Using JWT with Active Directory authentication in NodeJS backend

Backend · unresolved · 1 answer · 1506 views
隐瞒了意图╮ · 2021-02-04 09:31

I am building an intranet web application consisting of an Angular frontend and a Node.JS backend. The application needs to use the corporate Active Directory for authentication

1 answer
    予麋鹿 (original poster) · 2021-02-04 10:08

    1) Is it reasonable to combine AD authorization with JWT as bearer token or what is the preferred way to build a secure backend + frontend utilizing AD for authentication?

    It is reasonable, but if you are already using Kerberos and AD to initially authenticate the user, you might consider using s4u2proxy constrained delegation, which allows the service to present the user's service ticket to the KDC and acquire (subject to authorisation checks) a ticket for a backend service (and repeat for as many services as are necessary).

    If you have a lot of backend services that need to be contacted, a single JWT bearing all the authorization claims needed for all the services to enforce authorization policy may be a better option.

    2) If JWT is a good idea, what is the best practice for securing endpoints using JWT? Is using a server side session reasonable?

    General key security practices apply:

    • Never store keys in the clear in non-volatile storage, anywhere.
    • Ideally do not store encrypted keys in attached storage on the server where, if the server is compromised, they would be subject to offline attack. Make them available to the host only at server startup.
    • Ensure key material resides in secure memory so that it cannot be swapped to disk (and/or use encrypted swap).
    • Use public key algorithms so that no secret key need exist on multiple hosts.
    • Consider using a hardware security module (HSM).
