scholarly journals Managing a Secure Refresh Token Implementation with JSON Web Token in REST API

2021 ◽  
pp. 01-20
Author(s):  
Ehab .. ◽  
◽  
◽  
◽  
Walid .. ◽  
...  
Keyword(s):  
Security Measures ◽  
Size Limit ◽  
Server Side ◽  
Front End ◽  
Side Component ◽  
Authentication And Authorization ◽  
Security Properties ◽  
Rest Api ◽  
Client Side ◽  
The Web

JSON Web Token (JWT) is a compact and self-contained mechanism, digitally authenticated and trusted, for transmitting data between various parties. They are mainly used for implementing stateless authentication mechanisms. The Open Authorization (OAuth 2.0) implementations are using JWTs for their access tokens. OAuth 2.0 and JWT are used token frameworks or standards for authorizing access to REST APIs because of their statelessness and signature implementation and JWT tokens are based on JSON and used in new authentication and authorization protocols in OAuth 2.0 because of their small size. When refresh tokens are stored in cookies, the size limit of a cookie or URL may be quickly exceeded. There may be refresh tokens for accessing users and getting the refresh token is a bit more complicated and refresh tokens in the browser require additional security measures and the attacker steals a refresh token and attempts to use it after the application has already used it. This implies that the attacker was able to steal a refresh token from the application. If the refresh token can be stolen, then so can the access token, even short token lifetimes can still lead to major abuse scenarios. In this article, we discuss the security properties of refresh tokens in the browser and the pattern to secure JWT tokens in the web front-end better. We propose a Backend for Frontend (BFF) pattern, where the token handling is deferred to the server-side component to a secure token that provides a lot of flexibility to the client-side.

scholarly journals Development Authentication and Authorization Systems of Multi Information Systems Based REst API and Auth Token

2020 ◽  
Vol 1 (2) ◽  
pp. 127
Author(s):  
Indra Gita Anugrah ◽  
Muhamad Aldi Rifai Imam Fakhruddin
Keyword(s):  
System Integration ◽  
Web Browser ◽  
Single Sign On ◽  
Server Side ◽  
Secure Data ◽  
Authentication And Authorization ◽  
Information System Integration ◽  
Rest Api ◽  
Client Side

The security of an application is the most important problem in an information system integration process. The authentication and authorization process is usually carried out using Single Sign On (SSO). Authentication and authorization methods are used to secure data in a system. The authentication and authorization processes are carried out on the client side (web browser) in the form of a session and on the server side (web server) in the form of cookies. Sessions and cookies are valuable assets in the authentication and authorization process because they contain the data required for the login process so that the session and cookies need to be secured. Session is a combination of username and password data that has been encrypted while cookies store login information data so that they are still in a state of gaining access according to the privileges given to the user. So important is the role of sessions and cookies in the authentication and authorization process, so we need a way to secure data on sessions and cookies. One way to secure data is to use the REst API and Auth Token.

scholarly journals Prosedur efektif pengembangan aplikasi basis data

2019 ◽  
Vol 2 (1) ◽  
Author(s):  
Zulkarnaen Hatala
Keyword(s):  
Web Application ◽  
Specific Requirement ◽  
Application System ◽  
Web Based ◽  
Database Application ◽  
Server Side ◽  
The Right ◽  
Client Side ◽  
The Web

Abstract—Efficient and quick procedure to build a web application is presented. The steps are intended to build a database application system with hundreds of tables. The procedure can minimize tasks needed to write code and doing manual programming line by line. The intention also to build rapidly web-based database application. In this method security concerning authentification and authorization already built in ensuring the right and eligible access of the user to the system. The end result is ready to use the web-based 3-tier application. Moreover, the application is still flexible to be customized and to be enhanced to suit more specific requirement in part of each module of the software both the server-side and client-side programming codes. Abstrak—Pada penelitian kali ini diusulkan prosedur cepat dan efisien pengembangan aplikasi basis data menggunakan generator aplikasi. Bertujuan untuk meminimalisir penulisan bahasa pemograman. Keuntungan dari prosedur ini adalah bisa digunakan untuk mengembangkan aplikasi basis data secara cepat terutama dengan sistem basis data yang terdiri dari banyak tabel. Hak akses dan prosedur keamanan standar telah disediakan sehingga setiap user terjamin haknya terhadap entitas tertentu di basis data. Hasil generasi adalah aplikasi basis data berbasis web yang siap pakai. Sistem aplikasi yang terbentuk masih sangat lentur untuk untuk dilakukan penyesuaian setiap komponen aplikasi baik di sisi server maupun di sisi client.

