
Another site is embedding my app (Laravel + Vue SPA) in an iframe. After the other site sends my app the user's information server-side, I create a JWT for that user (all server side) to be used on my site for authentication. I then pass the information back to the browser to log in the user. I've read that passing back the JWT in the URL isn't secure, so my plan is to:

  1. Store the JWT in my database and just send the index back to the client
  2. Put the key in localStorage (while in the iframe of the other site)
  3. Allow the user to open my site in a new window, then use the key to query my database, get the JWT and log in the user (I was having issues keeping the user logged in when opening the new window which is why I'm going through this process)
  4. I then refresh the JWT, delete the old JWT from my database and delete the index from localStorage.

Does this sound like a secure approach?

Eric
  • If you're gonna do step 1 and 2 then why use JWT at all? You need to send the JWT in the headers when requesting something from your app. Even if your app is in an iframe, the user still has a persistent session via cookies/local storage. I don't see the issue you're facing and your question is kinda opinion based. – N69S Apr 01 '22 at 14:30
  • When my app is not in an iframe, my approach is to send the JWT in the headers. The problem that I was having was that when going from an iframe in the other app to loading it in a new window, my app was losing the JWT. And I would have saved the JWT in local storage on the first request before loading in a new window, but was unsure if that was secure. – Eric Apr 01 '22 at 14:57
  • It's as secure as it can be. – N69S Apr 01 '22 at 15:37
  • Do you mean to say that it's as secure as whatever my normal non-iframe implementation is? (i.e. my normal non-iframe approach of just sending the JWT in the headers) – Eric Apr 01 '22 at 17:15

0 Answers