JWT based authentication for web app and native android app
Question
I've a back-end server implementing JWT based authentication for REST APIs. While the front-end webapp is developed in angular js and I am planning to store JWT in HTTPOnly cookie ( with CSRF protection ). These REST APIs are also being accessed by a native android app. However, it looks like native android app can not set cookies. I would like to avoid storing JWT in browser local storage.
Is there a common and secure way to implement JWT based authentication for a REST APIs which works for for both a web app and a native android mobile app?
Earlier I thought of using USER-AGENT to distinguish between webapp and mobile app and implement two different auth mechanism.
1 answers
solution1
0 2019-08-14 18:36:37
If you do as the protocol (OAuth 2.0), you only send the token to the user using a fragment, a query string or a form post (depending on the client preference) not a cookie! How they store the token is up to them. Once you send something to a public client there is nowhere safe to save anything. you better put the token in local storage or session storage rather than cookies which may lead to CSRF attacks. Access_Token is short-lived and its leakage should not be harmful.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.