
Friday, 26 February 2021

Web security in 2021 is challenging!


What do I mean by that statement?
First of all, ask yourself: how do you implement or control authentication and authorization in your project(s)?

And how do you audit, or otherwise make sure, that the identity providers you rely on really secure their side of things?

Think about those questions for five minutes...

Done? Good!

Let me explain my thinking:
For a typical JavaScript-based SPA (single page application) there is no default, out-of-the-box solution that gives you a quick answer to the authentication and authorization problem.
In particular, Angular, Vue and React do not prescribe any particular library or framework for meeting security requirements; the choice, and the responsibility, is left to you.

In practice it all comes down to the OAuth 2.0 protocol (with OpenID Connect on top of it for the actual login)!

I think that as a developer, or whoever is responsible for security, you have a major obligation to think about how to protect sensitive user data. In the past this was achieved with TLS (SSL), session cookies, a SQL database and server-side session management in the backend.
Many web developers no longer consider that approach a good fit for a modern SPA, and prefer JWTs (JSON Web Tokens) issued by some kind of cloud-hosted, "secure" identity provider.

The most common choice is:
OpenID Connect, an open standard built on OAuth 2.0 that is hosted and provided by many different cloud identity providers

Sounds easy enough, but wait a second: think about the dependency you are taking on!

OAuth 2.0 in a nutshell: it is an authorization framework. The SPA sends the user to an authorization server, the user proves their identity there (username, password, second factor, whatever the provider supports), and if everything checks out the SPA receives an authorization code that it exchanges for an access token (and, with OpenID Connect, an ID token). From then on the SPA presents that token to the backend APIs to act on the user's behalf.
The scopes and claims carried by the token decide which areas of the SPA and which APIs the user is allowed to reach, so there will be restricted parts you as a user simply cannot enter.

Sounds really great! Secure, and pretty complicated to implement!
Now consider what an external identity provider can really do for you: Okta and Auth0 are not open source, and whether you use them commercially or on a free plan you need some way to audit their implementation of the protocol before going into production, because once you have decided on a provider it becomes very, very difficult to change later.
In the JavaScript community some folks prefer to use Facebook, Google or even Apple for authentication and authorization, and the open source library http://www.passportjs.org/ helps to do exactly that.

As an independent consultant and as a company, we strongly believe that a client's needs must be met with high quality, and a solution that is tied to a single identity provider is neither satisfactory nor sustainable in the long term (identity provider companies are not always able to keep up the same quality for very long; it is just the nature of things!).

For my project I decided to use an open source identity provider, Gluu Server https://gluu.org , which is available both commercially and for free and can be self-hosted almost anywhere!
For my project Job manager 2020 https://github.com/orlovskyjavaprofi/jobmanager2020AngularVersion this is a very suitable solution, because I can run everything at very small cost but with high quality and high security. When I think about web security there is no silver bullet; as users we should know how well our data is protected and what kind of security measures the companies we rely on actually use.

In general you do not think about this as a user, but in enterprises with lots of sensitive data that must be protected it is a real concern, and my company is always looking for suitable solutions and iterating on the best known industry practices.
Stay tuned, because next week I will write about my Gluu Server integration experience, how compatible it really is with the latest Angular app, and what to watch out for!


Recommended websites for more information about web security with OAuth 2.0 and Angular:

https://bit.ly/3pUXWJz
https://bit.ly/2ZVHRbX
https://bit.ly/3kpAtPA
https://bit.ly/3bF4qqZ
https://bit.ly/3aWuazM
https://bit.ly/3bLD2aG
https://bit.ly/2ZQ9bsa
https://bit.ly/3q65jhD
https://bit.ly/3qSF2V3

Recommended literature for getting an idea of the actual challenges in web security:
Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 by Yvonne Wilson and Abhishek Hingnikar
Securing the Perimeter: Deploying Identity and Access Management with Free Open Source Software by Michael Schwartz and Maciej Machulak
OAuth 2 in Action by Justin Richer and Antonio Sanso
