OAuth - IdentityServer4 - JWT cookie issue

  • Question

  • User2048898515 posted

    Hi Team,
    We are planning to use IdentityServer for our company's authentication and authorization. My company's security analyst has the following questions.
    1. He told us that, as part of security (GDPR), we should not store the JWT token in cookies because it is vulnerable to XSS (cross-site scripting) or CSRF (cross-site request forgery).
    2. Is it possible to avoid cookies in IdentityServer?
    3. What security measures do we need to have if we have to use cookies?

    Friday, August 24, 2018 10:39 AM

All replies

  • User475983607 posted

    You are asking the wrong audience, but your first step is learning. The way you've asked the question indicates that you do not understand the security vulnerabilities or how IdentityServer works. The first step is learning the technology. That will allow you to communicate with your security analyst.

    1. He told us that, as part of security (GDPR), we should not store the JWT token in cookies because it is vulnerable to XSS (cross-site scripting) or CSRF (cross-site request forgery).

    Authentication cookies are the standard authorization container for a user-agent, the browser. The security vulnerabilities mentioned are not specific to IdentityServer4. Standard solutions exist and are only published on this site. Start by reading the support docs so you understand the vulnerabilities and the solutions.

    https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-2.1

    https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1

    2. Is it possible to avoid cookies in IdentityServer?

    It depends on what you're securing and who the client is. If the client is a user-agent like a browser, then auth cookies persist the results of the authentication. The contents of an authentication cookie are claims about the user. The fact that the auth cookie exists is proof enough that the user is authorized to use the site.

    If the client is code, then there is no cookie, because a cookie is a browser feature. The client in this case is responsible for handling the token. The client knows how to validate the token and uses the token to request secured resources like API endpoints.

    What I'm describing is very basic. There are several flows that you must understand. Reading the IdentityServer4 docs is a good place to start.

    http://docs.identityserver.io/en/release/

    3. What security measures do we need to have if we have to use cookies?

    You need to learn the basics. Start by reading the links above.

    Friday, August 24, 2018 11:34 AM
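The reply above distinguishes a browser client (the authentication result lives in an auth cookie) from a code client (no cookie, the client presents and validates a bearer JWT), and points at the ASP.NET Core XSS and anti-forgery docs for the standard mitigations. The following is an added example, not code from the forum post or from the IdentityServer4 project, showing what those mitigations look like in an ASP.NET Core 2.1 `Startup` of an application that relies on IdentityServer4: the cookie is made unreadable by script (`HttpOnly`), HTTPS-only (`Secure`) and not sent on cross-site requests (`SameSite`), anti-forgery tokens are enforced on every unsafe HTTP method, and API callers are authenticated with a bearer JWT that the JWT handler validates against the authority's discovery document. The authority URL `https://idsrv.example.com`, the audience `api1`, the cookie name `__Host-auth` and the header name `X-CSRF-TOKEN` are placeholder assumptions, not values from the thread.

```csharp
// Added example (not from the forum post or the IdentityServer4 project):
// ASP.NET Core 2.1 Startup applying the standard cookie/CSRF/XSS mitigations the
// reply refers to. Authority, audience, cookie name and header name are
// placeholder assumptions, not values from the original thread.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            // Browser client (question 2/3): the auth cookie persists the
            // authentication result, so keep it out of script reach and off plain HTTP.
            .AddCookie(options =>
            {
                // Placeholder name. The __Host- prefix makes the browser refuse the cookie
                // unless it is Secure, has no Domain attribute and Path=/ (app hosted at the root).
                options.Cookie.Name = "__Host-auth";
                // XSS: an injected script cannot read this cookie via document.cookie.
                options.Cookie.HttpOnly = true;
                // Never sent over HTTP, so it cannot be sniffed or injected by a network attacker.
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                // CSRF: Lax keeps the cookie off cross-site POSTs while allowing top-level
                // navigations back from the identity provider to stay logged in.
                options.Cookie.SameSite = SameSiteMode.Lax;
                // Bound lifetime limits the window in which a stolen cookie is useful.
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;
            })
            // Code client (question 2): SPA, mobile app or service calling an API.
            // No cookie; the caller sends "Authorization: Bearer <jwt>" and this handler
            // validates signature, issuer, audience and lifetime using the signing keys
            // published in the authority's discovery document.
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://idsrv.example.com"; // placeholder IdentityServer4 URL
                options.Audience = "api1";                       // placeholder API resource name
                options.RequireHttpsMetadata = true;             // refuse discovery over plain HTTP
            });

        // CSRF defence in depth for cookie-authenticated form posts and AJAX calls
        // (question 3). The token cookie is itself hardened the same way.
        services.AddAntiforgery(options =>
        {
            options.HeaderName = "X-CSRF-TOKEN"; // placeholder header name for AJAX callers
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });

        // Reject every POST/PUT/PATCH/DELETE that does not carry a valid anti-forgery
        // token, instead of relying on each action remembering [ValidateAntiForgeryToken].
        services.AddMvc(options =>
        {
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();   // Secure cookies are only ever set on HTTPS responses
        app.UseAuthentication();     // must precede MVC so [Authorize] sees the principal
        app.UseMvc();
    }
}
```

Two practical notes on this configuration. Forms rendered by Razor views emit the anti-forgery token automatically through the form tag helper (or `@Html.AntiForgeryToken()`); AJAX callers have to read the token the server hands out and send it in the `X-CSRF-TOKEN` header assumed above, since the cookie alone is deliberately not enough. And `HttpOnly` protects the cookie's value, not the session: a script injected by XSS can still make same-origin requests that carry the cookie, so the XSS guidance in the linked docs (encode output, never emit untrusted HTML) remains necessary alongside the cookie flags.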