Questions tagged [single-page-app]
A single page app (SPA) is a web application using only one HTML page. JavaScript is commonly used to modify the single page, and AJAX to fetch data from the server.
77 questions
2 votes | 0 answers | 145 views
Issue with Single Sign-On (SSO) Implementation for WPF application with ADFS/MSAL
I'm encountering an issue with the implementation of Single Sign-On (SSO) in our WPF application, and I'd appreciate some guidance or insights from the community.
Here's a breakdown of our setup:
We ...
1 vote | 0 answers | 471 views
Content security policy for script-src directive
I have a web app that is built using Vite for the React front-end part and uses a .NET API backend. The backend also configures a static file service for the prebuilt frontend files but otherwise ...
1 vote | 1 answer | 2k views
Secure access and refresh token handling in a SPA
I am trying to figure out how to handle access and refresh tokens securely on the front end in a SPA. After doing a lot of reading, I still have questions/doubts about the proposed solutions I found ...
1 vote | 0 answers | 697 views
Session/cookie expire time, match access token or refresh token from AD?
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a React SPA and a .NET API, on the same domain. This web app is a case management solution that deals ...
0 votes | 1 answer | 1k views
Best practices regarding authentication in SPA/API solutions with SSO
There is really not that much good information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information ...
3 votes | 2 answers | 1k views
How to implement Double Submit Cookie with Encryption or HMAC
I'm trying to implement the Double Submit Cookie pattern with extra protection using encrypted or signed CSRF tokens. I'm working with a Single Page Application and a stateless API. The purpose of ...
1 vote | 0 answers | 267 views
Is it safe to fetch an OAuth2 token client-side and pass it to the server side?
I'm integrating my application with an external service. My application will exchange data with the external service in the context of some user. Data exchange will be done in the background on the server side.
User ...
15 votes | 6 answers | 7k views
Preventing users from tampering with input
Let's say that I have a single-page web app written in JavaScript and a server-side API, both changeable by me. The app calculates some values based on user input and POSTs these to the API. The ...
3 votes | 0 answers | 453 views
Auth0 token exchange vs Google Firebase token exchange
I'm researching our options for securing access to a single-page web app and a mobile app. The apps communicate with a REST API which, based on the authenticated user's identity, will return ...
11 votes | 2 answers | 21k views
Is it possible to set an HttpOnly Cookie from one domain to another subdomain
I am pretty sure that the answer to my question is no, but I have been having a hard time finding an answer through official documentation or other posts here. Here is a simple use case for some context:
...
0 votes | 0 answers | 245 views
Multiple user specific APIs with a single Authentication Server
I'm currently in need of some clarification for an authentication/overall strategy. First I will describe the use case and then the questions that arise for me.
Use Case
I want to have a single docker ...
1 vote | 0 answers | 658 views
Implement an SPA with IFrames, but with Single Sign-on
I want to build an SPA with ASP.NET Core (Blazor server side) with some IFrames redirecting to other applications. In this example I have, e.g., the SPA, Grafana to show graphs and Node-RED, but there ...
0 votes | 0 answers | 378 views
Delegating to multiple auth providers from a single page application
Consider a use-case in which a single page application using an OAuth identity flow has to use one of many possible identity providers, as determined by what user is logged in. More specifically, I ...
0 votes | 1 answer | 890 views
CSRF token in SPA login JSON response?
Is it safe to include the CSRF token as part of an HTTPS successful login JSON response in an SPA? If not, is there a better mechanism for sending it which avoids the Double Submit Cookie pattern?
...
1 vote | 0 answers | 191 views
SPA OAuth2 and Backchannel (Client)
I am having problems defining the flow of an application that is supposed to be authenticated / authorized securely with an SPA frontend. Currently using an SPA with a Spring application server as a ...