OAuth 2 authentication for both iframe and api

I am integrating several websites / services into my application. I am using iframes (or webview for Vue Electron) to integrate the UI and also I am using the API to implement cross-communication between these services.

At the moment I have to authenticate with OAuth 2 twice for each service: once as part of the natural authentication in the iframe and again when I ask the user to grant me access to that service (for API reasons).

Is there a way to simplify this process?

+3




2 answers


The modern answer would be to completely change your application.

  • You must have 1 SPA app, not an iframe
  • This app will authenticate to get the OAuth2 token
  • This application will then call the backend (access to multiple backends, or access to the API control layer that calls the backend).

Thing is, with this you can have 2 strategies:

  • grant all permissions (scopes) on first authentication
  • allow a small scope on first authentication and then "re-authenticate" (actually check the new realm) if necessary to get a new access token

When an API wants to call another API, you also have 3 strategies:
  • you just use the same client token that the API receives into the service of your API call (no human interaction)
  • your API generates a token from the service account (using ROPC authentication scheme) (no human interaction required). (The API will be the client of the second API).
  • your identity provider has an endpoint for converting an access token: your API can provide a client access token, and the authorization server converts it using your API's client_id. You send this token to the 2nd API (the token will reflect your UI theme, but the client id will be the first API's client id) (no human interaction required)

Now, if you are using an IFrame with multiple sub-applications in the same domain (the domain must be exactly the same!), you can use the same access token, for example via local storage (not the highest security). You will probably need authentication with a large list of realms, but this is your only option. You will be simulating a single page application, but the problem is that you will potentially have a different client application, depending on the first application you authenticate with.

Edit: multiple authorization servers

From your comment, you have multiple authorization servers. One strategy might be to ask the user to authenticate, then your application can get an access_token and a refresh_token. Depending on your authorization server, the refresh_token can be used many times / for a long period of time, so if you store it somewhere, the next time the user visits the application, your application can get an access_token from this refresh token without any problems. Then your application will have access to the remote API without new interaction with your user. Of course, this means that you must store this token in the most secure way possible.

+3




Using OpenID Connect, you can combine authentication and authorization in one step and get both an id_token (user login to your application) and an access_token (API access) in a single authentication response.



+3
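As an added illustration of the single-response approach described in the answer above (example code, not from either answer or any particular provider), this Python sketch builds one authorization request that asks for login and API access together, then verifies the returned id_token before trusting it and hands the access_token on for API calls. The issuer, client id, scope name api.read and the HS256 shared secret are constructed placeholders; a real provider signs id_tokens with an asymmetric key published via JWKS.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
# Constructed values for this example; a real deployment has its own issuer, client id and keys.
ISSUER = "https://idp.example"
CLIENT_ID = "my-spa"
REDIRECT_URI = "https://app.example/callback"
SHARED_SECRET = b"constructed-hs256-secret"  # stands in for the IdP's key; real IdPs use RS256 + JWKS

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorize_url(state: str, nonce: str, code_verifier: str) -> str:
    """One request: 'openid' asks for login (id_token), 'api.read' asks for API access (access_token)."""
    challenge = _b64url(hashlib.sha256(code_verifier.encode()).digest())  # PKCE, S256
    return f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile api.read", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256"})

def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Check signature, algorithm and the claims OIDC requires a relying party to check; return payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud", [])
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss/aud mismatch: token is from another issuer or for another client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: response does not belong to this login attempt")
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("id_token expired")
    return claims

def consume_token_response(resp: dict, expected_nonce: str, now=None) -> tuple:
    """Split one token-endpoint response into the login proof (claims) and the API credential."""
    user = verify_id_token(resp["id_token"], expected_nonce, now)
    return user, resp["access_token"]  # access_token is opaque to the client: send it to the API as-is

def make_constructed_id_token(claims: dict) -> str:
    """Signs an id_token the way the constructed IdP would (fixture for trying the code offline)."""
    header, payload = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"
```

The state parameter is still checked on the redirect before the code is exchanged; the nonce check here is what ties the id_token itself to that login attempt.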








