
We are implementing a sample application using Kong API gateway with JWT authentication plugin.

As referred to in this thread, there are two ways to store a JWT in the browser: web storage or cookies. But web storage (i.e. session storage and local storage) can be vulnerable to cross-site scripting attacks (XSS). So the other option is a cookie (though CSRF should be taken care of).

I have two questions:

  1. If we use web storage to store the JWT, is there any way to stop XSS? If yes, then how will it work if the same page is opened in a new tab or reloaded?

  2. Using a cookie: we are able to send the cookies in the request. But KONG is authenticating the endpoint URL only if the JWT is set in the headers (`Authorization: Bearer <token>`) and not authenticating using cookies. Is there any way to verify a JWT that is set in cookies using the KONG API Gateway?

Sanket Gandhi

3 Answers

There is nothing wrong with storing a JWT in webStorage, unless you store sensitive data in your JWT (but you should never ever do that, since it can be decoded easily). The point is that your token shares a secret that only your server knows (that's what makes it secure); you should just put an expiration time on it to make it a lot safer.

And no, you cannot pass a JWT token in cookies, it's only in headers (here `Authorization`). I don't know about the KONG API, but they should not allow that!

(ref about JWT is here)

antoine2vey
  • Thanks for your quick reply. Yes, you are right. But we are developing a single-page application, so how can I handle the reload/refresh page scenario? If I open a new tab, then how do I pass the JWT (which is stored in web storage) in the HTTP request? – Sanket Gandhi Sep 18 '17 at 13:33
  • So you should try `localStorage` instead of `webStorage`; `localStorage` is persistent on a domain and is resistant to page reload/refresh! You just need to pass the JWT one time to your client (at login or whatever) and save it to your `localStorage`. – antoine2vey Sep 18 '17 at 13:42
  • Thanks. So how do I send the token from local storage back in the HTTP request? We know local storage is persistent on a domain. But the concern is passing the JWT token to the HTTP request. – Sanket Gandhi Sep 18 '17 at 13:53
  • I don't know, it depends on how you do your HTTP requests (with `axios`, `fetch`?). – antoine2vey Sep 18 '17 at 14:03
  • Simply, I'm copying the URL from the first tab, e.g. `http://localhost:3000`, and pasting it in a new tab. So my application is getting redirected to login instead of going forward. What I want is that when I paste the URL into the new tab and hit the enter key, it should pass the token in the request. Hope this makes my concern clear. – Sanket Gandhi Sep 18 '17 at 14:06
In order to add to @antoine2vey's answer,

It looks like your one-page application is being served from a protected API in Kong at the "/" (slash) resource. I would suggest that you get the page content from an unprotected "/" (slash) resource; the JavaScript code would then have access to the cookie and would be able to perform the request to the protected resource, passing the JWT token in the header, where Kong would be able to validate it for you.

Does this make sense?

  • Hey, thanks for the response. I'll look into it once. Right now I have made changes in Kong's code to accept the cookies (https://github.com/Mashape/kong/pull/2363) and it's running. – Sanket Gandhi Oct 11 '17 at 04:24
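The client-side part that both answers above leave to the reader (keeping the token in `localStorage` so it survives a reload or a new tab, or reading it from a cookie that page script on an unprotected "/" can see, and then putting it in the `Authorization: Bearer` header that Kong's JWT plugin checks) looks like this. This is an added example, not code from the question, either answer, or Kong; the storage key `jwt`, the cookie name, the sample claims and the placeholder signature are all constructed for it.

```javascript
// Added example, not code from the question or either answer. It shows the two
// client-side storage options the thread discusses (localStorage, or a cookie
// readable by page script on an unprotected "/") and the one thing Kong's JWT
// plugin is described as checking here: an "Authorization: Bearer" header.
// The storage key, cookie name, sample claims and fake signature are all
// constructed for this example.

const TOKEN_KEY = 'jwt'; // assumed localStorage key and cookie name

// In a browser `localStorage` is global; elsewhere (e.g. Node) use an
// in-memory stand-in so the example runs stand-alone.
const storage = (typeof localStorage !== 'undefined') ? localStorage : (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

function base64urlEncode(str) {
  const b64 = (typeof btoa === 'function') ? btoa(str) : Buffer.from(str, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return (typeof atob === 'function') ? atob(b64) : Buffer.from(b64, 'base64').toString('utf8');
}

// Builds a structurally valid JWT with a placeholder signature so the client
// side can be exercised offline. A real token is minted by the login service
// with the secret that only the server (or Kong) knows.
function makeSampleToken(claims) {
  const header = base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64urlEncode(JSON.stringify(claims));
  return `${header}.${payload}.placeholder-signature`;
}

function saveToken(token) { storage.setItem(TOKEN_KEY, token); }
function clearToken() { storage.removeItem(TOKEN_KEY); }

// Read the token from localStorage (survives reloads and new tabs on the same
// origin), falling back to a cookie that page script is allowed to read.
function loadToken(cookieHeader = (typeof document !== 'undefined' ? document.cookie : '')) {
  const fromStorage = storage.getItem(TOKEN_KEY);
  if (fromStorage) return fromStorage;
  const pair = cookieHeader.split(';').map((s) => s.trim()).find((s) => s.startsWith(`${TOKEN_KEY}=`));
  return pair ? decodeURIComponent(pair.slice(TOKEN_KEY.length + 1)) : null;
}

// Decode the payload only; the client never verifies the signature, that is
// the gateway's job with its secret.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64urlDecode(parts[1]));
}

// Treat a malformed token or a missing/past `exp` as expired so a stale token
// is dropped client-side instead of producing a 401 at the gateway.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  let exp;
  try { ({ exp } = decodePayload(token)); } catch (e) { return true; }
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// Pure helper: merge the Authorization header into fetch options.
function withAuthHeader(token, options = {}) {
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
  return { ...options, headers };
}

// fetch wrapper the single-page app calls instead of fetch; `fetchImpl` is
// injectable so it can be exercised without a network.
async function authFetch(url, options = {}, fetchImpl = globalThis.fetch) {
  const token = loadToken();
  if (!token || isExpired(token)) {
    clearToken();
    throw new Error('no valid token: send the user to login');
  }
  return fetchImpl(url, withAuthHeader(token, options));
}
```

Two design points follow from the thread. First, the reload/new-tab problem is solved entirely by where the token lives: `loadToken()` reads it back from `localStorage` on every request, so nothing has to be passed between tabs. Second, none of this removes the XSS exposure the question raises: any script that runs on the page can read `localStorage` or a non-HttpOnly cookie just as this code does, which is why the `exp` check and a short lifetime matter; the signature is still verified only by Kong with its secret.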
Cookie based authentication is implemented. https://github.com/Kong/kong/pull/2973

Sanket Gandhi