W
W
WebDev2018-04-19 11:33:37
Information Security
WebDev, 2018-04-19 11:33:37

Is such authorization secure?

Hello. There is a large project that has several children and mobile applications.
The subsites are SPAs on vue.js, each with their own cordova mobile app. For convenience, the code for each site and the application code for that site is the same. In fact, a mobile application is just a mobile version of the site, which is wrapped in cordova and can access the phone's API.
There is a need for a single authorization through third-party services, which is more than 10. Some of these services provide different domains for authorization (for example, via Facebook), while others can use only one domain. In addition, there is no domain in mobile applications.
The domain structure is something like this:
base.domain.com- the main and main domain on which the admin panel is located and to which a redirect from social networks is configured during authorization.
domain1.com, domain2.com, domain3.com - SPA sites that pull data via Ajax from base.domain.com (plus three mobile applications)
To unify all this, I decided to do authorization as follows:
Using facebook as an example. From any of the child sites, the person is sent to facebook (or any other third-party service for authorization) to the authorization window, and after authorization, he is transferred to base.domain.com. There I get all the data, authorize the person, write some hash to the database and redirect to base.domain.com?token=xxxxxx, where token is the hash that I save on the child site with localstorage and use it to make requests as an authorized user.
Thus, I was able to use the same authorization scheme for all six applications without having different accounts on social networks and without using different authorization methods.
What are the disadvantages of my method?
I myself only see that the token is transmitted in cleartext, I see two solutions:
1) Pass it in the body, that is, redirect, for example, to base.domain.com/success, and already display the hash itself on the screen. (I tried this way, there were some difficulties with getting the content of the page in the mobile application).
2) After the hash is received by the child site or application, it must be "activated" by sending a post request to the server, after which this hash will become invalid, and the application will receive an already configured hash for authorization.
Sorry it's long, I wanted to explain everything in detail. Thank you!

Answer the question

In order to leave comments, you need to log in

1 answer(s)
X
xmoonlight, 2019-07-23
@xmoonlight

... and redirect to base.domain.com?token=xxxxxx, where token is a hash that I store on the child site with localstorage and use it to make requests as an authorized user.
This is where the token (hash) of the authorized user was caught.
Why pass the hash in the URI if the client already has it (in localstorage or in the application)?
Sign a request to any of your services with a client token (i.e. an authorized user). ( the token itself - never transfer over the network ).

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question