Open p0lyn0mial opened 5 years ago
@kubermatic/ui-team this issue is over a year old, is it still relevant?
Quite relevant. This requires some backend changes though.
This is still relevant and important for our customers.
Tracked as part of https://support.kubermatic.com/a/tickets/6068?current_tab=details support ticket.
Note: Issues relating to this epic are managed via ZenHub.
At the moment the dashboard uses the OAuth Implicit Grant flow for login. This is bad for at least two reasons. Firstly, the Implicit flow is not considered secure, mainly because the ID token is returned in the URL. Secondly, its lifetime is usually short (one day in our case), which requires users to constantly log in to the app.
To solve the mentioned issues we could use Authorization Code; below is a simplified diagram depicting the interactions between the actors.
User (Browser) <-- (1, 4) --> Server <-- (2, 3) --> OIDC Provider
In step 1 a user sends a request to a server without exposing any credentials like the Client ID (Implicit Grant); next, the server and the provider exchange a series of requests. At the end the server gets both the ID and Refresh tokens. In step 4 the tokens are sent back to the user.
Tokens are considered confidential and should be stored carefully, therefore:
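The four-step exchange described in the issue, as an added example in Go (this is not code from the Kubermatic dashboard or its backend): a mock OIDC provider token endpoint and a dashboard backend that performs steps 1 to 4 on the user's behalf. The provider, the client id and secret values, the token formats and the in-memory stores are all constructed for the example. The backend verifies the `state` value before contacting the provider, the provider accepts each authorization code only once, and, as one way of meeting the "stored carefully" requirement, the tokens stay on the server while the browser receives only an opaque id in an HttpOnly, Secure cookie.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// randomToken returns 32 hex characters of CSPRNG output for codes, state values and session ids.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback if the CSPRNG fails
	}
	return hex.EncodeToString(b)
}

// Tokens is the confidential result of the exchange; in this design it never leaves the server.
type Tokens struct {
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
}

// IssueCode models step 2: after login the provider hands the browser a one-time code (codes = unredeemed codes).
func IssueCode(codes map[string]bool) string {
	code := randomToken()
	codes[code] = true
	return code
}

// TokenEndpoint is a constructed stand-in for the provider's token endpoint (step 3): a server-to-server call.
func TokenEndpoint(clientID, clientSecret string, codes map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.PostFormValue("grant_type") != "authorization_code" ||
			r.PostFormValue("client_id") != clientID || r.PostFormValue("client_secret") != clientSecret {
			http.Error(w, "invalid_client", http.StatusUnauthorized)
			return
		}
		code := r.PostFormValue("code")
		if !codes[code] {
			http.Error(w, "invalid_grant", http.StatusBadRequest)
			return
		}
		delete(codes, code) // single use: a replayed code is refused
		json.NewEncoder(w).Encode(Tokens{IDToken: "id-" + code, RefreshToken: "refresh-" + code})
	}
}

// Server is the dashboard backend. The example is single-threaded, so its maps carry no mutex.
type Server struct {
	TokenURL, ClientID, ClientSecret string
	states                           map[string]bool   // pending logins, keyed by state
	Sessions                         map[string]Tokens // logged-in users, keyed by opaque session id
}

func NewServer(tokenURL, id, secret string) *Server {
	return &Server{TokenURL: tokenURL, ClientID: id, ClientSecret: secret, states: map[string]bool{}, Sessions: map[string]Tokens{}}
}

// BeginLogin is step 1: the browser gets only a random state to carry to the provider; the secret stays here.
func (s *Server) BeginLogin() string {
	state := randomToken()
	s.states[state] = true
	return state
}

// Callback covers steps 3 and 4: check state, redeem the code, keep the tokens server-side, return a session id.
func (s *Server) Callback(code, state string) (string, error) {
	if !s.states[state] {
		return "", fmt.Errorf("unknown or reused state")
	}
	delete(s.states, state)
	resp, err := http.PostForm(s.TokenURL, url.Values{"grant_type": {"authorization_code"},
		"code": {code}, "client_id": {s.ClientID}, "client_secret": {s.ClientSecret}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	var tok Tokens
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", err
	}
	sid := randomToken()
	s.Sessions[sid] = tok
	return sid, nil
}

// SessionCookie is what step 4 sends the browser: HttpOnly + Secure, carrying the opaque id, not the tokens.
func SessionCookie(sid string) *http.Cookie {
	return &http.Cookie{Name: "session", Value: sid, Path: "/", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteLaxMode}
}
```

Wire it up with `httptest.NewServer(TokenEndpoint(id, secret, codes))` as the provider, call `BeginLogin`, `IssueCode` and `Callback` in that order, and set `SessionCookie(sid)` on the response. Because the id token is only ever looked up through `Sessions` on the backend, it no longer appears in any URL, and the refresh token lets the backend renew the session without the user logging in again.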