Best way to handle discord oauth2 with JWT's in springboot webflux
I'm trying to implement Discord OAuth2 with JWTs. I already have something working, but I don't know if I'm doing something unsafe; I searched online and there are so many ways to do it, and a lot of the stuff I found is old. And I currently don't know how to add the CSRF token.
27 Replies
This post has been reserved for your question.
Hey @TheoreticalTraining! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity. TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
In case your post is not getting any attention, you can try to use /help ping.
Warning: abusing this will result in moderative actions taken against you.
show how you currently have it
The code is pretty long, sending every class; is it possible to get in a call maybe?
ancient rule of programming helping says no talking
only text
not always right ngl. I've had a bunch of times where it was worth it and has been done, but in a case like this? how many files is it gonna be, 5? 10? nothing too crazy or complicated. just give us the files.
This should be everything related to OAuth I coded so far: https://pastebin.com/zXuCZeWH
Pastebin preview: @Component public class JwtReactiveAuthenticationManager implements ...
I'll take a look at it for you
Your implementation is solid
You have to set up a JWT blacklist for invalidated JWT tokens, but except for that it's pretty solid.
You can prevent CSRF attacks by either sending a CSRF token via a custom GET route
/api/v1/csrf
and making it mandatory to set the X-CSRF header or body property on POST/PUT/DELETE requests.
Or... a simpler approach would be to store the JWT in localStorage instead of as a cookie.
You'd then manually (or using a request interceptor from the frontend) include an "Authentication" header on each request.
It'd also prevent CSRF attacks
But I don't think I understood these CSRF tokens. Are they just tokens generated on the first login and saved in a DB with the JWT, and on every request it checks if the CSRF token corresponds to the JWT?
They are generated uniquely for every request that updates or changes some state within the server.
Let's say you have an endpoint to send email to people
You'd have to implement CSRF for that
You'd basically generate a CSRF token every time before you make a POST/PUT/DELETE request to the backend
And how does it check if the request is authorized or not?
And then include the CSRF token as a header or the request body for the server to check
You'd still need to use JWT for that
So by checking the signature on it?
Yes. You'd also verify the JWT Token at every request
If server has an endpoint that deals with critical stuff (like creating/deleting users) you'd need to verify both the JWT and the CSRF
So to recap, before making any request from the frontend I should create a new JWT, add some info about the request in it, sign it and set it as the CSRF cookie, and send it in the request with the session token, and in the backend just check its signature and data to check if the request is valid?
No...
You don't need to regenerate JWT.
Basically, before making any request from the frontend, you should make the frontend request
/api/csrf to get a CSRF token that's tied to your JWT token through an in-memory cache (private static Map<CSRFTokenString, JWTEntity>).
And in each POST/PUT/DELETE request, you should check getHeader("X-CSRF-TOKEN") != null.
And also val jwt = Map<CSRF... Entity>.getOrReturn(getHeader("X-CSRF-TOKEN")) and then check jwt.equals(getJWTFromCookieOrHeader("Authorization")).
Using a Map to store CSRF tokens associated with JWTs kinda defeats the point of JWTs
at that point, you can also use a hash of the JWT or similar
or even the JWT or just the signature itself
It was just meant to provide the theory
Normally you'd use the hash or the signature
I personally just don't use CSRF at all (in most cases)
Just store the JWT in browser local storage
And then inject it as a header in each request via a request interceptor
there are reasons for and against it - some people care about having it in an HttpOnly cookie and then e.g. use the hash as a CSRF token
That can be an additional protection against token stealing in some cases
I guess it also depends on what type of content you serve
There are a bunch of ways of protecting from CSRF
If I'm working on the admin dashboard or an internal tooling that doesn't have the risk of XSS, I will probably just use the local storage.
This way the backend API (if rest) can be easily decoupled from the browser and other security stuff, and I can just use the API for CLI authentication or communication between other services.
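For readers wanting to see the "JWT in an HttpOnly cookie, hash of the JWT as the CSRF token" variant from the discussion above in Spring WebFlux terms, here is an added example. It is not the original poster's code from the pastebin and not from Spring or Discord; the cookie name `jwt`, the header name `X-CSRF-TOKEN`, the route `/api/csrf`, the class names and the placeholder key are all assumptions. Instead of a plain hash it derives the token as an HMAC of the JWT under a server-side key, so the server keeps no Map of CSRF tokens to JWTs: it recomputes the expected token from the cookie on every state-changing request and compares in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.http.HttpCookie;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/**
 * Illustrative CSRF filter for the "JWT in an HttpOnly cookie + hash-derived CSRF token"
 * approach. The CSRF token is HMAC-SHA256(key, jwt), so the server keeps no
 * Map<csrfToken, jwt>; it recomputes the token from the cookie it receives.
 * Cookie/header names and the key are assumptions made for this example.
 */
@Component
public class CsrfFilter implements WebFilter {

    static final String JWT_COOKIE = "jwt";           // assumed cookie name
    static final String CSRF_HEADER = "X-CSRF-TOKEN"; // header the frontend must send

    // Placeholder key: load it from configuration or a secret store in a real deployment.
    private final SecretKeySpec csrfKey = new SecretKeySpec(
            "REPLACE-WITH-A-RANDOM-KEY-FROM-CONFIG".getBytes(StandardCharsets.UTF_8), "HmacSHA256");

    /** Derives the CSRF token for a JWT: base64url(HMAC-SHA256(key, jwt)). */
    public String csrfTokenFor(String jwt) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(csrfKey);
            byte[] tag = mac.doFinal(jwt.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }

    /** Constant-time check of the presented header value against the expected token. */
    public boolean isValid(String jwt, String presented) {
        if (jwt == null || presented == null) {
            return false;
        }
        byte[] expected = csrfTokenFor(jwt).getBytes(StandardCharsets.UTF_8);
        byte[] actual = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Only requests that can change state need the CSRF check. */
    private static boolean isStateChanging(HttpMethod method) {
        return !(HttpMethod.GET.equals(method) || HttpMethod.HEAD.equals(method)
                || HttpMethod.OPTIONS.equals(method) || HttpMethod.TRACE.equals(method));
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        var request = exchange.getRequest();
        if (!isStateChanging(request.getMethod())) {
            return chain.filter(exchange); // JWT authentication still runs in its own filter
        }
        HttpCookie cookie = request.getCookies().getFirst(JWT_COOKIE);
        String jwt = cookie == null ? null : cookie.getValue();
        if (!isValid(jwt, request.getHeaders().getFirst(CSRF_HEADER))) {
            exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
            return exchange.getResponse().setComplete();
        }
        return chain.filter(exchange);
    }
}

/** GET /api/csrf (assumed route): hands the caller the token for its own JWT cookie. */
@RestController
class CsrfController {
    private final CsrfFilter csrf;

    CsrfController(CsrfFilter csrf) {
        this.csrf = csrf;
    }

    @GetMapping("/api/csrf")
    Mono<String> token(@CookieValue(name = CsrfFilter.JWT_COOKIE, required = false) String jwt) {
        if (jwt == null) {
            return Mono.error(new ResponseStatusException(HttpStatus.UNAUTHORIZED));
        }
        return Mono.just(csrf.csrfTokenFor(jwt));
    }
}
```

The frontend calls GET /api/csrf once after login (the token only changes when the JWT changes) and sends the value in X-CSRF-TOKEN on every POST/PUT/DELETE; a cross-site page cannot read the HttpOnly cookie, cannot read the /api/csrf response as long as CORS stays strict, and therefore cannot produce a matching header. This filter only binds the header to the cookie; validating the JWT's signature and expiry, and consulting the blacklist mentioned earlier, remains the job of the existing JwtReactiveAuthenticationManager.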