
I have implemented a JSON web service in Java (server) and the client is in pure JavaScript. Is it possible to authenticate a web service call from JavaScript? I know that it is standard to use a private key on both sides, but JavaScript is public, so this is not very secure :)

I already checked this: Authorization and Authentication to REST API from JavaScript Client, and read a lot of information on the internet, but it seems to be impossible to authenticate from JavaScript (the code is visible).

Thanks a lot!

Maros2710

2 Answers


Yes, you can, but there are some things to be aware of. Once the user of your JS application is authenticated, you can store them within the local storage. Then you can use them within your request. Be careful of possible XSS attacks.

Here are some links that can help you:

Hope it helps you, Thierry

Thierry Templier

As you mention, storing confidential credentials in the browser is a bad idea (due to XSS vulnerabilities). HTTPS-Only cookies are the most secure way to store an authentication token on the client (to minimize XSS attacks), but you'll need to set up a CSRF prevention strategy as well.

Here's an article I've written that discusses the details in greater depth:

Token Based Authentication for Single Page Apps

Disclaimer: I work at Stormpath

robertjd
  • Can't the JSON encoding process for a JWT token be viewed by anyone by just clicking on Inspect Element in Chrome? – Erik Thiart Jan 28 '19 at 06:45