Will this Authentication/Authorization Architecture for Microservices work?
I'm designing a microservices-based architecture. The architecture should support multiple devices accessing the API.
In order to secure the internal Resource APIs, I wanted to implement authentication and authorization based on JWTs and Refresh Tokens.
My requirements are:
- Preventing an attacker from using XSS to steal the user's token
- Preventing CSRF attacks
- In-bounds security: even if the attacker can send requests to the internal Resource APIs, he can't do anything without a signed JWT
- Managing users (Authentication and Permissions) via a single internal Users API
- The tokens can be revoked at any time
- Support Multi-Factor Authentication via TOPT
This is what I came with:
Few details:
- The JWTs are really short-lived (30 seconds)
- The Internal API Gateway will include an endpoint (login) for converting username, password, and TOPT passcode to a new refresh token via the Users API.
Will this architecture actually work? will it be secure? Thank you very much! 😊
Tokens are actually harder to secure from JavaScript than pure cookies that we have several mature ways to protect from JavaScript (like Secure, HttpOnly, SameSite...).
I think you should keep your architecture less complex by using the same technique everywhere for both mobile and browsers. As both types are considered to be insecure public clients.
also, a hint, it can be interesting for you to explore how existing application deal with this using a tool like Fiddler to capture all the mobile traffic and explore how they deal with login, session and signout.
see https://docs.telerik.com/fiddler/configure-fiddler/tasks/configureforios
- How to make copilot not leak secret credentials with Neovim plugin?
- Does the client knowing all the endpoint names pose a security risk?
- Securing a client-side API
- How to disable security in Quarkus
- SNC name of ABAP System
- Is MD5 a good way to generate account verification code
- Is there any relationship between Secure Boot and Kernel Lockdown?
- CryptographicException: Access denied - How to give access on User store?
- How to use an API from my mobile app without someone stealing the token
- Symfony security component - Unable to find key \"username\" in the token payload
- Is it a good praxis to secure an webservice endpoint with a simple token string?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- Are there CSRF attacks that don't use cookies?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- vulnerable Tomcat 10.1.31 embedded in Artifactory 7.98.13
- Why CSRF token should be in meta tag and in cookie?
- How can I prevent SQL injection in PHP?
- How/why is login page redirect required?
- Do Electron apps enforce CORS restrictions in the renderer process?
- How can i use a reverse shell over global Internet?
- Should I Manually Patch the Pandas DataFrame.query() Vulnerability or Wait for an Official Update?
- C# - Securely storing a password locally
- how to secure keys for API calls from android device to amazon services
- Should I add application.properties to .gitignore if the Git repository is private and both the server and DB are on an internal network?
- Understanding the port numbers of a network connection strings in systemd output of an ubuntu device
- Disable firefox same origin policy
- SecurityError: Blocked a frame with origin from accessing a cross-origin frame
- Securely decoding a Base64 character array in Java
- Is There a Security Risk Using ADB Over TCP/IP for Wireless App Development in Expo?
- Is it a good idea to distribute docker image containing my selfsigned certificate?