Home > Mobile >  Pitfalls of securing web APIs with cookie for public clients
Pitfalls of securing web APIs with cookie for public clients

Time:09-17

I am mid-way of implementing oidc/pkce implicit authorization flow in my asp.net core rest web api for a public JS client.

I almost understand how this works, but I can't exacly understand what are the biggest issues with another approach - if I were to use the default cookie (or session) authentication provided by ASP Identity.

I find it hard to google this topic. Can I please ask for some hints / pointers to articles?

CodePudding user response:

Plain cookie authentication is still used, even when you use token based authentication.

After the OpenIDConnect client receives the final tokens, it will by default create a classic session token that contains the user details and claims. Optionally you can also store the ID/Access/Refresh tokens inside this cookie.

The cookie is encrypted so it can't be tampered or hacked.

The benefit of using OpenIDConnect is when you have multiple clients and/or API's involved and you want a standardized way to handle this. Doing the plain cookie approach with many different services is hard to make secure.

Page link:https//www.codepudding.com/Mobile/115711.html

Prev:Angular get data from http put [closed]
Next:ServiceStack - validate json data before it is mapped to a DTO
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding