The latest articles on DEV Community by Andy (@tappyy). https://dev.to/tappyy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F436369%2F6f15f2de-0a9b-4ccc-a674-7623676f5326.JPG https://dev.to/tappyy en Andy Thu, 30 Jul 2020 16:18:22 +0000 https://dev.to/tappyy/reflected-xss-attack-on-localstorage-37g3 https://dev.to/tappyy/reflected-xss-attack-on-localstorage-37g3 <p>We've all seen the debates about localStorage vs. cookies when it comes to handling client-side JWTs. You may choose to store your JWTs in one or the other depending on which article you read. <strong>But what does an XSS attack actually look like?</strong></p> <h1> XSS Overview </h1> <p>The <a href="https://owasp.org/www-community/attacks/xss/" rel="noopener noreferrer">Open Web Application Security Project (OWASP)</a> defines XSS as: </p> <blockquote> <p>Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.</p> </blockquote> <p>In other words, attackers can use the features of your site to inject malicious Javascript. <strong>It's important to note that any client-side Javascript has access to</strong> <code>localStorage</code>, <code>sessionStorage</code> <strong>and</strong> <code>cookies</code> <strong>(non-HttpOnly)</strong>.</p> <h1> Example </h1> <p>I'm going to use a simple error page that users are redirected to if they encounter an general error. I've seen this used many times (hopefully a little better than what I'm about to show!)</p> <p><strong>Note:</strong> Let's assume that our site authenticates users via JWT and stores them in <code>localStorage</code>.</p> <p>Here's our beautiful error page:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fakc5heit56nnwvtmt6gq.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fakc5heit56nnwvtmt6gq.jpg" alt="Error page example"></a></p> <p>It accepts <code>code</code> and <code>message</code> parameters to display in the page like so:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> .../error.html?code=500&amp;message=Something%20went%20wrong </code></pre> </div> <p>The code that handles displaying the message looks like:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="p">).</span><span class="nx">searchParams</span> <span class="kd">const</span> <span class="nx">errorCode</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">))</span> <span class="kd">const</span> <span class="nx">errorMessage</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">)</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">error-code</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span><span class="dl">"</span><span class="s2">Error code: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">errorCode</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">error-message</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">errorMessage</span> </code></pre> </div> <p><em>Can you spot the mistake?</em> 😏</p> <p>We are getting the error message from the URL and placing it into our document HTML... 🤔</p> <p>What would happen if an attacker was to try to inject some Javascript instead of a message?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F1x8h1rm1bes1yiknotn4.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F1x8h1rm1bes1yiknotn4.jpg" alt="XSS Success"></a></p> <p><em>Uh-oh!</em> This confirms to the attacker that this page is vulnerable to an attack called <strong>Reflected XSS.</strong></p> <p>With some creativity, it's not a huge leap to get the contents of your local storage (which includes your JWT) and send it off to the attacker... <em>bye bye token!</em></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fo6fys7svkstycp6k95hx.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fo6fys7svkstycp6k95hx.jpg" alt="bye bye token"></a></p> <p>Once the attacker has your token, it's trivial to reveal all information stored in that token. <em>They are just base64 encoded objects.</em></p> <h1> Solution </h1> <p>The main issue with our code is that we are getting the message string from the URL and inserting it directly into our document HTML. Instead, we should:</p> <ol> <li>Sanitise anything that could come from the user (including URL parameters).</li> <li>Use <code>.textContent</code> instead.</li> </ol> <p>A good tip is <strong>Don't store anything in the JWT you wouldn't already consider public</strong>. This way, even if your site happens to be vulnerable to XSS, the attacker isn't gaining any private information.</p> <h1> Conclusion </h1> <p>There is nothing wrong with storing JWTs in <code>localStorage</code>. The issue is with poor coding practices that have the potential to expose your site and users to attack. </p> <p>Granted, this was a simple (and contrived) example of reflected XSS, but there are other DOM-based attacks your app may be vulnerable to. </p> <p>It's fun to break things you're working on and see if you can patch any vulnerabilities <em>before</em> they make it out!</p> <p>Here are some good places to learn more:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html" rel="noopener noreferrer">DOM-based XSS Prevention Cheat Sheet</a></li> <li><a href="https://owasp.org/www-project-top-ten/" rel="noopener noreferrer">OWASP Top 10</a></li> </ul> <p>Have fun! Thanks for reading! 😃</p> security webdev javascript Andy Mon, 27 Jul 2020 15:18:52 +0000 https://dev.to/tappyy/store-array-data-in-keyed-objects-for-better-performance-3ppd https://dev.to/tappyy/store-array-data-in-keyed-objects-for-better-performance-3ppd <p>There are plenty of ways to store client-side data in Javascript and React, not to mention ES6's data structures like <code>Set</code> and <code>Map</code>, but sometimes all you need is a simple object. </p> <p>I use this pattern almost daily in combination with redux and/or context to streamline data access. I want to demonstrate how we can use a keyed-object to increase performance vs. storing data in a typical array.