Pixy tokens for public clients

-

PKCE ("pixy"),an extension of Authorization Grant Type of OAuth 2.0, is now recommended for Single-Page Applications (public clients) and mobile apps where access tokens might be intercepted. 

Implicit grant type , which was typically used for these types of apps, has some security concerns.

Remember:

Client==Application

Resource Owner==User

Confidential Clients (running on server) = can securely store secrets

Public Client (running in browser/SPA/mobile apps) = cannot store secrets securely

PKCE Flow:

  1. The Proof Key for Code Exchange (PKCE) extension requires the calling application to generate a cryptographically random code verifier and a BASE64 encoded hash (SHA256) of code verifier called the code challenge on the fly before initiating the authorization flow.
  2. Application adds the code challenge to the request going to the authorization server to get the authorization code. Authorization server stores the code challenge and sends a one time us authorization code.
  3. The application then sends the authorization code received along with the original code verifier to get an id and access token. 
  4. Authorization server before issuing the tokens, validates whether the code verifier received in the request matches the code challenge sent earlier in step 2.
  5. Application requests data from API using access token.

Attackers can intercept the Authorization Code but cannot exchange it for tokens without the code verifier.

Use SDKs provided by Okta, Auth0, forgerock to implement this flow in your apps.

Comments

Post a Comment

Popular posts from this blog

Offline Apps Patterns and Tools

-
Apps capable of running offline provide a great user experience even when there's slow/unreliable or no network/internet available. They also minimize data usage and save battery power when run on mobile devices. Design Considerations: Upfront, both front and back end must be designed to work offline.  Think about features that cannot work in offline mode. Single users using the app on multiple devices. Automatically sync data (uni/bi-directional) stored locally on the device with the central database once the app is able to connect to the internet.  If the app is allowed to be used from multiple devices, conflicting data changes made by users and any data sync conflicts need to be handled. To make UI work offline, in the case of Mobile applications, there's nothing to do, but web applications will have to use something called service workers. By implementing a service worker, you can turn a regular web application into a Progressive Web App, making it downloadable and install...
Read more

Private Cloud Platforms

-
The below services let you   take public cloud infrastructure, private data centers or mix both to build a private cloud on-prem. AWS Outposts and Azure Stack are quite similar in that they essentially take public cloud computing services and extend them into on-premises data centers.  Using these frameworks, services available in public clouds like AWS EC2 , or Azure Virtual Machines can be run on on-premises data centers. You can also use the same monitoring and management tools that you would in the public cloud. Azure Stack Hub Azure Stack Hub brings core cloud services to customers' data centers, like virtual machines, storage, networking, VPN gateway and load balancing, as well as services like functions, containers and database. Certified hardware can be purchased from  a variety of partner vendors, such as HPE, Dell EMC, Cisco, Huawei and Lenovo.   Users need to manage their infrastructure, but professional support from Microsoft is available as part of the p...
Read more

Application Delivery in the cloud

-
Traditional load balancers have lately evolved to become intelligent application delivery controllers (ADC) which implement various techniques to improve performance along with balancing load across a group of backend servers. Some of the techniques include caching content, compression of assets (js files, images etc.), taking over SSL related process from web servers, providing security from DDoS, SQL injection, XSS etc.. ADCs are like one-stop-shop for providing performance and security.  Load balancers for non-HTTP(s) workloads: Azure Traffic Manager: Is a global non-HTTP(s)/DNS load balancer. DNS load balancers provide IP address of an healthy endpoint based on the configured rules. The endpoint can be an application gateway or a load balancer depending on whether SSL offloading or application layer processing is required or not. Azure Load Balancer: is a non-HTTP(s) global (cross-region)  load balancer (aka network load balancer) operates at layer 4 (transport laye...
Read more