
I'm struggling with setting up a reliable and performant solution for communication between the frontend and different microservices. I do not really know how to maintain (maybe it is not needed) CSRF between my frontend and the end services.

Solutions stack: PHP, Laravel Passport, JWT, oAuth 2.0, Axios

Current approach: I actually started with the approach from Laravel Passport's docs: https://laravel.com/docs/5.4/passport#consuming-your-api-with-javascript

  1. Using oAuth 2.0 to authorize a user from website A to service B. A JWT token is returned for further communication.
  2. The token is saved in a cookie within website A.
  3. Once the user is authorized, website A uses the JWT token to make requests without additional calls to the oAuth server, by sending the JWT token as a cookie via HTTP headers (withCredentials) to authorize the user.
  4. For each of website A's requests a CSRF token was created by service B, since the user is authorized and the cookie could be used by another, unauthorized website to access service B. That was killing my performance, since a CSRF token has to be retrieved for each request made. (That is what I actually assumed from the Laravel Passport approach, i.e. that I need to create a CSRF token alongside the JWT token; maybe that was a mistake.)

My concerns:

Regarding James Ward's post: http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services

The easiest way to do authentication without risking CSRF vulnerabilities is to simply avoid using cookies to identify the user.

Cookies themselves are not the cause of CSRF vulnerabilities. It’s using the cookies on the server to validate a user that is the cause of CSRF. Just putting an authentication token into a cookie doesn’t mean it must be used as the mechanism to identify the user.

From my understanding, a JWT set in website A's cookie, with its domain set, could not be accessed by any other site from outside. Because of that, there is no possible way to make a request to service B without access to the JWT.

So do we really need CSRF to secure service B against a potential attack while using JWT?

If so, how could I achieve the best (in terms of performance) way to generate CSRF tokens across different services, to be sure that the communication would not be vulnerable to attacks from different sites?

Any advice will be appreciated!

Rafał Łyczkowski
    Read http://stackoverflow.com/q/21357182/2575224 – Constantin Galbenu May 06 '17 at 04:49
  • Not in your stack, Spring Cloud Netflix has solutions for a lot of these problems. At least a read about their approach might help. – code May 06 '17 at 06:29
  • Thank you for the response and resources. I feel like there is always something missing, and it is hard to find a good full-stack solution for communication between microservices. I've updated my concerns with a quote from James Ward's blog post, which is actually good for understanding this. – Rafał Łyczkowski May 07 '17 at 21:38

0 Answers