Authentication plugins and building a secure app


#1

Hey guys,
I’ve been looking into how to secure my application. I looked at aurelia-authentication (by spoonx) plugin but it seems to be more geared toward OpenID or OAuth2 services that you purchase or facebook/google logins.

I’m looking for isolated security (no reliance on other services). So things I’m trying to research about which avenue to go down:

  1. Implementing OAuth2 in your own custom backend, being able to choose the type of OAuth2 (or a few main ones), or perhaps utilizing JWT, localStorage etc. (perhaps utilizing aurelia-store) without having to reinvent everything by implementing it yourself.
  2. Other aurelia implementations or plugins that are not OAuth 2.0 but something to research?
  3. Just secure your app yourself, implement hashing backend for passwords or client-certificate checks or hardware token checks yourself with your webserver, then fetch protected information, including navigation (authorize pipeline step), only after everything has been securely checked.

Thoughts? Has anyone done anything interesting with their app to secure it? I’m just here for stories.


#2

Just for the record, spoonx plugin is aurelia-authentication.

As for the auth in general, it allows for custom made auth via jwt tokens as well as any iaas platforms. It really depends on what your employer/client and their consultants want.

For smaller clients, in our asp.net core app I’m using jwt tokens signed with a selfsigned certificate. For a bigger client, I’m integrating with azure ad b2c (auth0 competitor). In both cases the plugin works just fine with some variations regarding refreshing a token - it’s more manual with Azure.


#3

I decided right off there was no way I could create a secure authentication system and decided to look for something that was mostly turnkey. I looked at a handful of them, but ended up with Auth0 as it was free for thousands of accounts, and had the ability to be integrated into Aurelia.

So far, it has been a good decision.

That said, as with many free services, eventually they change (Google Maps anyone?) and you need to eventually plan on how to handle that (which I have not yet done)


#4

Shaun luttin OpenId Connect is one of the best plugin you can use with Aurelia to connect with OpenIddict, IdentityServer4, etc.


#5

To add a bit more detail, for the back end I’d use something pre-built. My preferences are typically:

If possible use a cloud based authentication/authorization provider like Auth0 or AzureAD. These should allow you to create users which have associated claims. Users should then be able to log in using either a pre-existing account like (Microsoft Account, Twitter, or similar) to acquire a JSON Web Token or JWT. Typically the JWT will store the claims (what the user has permission to do).

The workflow is as follows:

1. Aurelia login page posts to the authentication provider to acquire a token.
This would look something like:

  logIn(userName, password){

    return this.http.fetch('token', {
            method: 'post',
            body: json({name: userName, password : password})
        })
        .then(response => response.json())
        .then(tokenResult => {
            if(tokenResult.success) window.localStorage.setItem("token", tokenResult.token);
            return tokenResult;
        })
        .catch(error => {
            console.log('Error retrieving token');
        });
}

In this example, I post the username and password which have been received from a login form view-model via data-binding. The workflow would be slightly different if you were using an identity provider.

2. The authorization header
This token would then typically be attached to the header on each request that requests authorization.

   get tokenInterceptor(){
    let auth = this;
    return {
        request(request) {
            let token = auth.getToken();
            if(token){
                request.headers.append('authorization', `bearer ${token}`);
            }
            return request; 
        }
    }
}

The back end would then receive the request with the authorization header and verify that the that the token hadn’t been tampered with, and that the user had access to the specified resource. The back end module responsible for performing this verification would either be something like ASP.NET Core identity if you want to build it yourself, or one of the authentication providers I mentioned earlier.

3. Redirecting the user client side
The other piece of the puzzle is determining whether you should allow users to visit a page client side. You can do this by decoding the token, examining the claims, and either showing the page, or redirecting the user to an appropriate error page.

You can do this by implementing an authorization step in the routing pipeline, which would look something like this:

  import {Redirect} from 'aurelia-router';

  export class AuthorizeStep {

  constructor(authService){
    this.authService = authService;
  }

  run(navigationInstruction, next) {
    if (navigationInstruction.getAllInstructions().some(i => i.config.settings.auth)) {
      
      if (!this.authService.isLoggedIn()) {
        return next.cancel(new Redirect('login'));
      }
    }

    return next();
  }
}

4. Hiding navigation links
If you want to take it a step further, you could then also decide which links a user should see based on their claims using a value converter.

If you’re interested you can check out a complete sample implementation of this authentication pattern here.


#6

We used Microsoft Identity for Net Core applications which are, of course, multipage (login, logout, register), but using the Aurelia SPA fired from the Home Page (or landing page for other Aurelia SPAs). Authorization performed using Claims before generating the authorized routes during start up. No need for additional complexity involving explicit tokens :slight_smile:


#7

Shaun Luttin no longer maintains aurelia-open-id-connect and it’s been moved to aurelia-contrib where it (very expectedly) hasn’t seen any real development…


#8

Just wondering if anyone has Identity Server working with Single Sign On for a number of Aurelia SPAs (Net Core ones would most probably be MPAs (multi page applications) if using database for authentication/authorization)? Or a gihub repo? Preferring not to program it all from scratch :slight_smile:


#9

I think it was updated couple of months before and the sample is also used for openididict


#10

It very seldom receives updates and Shaun has said that he doesn’t have the time for it multiple times throughout the issues reported on GitHub. So bugs take months to get fixed unless you’re feeling charitable and contribute with pull-requests.

Simply put, I do still use it for hobby projects but I wouldn’t use it on one at work. The situation is the same as with other non-official Aurelia plugins.


#11

It was for Net Core 2.0 and it worked well. I tried it with Net Core 2.1 but couldn’t get it to work correctly with supplied examples or our own projects. Do we know if it will be updated soon? Net Core 2.2 is on the horizon and each version does things sufficiently differently to be no longer backwords compatible for security functionality (ie authentication/authorization)