</p> <h1> Problem Example </h1> <p>Let's say we're fetching an array of people from an API to display a list:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">[</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Keanu Reeves</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bad ass</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Elon Musk</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Space cowboy</span><span class="dl">'</span> <span class="p">},</span> <span class="p">...</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Tom Hanks</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Toy cowboy</span><span class="dl">'</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <p>Assuming we store this array somewhere client side, if we wanted to access a particular user by ID, we would need to do something like <code>people.find(x =&gt; x.id === 1)</code>. This has a <strong>time complexity of O(n)</strong> and can be expensive if the array is large.</p> <p><em>O(n) means the larger the array gets, the longer it can take to find what you're looking for! This is because it has to potentially check every item in the array 👎</em></p> <h1> Solution Example </h1> <p>By looping through the results in the API response, we can build a keyed-object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">keyedObject</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">response</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">person</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">id</span><span class="p">,</span> <span class="p">...</span><span class="nx">rest</span><span class="p">}</span> <span class="o">=</span> <span class="nx">person</span> <span class="nx">keyedObject</span><span class="p">[</span><span class="nx">id</span><span class="p">]</span> <span class="o">=</span> <span class="nx">rest</span> <span class="p">});</span> </code></pre> </div> <h3> Added bonus (looping) </h3> <p>If we need to loop through the data to display a list for example, we can create an array to store the IDs.</p> <p>The final solution might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">keyedObject</span> <span class="o">=</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">ids</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">person</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">id</span><span class="p">,</span> <span class="p">...</span><span class="nx">rest</span><span class="p">}</span> <span class="o">=</span> <span class="nx">person</span> <span class="nx">keyedObject</span><span class="p">[</span><span class="nx">id</span><span class="p">]</span> <span class="o">=</span> <span class="nx">rest</span> <span class="k">return</span> <span class="nx">id</span> <span class="p">});</span> </code></pre> </div> <p>Now we can quickly access our data by ID with <strong>O(1) time complexity</strong> and loop through the data using our <code>ids</code> array.</p> <p><em>O(1) is great for performance because no matter how large the array or object is, we can always go straight to the item we want! 👍</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">keyedObject</span><span class="p">[</span><span class="nx">personId</span><span class="p">].</span><span class="nx">name</span> <span class="kd">const</span> <span class="nx">allNames</span> <span class="o">=</span> <span class="nx">ids</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">id</span> <span class="o">=&gt;</span> <span class="nx">keyedObject</span><span class="p">[</span><span class="nx">id</span><span class="p">].</span><span class="nx">name</span><span class="p">)</span> </code></pre> </div> <p>Thanks for reading! 😃</p> react webdev performance javascript Andy Sun, 26 Jul 2020 16:37:34 +0000 https://dev.to/tappyy/oidc-authentication-with-react-identity-server-4-3h0d https://dev.to/tappyy/oidc-authentication-with-react-identity-server-4-3h0d <p>I put this small demo together with the following objectives:</p> <ul> <li>Authenticate a React app user via Identity Server 4 using OIDC.</li> <li>Store authenticated user details in a central store client side.</li> <li>Have a public and a protected route within the app. Only authenticated users can access protected route.</li> <li>Fetch data from a protected web API using a JWT. Only authenticated users can access the API.</li> </ul> <h1> Basic Architecture </h1> <ul> <li>React app will serve as the customer facing site.</li> <li>Identity Server 4 will implement OpenID Connect and be used to authenticate users.</li> <li>.NET Core API will have a protected enpoint that will serve some doughnut-y goodness 🍩.</li> </ul> <h1> Identity Server 🤖 </h1> <p>Starting with one of the .NET templates provided by Identity Server, we need to configure our client, API resource and test user. For the purpose of this demo I will just create a single client, API resource and test user: Peter Parker 🕷️.</p> <p>The <code>GetClients</code> function of <code>config.cs</code> is configured as follows:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">static</span> <span class="n">IEnumerable</span><span class="p">&lt;</span><span class="n">Client</span><span class="p">&gt;</span> <span class="nf">GetClients</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span><span class="p">[]</span> <span class="p">{</span> <span class="k">new</span> <span class="n">Client</span> <span class="p">{</span> <span class="c1">// unique ID for this client</span> <span class="n">ClientId</span> <span class="p">=</span> <span class="s">"wewantdoughnuts"</span><span class="p">,</span> <span class="c1">// human-friendly name displayed in IS</span> <span class="n">ClientName</span> <span class="p">=</span> <span class="s">"We Want Doughnuts"</span><span class="p">,</span> <span class="c1">// URL of client</span> <span class="n">ClientUri</span> <span class="p">=</span> <span class="s">"http://localhost:3000"</span><span class="p">,</span> <span class="c1">// how client will interact with our identity server (Implicit is basic flow for web apps)</span> <span class="n">AllowedGrantTypes</span> <span class="p">=</span> <span class="n">GrantTypes</span><span class="p">.