PAKE on the Web

2011 ◽  
pp. 337-350
Author(s):  
Xunhua Wang ◽  
Hua Lin
Keyword(s):  
Web Sites ◽  
Web Applications ◽  
Identity Management ◽  
Mutual Authentication ◽  
Specific Information ◽  
Mobile Code ◽  
Web Browser ◽  
Server Side ◽  
Client Side ◽  
The Web

Unlike existing password authentication mechanisms on the web that use passwords for client-side authentication only, password-authenticated key exchange (PAKE) protocols provide mutual authentication. In this article, we present an architecture to integrate existing PAKE protocols to the web. Our integration design consists of the client-side part and the server-side part. First, we implement the PAKE client-side functionality with a web browser plug-in, which provides a secure implementation base. The plug-in has a log-in window that can be customized by a user when the plug-in is installed. By checking the user-specific information in a log-in window, an ordinary user can easily detect a fake log-in window created by mobile code. The server-side integration comprises a web interface and a PAKE server. After a successful PAKE mutual authentication, the PAKE plug-in receives a one-time ticket and passes it to the web browser. The web browser authenticates itself by presenting this ticket over HTTPS to the web server. The plug-in then fades away and subsequent web browsing remains the same as usual, requiring no extra user education. Our integration design supports centralized log-ins for web applications from different web sites, making it appropriate for digital identity management. A prototype is developed to validate our design. Since PAKE protocols use passwords for mutual authentication, we believe that the deployment of this design will significantly mitigate the risk of phishing attacks.

Server-Side Technologies

2011 ◽  
pp. 213-221
Author(s):  
John DiMarco
Keyword(s):  
Database Management ◽  
Large Scale ◽  
Server Side ◽  
Good Point ◽  
The Future ◽  
Client Side ◽  
The Web

When this book went out for review, one of the reviewers was insightful enough to recommend that I include some information on server-side technologies. As I thought about the scholar’s comments, I came to a few conclusions about the importance of server-side technologies and their use within the Web portfolio. For the most part, you can create a simple Web portfolio by using only client-side tools. Client-side tools and technologies include Macromedia Dreamweaver, Adobe audition, Macromedia Fireworks, HTML, and JavaScript. But the reviewer made a good point in stating that ignoring server-side technologies seemed inappropriate. With this in mind, and with the help and research and writing contributions of my colleague and friend David Power, we provide a basic overview of PHP, ASP, ASP.net, CGI & Perl, and ColdFusion. These backend technologies have database driven components which may or may not be needed in today’s Web portfolio. But as content grows in quantity, quality, and resolution, they need for large-scale database management even on personal Web portfolio levels becomes more evident. In the future, the integration of server-side technologies will surely become a large part of personal Web portfolio activities.

scholarly journals Comparison between client-side and server-side rendering in the web development

2020 ◽  
Vol 801 ◽  
pp. 012136
Author(s):  
Taufan Fadhilah Iskandar ◽  
Muharman Lubis ◽  
Tien Fabrianti Kusumasari ◽  
Arif Ridho Lubis
Keyword(s):  
Web Development ◽  
Server Side ◽  
Client Side ◽  
The Web

scholarly journals Design of Online-Based Tourism Ticket Purchase System

2021 ◽  
Vol 3 (2) ◽  
pp. 59-71
Author(s):  
Salsabila Safira Azalea
Keyword(s):  
Information System ◽  
Programming Language ◽  
Technology Development ◽  
The Internet ◽  
Server Side ◽  
Tourism Promotion ◽  
Client Side ◽  
Ticket Purchase ◽  
The Military ◽  
The Web

In this day and age, technology development is very rapid, especially the development of the internet which greatly facilitates human work in various fields such as the military, offices, factories, medical, and entertainment. Entertainment is something that is very much needed for some people because of the density of activities, for many recreational places have started to use all their activities through the web, one of which is in terms of promotions and ticket purchases. Here the author makes a system where ticket purchases can be made via the web. Starting from designing the existing displays by coding with the programming language that has been determined, for client-side namely HTML, CSS (Bootstrap), and JavaScript as well as server-side using PHP and MySQL. After that, it is implemented using a computer. This writing aims to build a ticket purchase information system and tourism promotion that is simple and easy to use.

scholarly journals Designing RESTful API for the e-procurement system in private sector

