Request authentication methods

COOKIE
OAuth token (held on the front end) - cons
  - Security policy enforcement is hard to implement
  - Logging out some / all sessions is hard
  - Requires CSRF protection for POSTs (hidden form field or a second cookie)
  - Web Crypto API: messages are signed in the browser with the private key of a Web Crypto key pair and verified on the server with the public key
  - Redirects (full page navigations) are not supported, as the token is held in memory
  - Problem with the previous auth session in Hydra: logging out requires the ID token (id_token_hint)
  - Problem with having a planned session expiry, say expire after 1h of inactivity: we don't control OAuth token expiration
  - IP-address-based tracking (unreliable behind NAT and on mobile networks)

JWT
  - Any desired custom attribute (claim) can be added to the token
  - We can control expiration as needed
  - We can "remember" previous sessions and let the user choose among them
  - Distribution of public keys is needed (con: every service that verifies tokens needs the signing public key)
  - User can selectively log out any session / on any device (requires a session id claim plus a server-side session registry, since a signed token cannot itself be revoked)

Remarks
- The login form needs to be protected by CSRF in any case
- For REST apps the CSRF token can be generated once, on logging in