</span><span class="n">Implicit</span><span class="p">,</span> <span class="c1">// don't require client to send secret to token endpoint</span> <span class="n">RequireClientSecret</span> <span class="p">=</span> <span class="k">false</span><span class="p">,</span> <span class="n">RedirectUris</span> <span class="p">=</span> <span class="p">{</span> <span class="c1">// can redirect here after login </span> <span class="s">"http://localhost:3000/signin-oidc"</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// can redirect here after logout</span> <span class="n">PostLogoutRedirectUris</span> <span class="p">=</span> <span class="p">{</span> <span class="s">"http://localhost:3000/signout-oidc"</span> <span class="p">},</span> <span class="c1">// builds CORS policy for javascript clients</span> <span class="n">AllowedCorsOrigins</span> <span class="p">=</span> <span class="p">{</span> <span class="s">"http://localhost:3000"</span> <span class="p">},</span> <span class="c1">// what resources this client can access</span> <span class="n">AllowedScopes</span> <span class="p">=</span> <span class="p">{</span> <span class="s">"openid"</span><span class="p">,</span> <span class="s">"profile"</span><span class="p">,</span> <span class="s">"doughnutapi"</span> <span class="p">},</span> <span class="c1">// client is allowed to receive tokens via browser</span> <span class="n">AllowAccessTokensViaBrowser</span> <span class="p">=</span> <span class="k">true</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Also in <code>config.cs</code>, we can add our web API as a resource in <code>GetApis</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">static</span> <span class="n">IEnumerable</span><span class="p">&lt;</span><span class="n">ApiResource</span><span class="p">&gt;</span> <span class="nf">GetApis</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="n">ApiResource</span><span class="p">[]</span> <span class="p">{</span> <span class="c1">// name and human-friendly name of our API</span> <span class="k">new</span> <span class="nf">ApiResource</span><span class="p">(</span><span class="s">"doughnutapi"</span><span class="p">,</span> <span class="s">"Doughnut API"</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h1> Web API 🕸️ </h1> <p>Our web API will serve up doughnut freshness from behind a protected endpoint. When calling the API from our React app, we will pass a bearer token in the request headers. The API can verify the token and give us what we want.</p> <p>In the .NET Core Web API template project we can add bearer token authentication by adding the following to the <code>ConfigureServices</code> method in <code>Startup.cs</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="n">services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="s">"Bearer"</span><span class="p">)</span> <span class="p">.</span><span class="nf">AddJwtBearer</span><span class="p">(</span><span class="s">"Bearer"</span><span class="p">,</span> <span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="c1">// URL of our identity server</span> <span class="n">options</span><span class="p">.</span><span class="n">Authority</span> <span class="p">=</span> <span class="s">"https://localhost:5001"</span><span class="p">;</span> <span class="c1">// HTTPS required for the authority (defaults to true but disabled for development).</span> <span class="n">options</span><span class="p">.</span><span class="n">RequireHttpsMetadata</span> <span class="p">=</span> <span class="k">false</span><span class="p">;</span> <span class="c1">// the name of this API - note: matches the API resource name configured above</span> <span class="n">options</span><span class="p">.</span><span class="n">Audience</span> <span class="p">=</span> <span class="s">"doughnutapi"</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>Next, we can add the middleware to the app by adding <code>app.UseAuthentication()</code> to the <code>Configure</code> method of <code>Startup.cs</code>. This allows authentication to be performed on every request. </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configure</span><span class="p">(</span><span class="n">IApplicationBuilder</span> <span class="n">app</span><span class="p">,</span> <span class="n">IHostingEnvironment</span> <span class="n">env</span><span class="p">)</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseCors</span><span class="p">(</span><span class="n">builder</span> <span class="p">=&gt;</span> <span class="n">builder</span> <span class="p">.</span><span class="nf">WithOrigins</span><span class="p">(</span><span class="s">"http://localhost:3000"</span><span class="p">)</span> <span class="p">.</span><span class="nf">AllowAnyHeader</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowAnyMethod</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowCredentials</span><span class="p">()</span> <span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseMvc</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">env</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseDeveloperExceptionPage</span><span class="p">();</span> <span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">(</span><span class="k">async</span> <span class="p">(</span><span class="n">context</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="nf">WriteAsync</span><span class="p">(</span><span class="s">"Doughnut API is running!"</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h1> React SPA 👾 </h1> <p>We can use Create React App to spin up a quick React project. From there, we can add our components and services for authenticating a user.