Angular, Nodejs applications. okta-oidc-js has no bugs, it has no vulnerabilities and it has low support. However okta-oidc-js has a Non-SPDX License. You can download it from GitHub.

This is a monorepo that contains Okta's OpenID Connect JavaScript resources.
            kandi-support Support

              okta-oidc-js has a low active ecosystem.
              It has 383 star(s) with 240 fork(s). There are 51 watchers for this library.
              It had no major release in the last 12 months.
              There are 107 open issues and 313 have been closed. On average issues are closed in 387 days. There are 85 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of okta-oidc-js is @okta/oidc-middleware@4.2.0

            kandi-Quality Quality

              okta-oidc-js has no bugs reported.

            kandi-Security Security

              okta-oidc-js has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              okta-oidc-js has a Non-SPDX License.
              Non-SPDX licenses can be open-source licenses that are not SPDX-compliant, or non-open-source licenses; review them closely before use.

            kandi-Reuse Reuse

              okta-oidc-js releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.


            okta-oidc-js Key Features

            No Key Features are available at this moment for okta-oidc-js.

            okta-oidc-js Examples and Code Snippets

            No Code Snippets are available at this moment for okta-oidc-js.

            Community Discussions

            QUESTION

            Best practice on Securing code_verifier in PKCE-enhanced Authorization Code Flow
            Asked 2021-May-13 at 21:03

            Since PKCE is now the recommended method of authorisation over the implicit flow, I'm looking for best practice on handling the code verifier and recommendations on how this might be done. At a high level, the PKCE authorisation flow consists of:

            1. Generate code_verifier on the client side
            2. Generate code_challenge from (1)
            3. Hit /authorise with code_challenge, which redirects to select the IdP, and in the callback there's a code
            4. Use the code from (3) along with code_verifier to exchange for an access token

            The question is: in step 3, before the application redirects to the authorisation server and then the IdP, one has to store the code_verifier somewhere. Where is that somewhere?

            It seems that libraries like okta-oidc-js store the code_verifier in sessionStorage. Doesn't that expose you to an XSS attack? I.e. if I store the code_verifier in sessionStorage before the application goes into the authorisation flow and redirects, then on the callback, what stops some rogue extension from reading the code from the URL and the code_verifier from sessionStorage? The combination of the two can be used to exchange for an access token.

            ...

            ANSWER

            Answered 2021-May-13 at 21:03

            What you describe is the standard SPA way of doing things - it could potentially be abused by malicious code, but there is some protection in the fact that an authorization code can only be used once and that the verifier is not stored for long.

            A related XSS attack is to run a complete OAuth authorization redirect + code exchange on a hidden iframe - there is no protection against that, regardless of whether a back end or client secret is involved.

            If you want to be strict about security, the emerging trend is more of a back end for front end approach, where the back end is a 'Proxy API' running at https://api.mywebdomain.com:

            • The result of OAuth authorization is a same site cookie issued by the API, to prevent the above iframe attack

            • The SPA can then either use the auth cookie to get an access token or double-hop API requests via the proxy API.

            There is a good recent video on SPA security here that discusses these threats in further depth. The browser is a difficult place to implement security and redirects come with risks.

            It is still recommended to separate Web and API concerns however - e.g. the above proxy API should not get in the way of a company wanting to deploy their SPA via a content delivery network.

            LOGIN DANCE

            In my opinion the preferred approach is summarized below, for full control and no issues with recent browser changes:

            • SPA calls a URL such as https://api.mywebdomain.com/login/start, which writes an HTTP-only encrypted cookie for .mywebdomain.com containing the state and code_verifier, and also returns the authorization request URL

            • SPA then does the redirect itself, and saves page location / state to session storage beforehand if needed

            • SPA then receives the response URL with code and state, then POSTs them to a URL such as https://api.mywebdomain.com/login/end. Afterwards the SPA can restore its page location and state, so that usability is good.

            • API completes the login by verifying the state against that in the state cookie, then using the code_verifier from the state cookie. The result of all of this is to write an auth cookie (containing a refresh token) that could not be abused on an iframe.

            Source https://stackoverflow.com/questions/67517436

            QUESTION

            Getting 404 error when callback after authentication(Spring Boot + Angular + Okta)
            Asked 2020-Jun-17 at 18:24

            Hi, I am now using Angular + Spring Boot to build a website. In my website, I am using an Okta Single-Page App to do authentication. For the frontend, I am using okta-angular and following the instructions here: https://github.com/okta/okta-oidc-js/tree/master/packages/okta-angular. I am using the implicit flow. In order to keep it simple, I used the Okta-hosted sign-in widget.

            My frontend code looks like this:

            app.module.ts

            ...

            ANSWER

            Answered 2020-Jun-17 at 17:00

            You're in luck! I just published a blog post today that shows how to take an Angular + Spring Boot app that runs separately (with Okta's SDKs) and package them in a single JAR. You can still develop each app independently using ng serve and ./gradlew bootRun, but you can also run them in a single instance using ./gradlew bootRun -Pprod. The disadvantage to running in prod mode is you won't get hot-reload in Angular. Here are the steps I used in the aforementioned tutorial.

            Create a new AuthService service that will communicate with your Spring Boot API for authentication logic.

            Source https://stackoverflow.com/questions/62422236

            QUESTION

            Typescript - Type definition for a higher order function
            Asked 2020-Feb-13 at 12:21

            I'm using the Okta React library - https://github.com/okta/okta-oidc-js/tree/master/packages/okta-react - however it doesn't come with type definitions.

            I've created a .d.ts definition file that has declare module "@okta/okta-react"; however, this library has a higher-order component used like: import { withAuth } from '@okta/okta-react'; (https://github.com/okta/okta-oidc-js/tree/master/packages/okta-react#withauth)

            How do I write this in my definitions file?

            Is this valid?

            ...

            ANSWER

            Answered 2020-Feb-13 at 12:21

            You need to make withAuth a generic function that takes a component type and returns that component type but with the props modified to remove auth:

            Source https://stackoverflow.com/questions/60204641

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install okta-oidc-js

            We use Yarn as our node package manager during package development. To install Yarn, check out their install documentation.

            Support

            We're happy to accept contributions and PRs! Please see the contribution guide to understand how to structure a contribution.