I am experimenting with third party login, using Twitter and Facebook.
After getting an access token from these parties, and confirming its validity, I then issue my own JWT token that's used within my application cluster. The only thing I use the 3rd party token for is getting an email address and user id; I don't interact with the social network in any other way, except for revalidation. Basically it's just so that users don't have to fill in a new password.
I have several services, each on a different subdomain. These services somewhat adhere to the philosophy of microservices, and each is responsible for a narrow scope of functionality (e.g. UAC, business entity repo, etc.).
The sole purpose of the JWT token is to decrease auth check complexity among the other services, which shouldn't be OAuth provider aware. I also don't want to identify which provider they chose in the publicly visible JWT.
I installed the third party (officially approved) SDK on the UAC microservice, with which I'm interacting through AJAX requests.
The flow I'm worried about is something like this:
- Request URL from UAC module via AJAX (in turn request the same through SDK)
- Redirect to obtained URL, user authorizes my app
- Redirect back to the callback URI (on the presentation layer, the root URL)
- Via HTTP request (presentation layer, server side) forward the access token to the UAC module with a CSRF token
- Manually set the CSRF token in the session so it checks out
- Validate access token through SDK and issue my own JWT
This violates the CSRF layer. I bypassed this by manually setting the CSRF token on the UAC side, and successfully gained a long-lived access token from FB.
That way I can issue my own JWT and be done with it.
I am, however, worried that this practice (even though under HTTPS) is creating a vulnerability.
In simplest terms: I want to achieve the same functionality as regular OAuth with these providers, but I need to split the process between two subdomains. Neither of these should have a PHP session if possible.