Single Sign On Using Net Core Aurelia And Other Applications


#1

Web Application Security (WAS) is very much in the news, and securing applications using authentication and authorization requires more thought than a few years ago; insecure APIs and websites are all over the internet. The recent Facebook hack (https://thehackernews.com/2018/10/hack-facebook-account.html) compromised not only the account passwords but also 2-factor authentication associated devices and the widely used Login With Facebook, a popular implementation of Single Sign On (SSO) that is rapidly becoming the de rigueur method of using the web. There are, however, old and new standards widely used and, whilst use of cookies in security code by developers is definitely a no-go area these days, JSON Web Tokens (JWT) are widely used in Single Sign On nowadays because of their small overhead and their ability to be easily used across different domains, and these are already used in the aurelia-authentication package. JWT tokens are presented in an Authorization header as a Bearer token in the request, which is specially handled by the backend application server. One may wish to disable Login With Facebook, for example, or any other 3rd party authentication/authorization software as a service by a quick configuration change when such a hack occurs in future.

Our Aurelia application uses Net Core 2.1, protected by default, and therefore Microsoft Identity using Claims is implemented as the standard solution, though this does not cover out of the box all that is necessary to implement a secure Single Sign On capability. This would be extremely useful where other Aurelia and non-Aurelia applications are managed in the Enterprise. Microsoft Identity essentially changes the Aurelia Single Page Application (SPA) into a multi-page application secured by their system using a login challenge on a protected route, and authentication/authorization occur when the credentials are presented. Clearly, the Login, Logout, Access Denied and Forgot Password pages remain unprotected, which is fine since Net Core Identity is inherently secure whilst the Net Core framework handles challenge results, cookies, session state etc. These pages can be easily customised, so the Forgot Password page could quickly be authorised to stop forgotten passwords being changed if needed.

The only open source package which appears to cover Single Sign On satisfactorily is IdentityServer4, which uses OpenID Connect and OAuth2 to handle the necessary tokens for a range of flows (e.g. authorization code flow, implicit flow, hybrid flow), and writing these into an application can be problematic. Has anyone done this yet? Does it work?
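The post above describes the bearer token being "specially handled by the backend application server". The following is an added example, not code from the thread or from aurelia-authentication, of what that handling must check before a request is trusted: the `Authorization` header is parsed for a `Bearer` token, the `alg` is pinned to HS256 rather than read from the token, the HMAC is compared in constant time, and `exp` is enforced. The secret, the function names and the claim names are all assumptions constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed demo secret; a real deployment loads the signing key from
// configuration or a key vault, never from source.
export const SIGNING_SECRET = "constructed-demo-secret-do-not-use";

export function base64UrlEncode(input: Buffer | string): string {
  return Buffer.from(input).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(input: string): Buffer {
  const padded = input.replace(/-/g, "+").replace(/_/g, "/")
    + "=".repeat((4 - (input.length % 4)) % 4);
  return Buffer.from(padded, "base64");
}

// Issues an HS256 JWT; only here so the example can mint its own sample tokens.
export function signHs256(claims: Record<string, unknown>, secret: string): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${base64UrlEncode(sig)}`;
}

// Pull the token out of "Authorization: Bearer <jwt>"; anything else is "no token".
export function extractBearer(authorization: string | undefined): string | null {
  if (!authorization) return null;
  const m = /^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/i
    .exec(authorization.trim());
  return m ? m[1] : null;
}

// Returns the claims if, and only if, the token verifies; null otherwise.
export function verifyHs256(token: string, secret: string, nowSeconds: number)
  : Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: unknown };
  try { header = JSON.parse(base64UrlDecode(h).toString("utf8")); } catch { return null; }
  // Pin the algorithm: the verifier decides it, the token does not ("alg":"none" is rejected here).
  if (header.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const actual = base64UrlDecode(s);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;
  let claims: Record<string, unknown>;
  try { claims = JSON.parse(base64UrlDecode(p).toString("utf8")); } catch { return null; }
  // Enforce expiry; a token without exp is treated as invalid.
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  return claims;
}

// What the backend does per request: no verified claims means no authorization.
export function authorizeRequest(headers: Record<string, string | undefined>,
                                 nowSeconds: number): Record<string, unknown> | null {
  const token = extractBearer(headers["authorization"]);
  if (!token) return null;
  return verifyHs256(token, SIGNING_SECRET, nowSeconds);
}
```

In a Net Core application the JWT bearer authentication middleware performs these checks before the `[Authorize]` attribute sees the request; the example spells out what is being relied on so that a configuration change (say, disabling one identity provider's signing key) can be reasoned about.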


#2

Hello @iovergard

I am preparing a blog post about this topic: how to configure IdentityServer4, and how to use the aurelia-openid-connect plugin, by Mr. Shaun Luttin, to communicate with the server. The post covers all the basic requirements to make your Aurelia application secure. The sample source code is almost ready; I just need a couple of days to work on the post and publish it.

It is also worth noting that I have plans to write an Aurelia-based admin panel for IdentityServer; hence, every recommendation will be taken into account.


#3

I use Auth0. It’s pretty straightforward to integrate into aurelia.


#4

Use quick app for angular and don’t use angular. Has excellent boiler for all security.

Take a look.


#5

I concur Auth0 can and does work in almost all scenarios. However, I don’t like the idea of using Auth0 since it requires a subscription. The subscription model could become uncompetitive, especially if the company is very successful and becomes a monopoly. Conversely, if the company goes bust so, of course, do all the Single Sign Ons.


#6

I like the look of that. Use an angular template and don’t use angular. Passionate about Aurelia here :slight_smile:


#7

Hi @lvparkington

I just published a blog post; it’s all the basics of how to start quickly with IdentityServer and Aurelia. I’ll be more than happy to have your feedback.


#8

Thanks for this. I’ll take a look, but my work machine has been locked down and dotnet new and many other needed features are not working. Since starting from Net Core 2.1 we have used Microsoft Identity to launch Aurelia from the Home Page upon successful authentication, since it is protected by the [Authorize] attribute, without the need to have a second set of authentication at the Aurelia level. It is a multi-page MVC application with the Aurelia SPA running on the Home page, where the Identity pages are available using the MVC router and Aurelia won’t load if unauthenticated. For good measure, the User Claims are read from app.ts and if there are none (for example if this [Authorize] is removed), then no Aurelia routes are created.
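The post above reads the user's claims in app.ts and builds no Aurelia routes when there are none. The following is an added example of that gate, not the poster's code: it assumes the Razor Home view embeds the claims as a JSON array in a script tag with id `user-claims` (a constructed convention), uses a minimal stand-in for Aurelia's `RouterConfiguration` so it runs without the framework, and treats the claim type `role` with value `admin` as a hypothetical role claim. Anything missing or malformed is treated as "unauthenticated", which yields an empty route table.

```typescript
// Shape of a claim as the host page serialises it for the SPA (assumed format).
export interface UserClaim { type: string; value: string; }

// Minimal Aurelia-style route entry; the real RouteConfig has more fields.
export interface RouteConfig { route: string; name: string; moduleId: string; }

// The one method of Aurelia's RouterConfiguration that this example needs.
export interface RouterConfigLike { map(routes: RouteConfig[]): void; }

const HOME_ROUTE: RouteConfig = { route: "", name: "home", moduleId: "home" };
const ADMIN_ROUTE: RouteConfig = { route: "admin", name: "admin", moduleId: "admin" };

// Parse the embedded claims. Missing, malformed or non-array input all mean "no claims".
export function parseClaims(json: string | null | undefined): UserClaim[] {
  if (!json) return [];
  try {
    const parsed: unknown = JSON.parse(json);
    if (!Array.isArray(parsed)) return [];
    return parsed.filter(
      (c): c is UserClaim =>
        typeof c === "object" && c !== null &&
        typeof (c as UserClaim).type === "string" &&
        typeof (c as UserClaim).value === "string");
  } catch {
    return [];
  }
}

// Build the SPA route table from the claims. With no claims the table stays
// empty, so the SPA has nothing to navigate to even if [Authorize] were removed
// from the host page. Role-gated routes appear only when the claim is present;
// the server still enforces the same check on every API call, the client-side
// gate only keeps the UI honest.
export function buildRoutes(claims: UserClaim[]): RouteConfig[] {
  if (claims.length === 0) return [];
  const routes: RouteConfig[] = [HOME_ROUTE];
  if (claims.some(c => c.type === "role" && c.value === "admin")) routes.push(ADMIN_ROUTE);
  return routes;
}

// What app.ts's configureRouter would do: read the claims (passed in here, since
// there is no DOM in a plain TypeScript run) and map whatever routes they allow.
export function configureRouter(config: RouterConfigLike, claimsJson: string | null): RouteConfig[] {
  const routes = buildRoutes(parseClaims(claimsJson));
  config.map(routes);
  return routes;
}

// For the real page: read the JSON script tag the host view rendered (assumed id).
export function readEmbeddedClaims(
  doc: { getElementById(id: string): { textContent: string | null } | null }): string | null {
  const el = doc.getElementById("user-claims");
  return el ? el.textContent : null;
}
```

In the actual app.ts the call would be `configureRouter(config, readEmbeddedClaims(document))` inside Aurelia's `configureRouter(config, router)` hook; the route table is derived from the server-rendered claims rather than from anything the client can set.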


#9

Nice. This would be useful when all of your routes are required to be authorized in one way or the other, and you do not need an SSO approach, right?


#10

We’ve taken an agile approach, so we add functionality when required. Single Sign On (SSO) would mean one way to log in or register authentication options in the logical sense, so we are not happy configuring “Login With Facebook”, for example. We want full source control over it and the best bits of Identity combined with SSO, so we are not really happy using a 3rd party subscription service for the most important functionality of the application - ensuring authentication/authorization/auditing at a time when many internet web applications remain insecure. In 2018, for example, 80% of web hosted applications have substandard TLS/SSL configuration and 90% do not have 2 factor authentication implemented (https://betanews.com/2018/10/24/web-app-company-vulnerability/).