Blog | G5 Cyber Security

Secure Internet Access: No User Data Storage

G5 Cyber Security

TL;DR

Allow users to access your service over the internet without storing their passwords or personal details on your servers. Use a trusted Identity Provider (IdP) like Google, Facebook, or Okta for authentication and OAuth 2.0/OpenID Connect for authorization.

Solution Guide

  1. Choose an Identity Provider (IdP): Select a well-known IdP that your users likely already have accounts with. Popular choices include:
    • Google
    • Facebook
    • Okta
    • Microsoft Azure AD

    Consider factors like user demographics, security reputation, and ease of integration.

  2. Register Your Application with the IdP: Each IdP has a developer portal where you register your application. This process will provide you with:
    • Client ID: A unique identifier for your application.
    • Client Secret: A confidential key used to authenticate your application (keep this secure!).
    • Redirect URI(s): The URL(s) where the IdP will send users after authentication. This must match exactly what you configure in your application.
  3. Implement OAuth 2.0/OpenID Connect: Use a suitable library or framework for your programming language to handle the OAuth 2.0 flow.
    • Initiate Authentication: Redirect the user to the IdP’s authorization endpoint. This URL will include your Client ID, Redirect URI, and requested scopes (permissions).
    • Handle the Callback: After successful authentication, the IdP redirects the user back to your Redirect URI with an authorization code.
    • Exchange Code for Tokens: Your application exchanges the authorization code for access tokens (and potentially refresh tokens). 
      POST /token
      { "grant_type": "authorization_code", "code": "AUTHORIZATION_CODE", "redirect_uri": "YOUR_REDIRECT_URI", "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET" }
    • Validate the ID Token (OpenID Connect): If using OpenID Connect, validate the ID token to verify the user’s identity.
  4. Securely Store Access Tokens: Do not store access tokens in cookies or local storage on the client-side. Use server-side sessions.
  5. Authorize Access Based on Scopes: When a user requests access to protected resources, check if they have the necessary scopes (permissions) granted by the IdP.
    • Example: If a resource requires “profile” scope, verify that the access token includes this scope.
  6. Refresh Tokens (Optional): Use refresh tokens to obtain new access tokens without requiring the user to re-authenticate frequently.
    • Store refresh tokens securely on your server.
    • Implement a mechanism to revoke refresh tokens if necessary.
  7. Protect Your Client Secret: Never expose your client secret in client-side code or public repositories.
  8. HTTPS Only: Ensure all communication between your application and the IdP is over HTTPS to protect sensitive data.
Exit mobile version