Long time software architect, CTO Authress, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
Even the first suggestion can be dangerous, since cookies are not safe by default. You need to make sure to use SameSite=Strict, and not every browser currently supports that flag.
Additionally, there are some problems with even doing that, though, because it means you can't actually use the token to do anything valuable by interacting with other domains. For instance, let's say you want to take your access token and use it to access other services which also support OIDC JWT-compliant access tokens. Your app needs to have access to them, which means cookies won't work because they won't be sent cross-domain. Take Authress for example, which handles user permissions. You can take the access token from the UI and send it to Authress, where the token will be verified for authenticity before granting permissions. While you can store it in cookies, doing so without protections is both unsafe and feature limiting.
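An added example, not part of Warren's comment or the article: a small audit that parses a Set-Cookie header and flags the attributes the comment is about (HttpOnly, Secure, SameSite=Strict). The function names and the sample header values are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into its name and a map of attributes.
// Attribute names are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq >= 0 ? pair.slice(0, eq) : pair;
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    attributes[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return { name, attributes };
}

// Return the findings that make a token cookie unsafe "by default":
// no HttpOnly (page scripts can read it), no Secure (sent over plain HTTP),
// and a missing or non-Strict SameSite (sent on cross-site requests).
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    findings.push("missing HttpOnly: token readable by scripts on the page");
  }
  if (!attributes.secure) {
    findings.push("missing Secure: token can be sent over plain HTTP");
  }
  const sameSite = typeof attributes.samesite === "string"
    ? attributes.samesite.toLowerCase()
    : null;
  if (sameSite === null) {
    findings.push("missing SameSite: cross-site requests may carry the token");
  } else if (sameSite !== "strict") {
    findings.push(`SameSite=${attributes.samesite}: still sent on some cross-site requests`);
  }
  return { name, findings };
}

// Constructed sample headers: a weak default next to the hardened form.
const weakHeader = "access_token=eyJhbGciOi.example.token";
const hardenedHeader =
  "access_token=eyJhbGciOi.example.token; HttpOnly; Secure; SameSite=Strict; Path=/";
```

Note that SameSite=Strict also means the cookie is not attached when a user arrives from a link on another site, which is the feature cost the comment refers to.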
Hi Warren, thanks for the insight! I just started with security, hence don't know much in detail. I just shared what I learned (till now). I've added your comment in the article so that others can check.