</p> <h3> userService.js </h3> <p>We are using IdentityModel's <code>oidc-client</code> to implement our OIDC flow in React. I've created a <code>userService</code> that will abstract all functionality relating to OIDC and user management. <code>oidc-client</code> exposes a <code>UserManager</code> class that requires a config object: </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// the URL of our identity server</span> <span class="na">authority</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://localhost:5001</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// this ID maps to the client ID in the identity client configuration</span> <span class="na">client_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">wewantdoughnuts</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// URL to redirect to after login</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3000/signin-oidc</span><span class="dl">"</span><span class="p">,</span> <span class="na">response_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">id_token token</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// the scopes or resources we would like access to</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openid profile doughnutapi</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// URL to redirect to after logout</span> <span class="na">post_logout_redirect_uri</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3000/signout-oidc</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// initialise!</span> <span class="kd">const</span> <span class="nx">userManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserManager</span><span class="p">(</span><span class="nx">config</span><span class="p">)</span> </code></pre> </div> <p><code>userService.js</code> exports various functions that use the <code>userManager</code> class created above.</p> <h3> Initiating OIDC flow </h3> <p>Using <code>userService.signinRedirect()</code>, we can initiate the OIDC login flow. This will redirect the user to the login screen of Identity Server, and once authenticated, will redirect them back to the <code>redirect_uri</code> provided when configuring the <code>UserManager</code> class.</p> <h3> Callback Routes </h3> <p>For the simplicity of this demo, 2 callback routes have been configured: <code>/signin-oidc</code> and <code>/signout-oidc</code>. </p> <p>Once the user has logged in, they are redirected to <code>/signin-oidc</code> on the client. On page load, <code>userService.signinRedirectCallback()</code> will process the response from the OIDC authentication process. Once complete, the user is redirected to the home page and authentication has been successful! Yay!</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">function</span> <span class="nf">SigninOidc</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">history</span> <span class="o">=</span> <span class="nf">useHistory</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">signinAsync</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">signinRedirectCallback</span><span class="p">()</span> <span class="c1">// redirect user to home page</span> <span class="nx">history</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nf">signinAsync</span><span class="p">()</span> <span class="p">},</span> <span class="p">[</span><span class="nx">history</span><span class="p">])</span> </code></pre> </div> <p>Similarly, when the user logs out they are redirected to Identity Server to confirm logout then back to <code>/signout-oidc</code> on the client. This is where we can do any further actions such as redirecting the user to a 'Logout Successful!' page.</p> <h3> AuthProvider </h3> <p>Inspired by this <a href="https://medium.com/@franciscopa91/how-to-implement-oidc-authentication-with-react-context-api-and-react-router-205e13f2d49" rel="noopener noreferrer">Medium article</a> on implementing OIDC in React, I used React Context to create an <code>AuthProvider</code> to wrap all components of the app. I'm only using this to handle events triggered in our <code>userManager</code> class:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">userManager</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">addUserLoaded</span><span class="p">(</span><span class="nx">onUserLoaded</span><span class="p">)</span> <span class="nx">userManager</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">addUserUnloaded</span><span class="p">(</span><span class="nx">onUserUnloaded</span><span class="p">)</span> <span class="nx">userManager</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">addAccessTokenExpiring</span><span class="p">(</span><span class="nx">onAccessTokenExpiring</span><span class="p">)</span> <span class="nx">userManager</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">addAccessTokenExpired</span><span class="p">(</span><span class="nx">onAccessTokenExpired</span><span class="p">)</span> <span class="nx">userManager</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">addUserSignedOut</span><span class="p">(</span><span class="nx">onUserSignedOut</span><span class="p">)</span> </code></pre> </div> <p>The <code>UserLoaded</code> event is used to store the user object from Identity Server in Redux. This user object includes an access token which is added to the authorization header in axios. </p> <h1> We're done! 👊 </h1> <p>A user of our React app can successfully authenticate via Identity Server and call our web API to get some doughnut-y goodness!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fad2c55gld7quk155umzm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fad2c55gld7quk155umzm.png" alt="React app home page"></a></p> <p>This doesn't implement more advanced features such as silently renewing tokens but it does serve as a demonstration of adding OIDC to a React app.</p> <p>Feel free to clone the <a href="https://github.com/tappyy/react-IS4-auth-demo" rel="noopener noreferrer">Github repo</a> and have a poke around the demo and source code. PRs also welcome!</p> <h3> Further Reading 📖 </h3> <p>Some useful links that are related to this post 😃</p> <ul> <li><a href="http://docs.identityserver.io/en/latest/index.html" rel="noopener noreferrer">Identity Server Documentation</a></li> <li><a href="https://github.com/IdentityModel/oidc-client-js" rel="noopener noreferrer">oidc-client-js Github</a></li> </ul> react security csharp javascript