2021 ◽  
pp. 003-015
Author(s):  
А.Yu. Doroshenko ◽  
◽  
B.V. Bodak ◽  
Keyword(s):  
Data Repository ◽  
Business Logic ◽  
Server Side ◽  
Finite State ◽  
Open Standard ◽  
Authentication And Authorization ◽  
Procurement System ◽  
Cache Mechanism ◽  
Distributed Cache ◽  
Client Side

The software for the e-procurement system was developed based on .NET Core RESTful API with Open API specifications. The server side uses RESTful API which ensures compatibility with the ma-jority of clients and enables them to exchange information in JSON format. The authentication and authorization flow was implemented using OAuth open standard paired with Microsoft Identity Service. User roles and functionality were handled with a standalone service for authentication and registration that made our system efficient and scalable. Business logic was designed to be split into micro-services accessible through rout-ing controllers. This approach allowed us to separate the responsibilities between the server and the client side. Special authorization headers passed during modi-fication queries allowed us to control and restrict access to particular resources for unauthorized users. The distributed cache mechanism inside the data repository level was used in order to increase the responsiveness of the system. The state handling subsystem was designed utilizing Finite State Machine concepts. The developed system was verified using unit and integration tests.

PAKE on the Web

2009 ◽  
Vol 3 (4) ◽  
pp. 29-42 ◽  
Author(s):  
Xunhua Wang ◽  
Hua Lin
Keyword(s):  
Web Sites ◽  
Web Applications ◽  
Identity Management ◽  
Mutual Authentication ◽  
Specific Information ◽  
Mobile Code ◽  
Web Browser ◽  
Server Side ◽  
Client Side ◽  
The Web

Unlike existing password authentication mechanisms on the web that use passwords for client-side authentication only, password-authenticated key exchange (PAKE) protocols provide mutual authentication. In this article, we present an architecture to integrate existing PAKE protocols to the web. Our integration design consists of the client-side part and the server-side part. First, we implement the PAKE client-side functionality with a web browser plug-in, which provides a secure implementation base. The plug-in has a log-in window that can be customized by a user when the plug-in is installed. By checking the user-specific information in a log-in window, an ordinary user can easily detect a fake log-in window created by mobile code. The server-side integration comprises a web interface and a PAKE server. After a successful PAKE mutual authentication, the PAKE plug-in receives a one-time ticket and passes it to the web browser. The web browser authenticates itself by presenting this ticket over HTTPS to the web server. The plug-in then fades away and subsequent web browsing remains the same as usual, requiring no extra user education. Our integration design supports centralized log-ins for web applications from different web sites, making it appropriate for digital identity management. A prototype is developed to validate our design. Since PAKE protocols use passwords for mutual authentication, we believe that the deployment of this design will significantly mitigate the risk of phishing attacks.

DYNAMIC REST SERVICES ORCHESTRATION USING THE KNOWLEDGE BASE

2019 ◽  
Author(s):  
Kostyantyn Kharchenko
Keyword(s):  
Knowledge Base ◽  
Service Oriented Architecture ◽  
Main Idea ◽  
The Real ◽  
Server Side ◽  
Service Oriented ◽  
Services Orchestration ◽  
Client Side ◽  
Abstract Operation ◽  
Microservice Architecture

The approach to organizing the automated calculations’ execution process using the web services (in particular, REST-services) is reviewed. The given solution will simplify the procedure of introduction of the new functionality in applied systems built according to the service-oriented architecture and microservice architecture principles. The main idea of the proposed solution is in maximum division of the server-side logic development and the client-side logic, when clients are used to set the abstract computation goals without any dependencies to existing applied services. It is proposed to rely on the centralized scheme to organize the computations (named as orchestration) and to put to the knowledge base the set of rules used to build (in multiple steps) the concrete computational scenario from the abstract goal. It is proposed to include the computing task’s execution subsystem to the software architecture of the applied system. This subsystem is composed of the service which is processing the incoming requests for execution, the service registry and the orchestration service. The clients send requests to the execution subsystem without any references to the real-world services to be called. The service registry searches the knowledge base for the corresponding input request template, then the abstract operation description search for the request template is performed. Each abstract operation may already have its implementation in the form of workflow composed of invocations of the real applied services’ operations. In case of absence of the corresponding workflow in the database, this workflow implementation could be synthesized dynamically according to the input and output data and the functionality description of the abstract operation and registered applied services. The workflows are executed by the orchestrator service. Thus, adding some new functions to the client side can be possible without any changes at the server side. And vice versa, adding new services can impact the execution of the calculations without updating the clients.

Sign in / Sign up

Export Citation Format

Share Document