Open in app

Sign in

Write

Sign in

Better Programming

Advice for programmers.

Follow publication

Member-only story

How To Securely Implement Authentication in Single Page Applications

Dennis Stötzel
Better Programming
Published in
15 min readDec 17, 2019

Macbook on a desk in a coffee shop with a glas of orange juice.
Photo by Jantine Doornbos on Unsplash

In this piece, I will focus on authentication in single page applications. What’s the correct flow to use with OAuth and OpenID Connect (OIDC) and where are the security pitfalls when implementing it? After reading this piece you should be able to design the login for your new application correctly and know whether your current application is using OAuth/OIDC securely.

Please note: What’s correct for single-page applications is not necessarily true for other forms of applications like mobile applications or classic web applications (old school, boo!). Some concepts described here still hold for these types of applications, others might be wrong or even insecure. So, please be careful and always make sure you apply the right concepts to the right applications.

This will be the first in a series on this topic. Here, I would like to lay the foundations for understanding the necessary parts of OAuth and OIDC and outline the security considerations that lead to certain architectural decisions. In subsequent pieces, I will implement examples with different authorization server providers and discuss the differences between them.

Single Page Applications

Single page applications usually pack all their business logic in a JavaScript front end part written in React, Vue.js, Angular, or similar and load the necessary data from a back end API. In order to protect the back end data from unauthorized access, these applications require the user to authenticate via a separate authorization server and obtain a token after successfully logging in. This token can then be used when calling the back end where the API can verify the validity of the token and therefore the authenticity of the calling user.

Basic setup for single page applications with a user connecting to an Auth Server, a Frontend and a Backend on separate hosts
Basic setup for single page applications

The authorization server can either be completely self-developed or self-hosted using an existing 3rd party solution like Keycloak. A third alternative would be using an authentication-as-a-service provider…

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Continue in app
Or, continue in mobile web

Already have an account? Sign in

Better Programming
Better Programming

Published in Better Programming

221K Followers
Last published Nov 10, 2023

Advice for programmers.

Dennis Stötzel
Dennis Stötzel

Written by Dennis Stötzel

170 Followers
101 Following

Security consultant, penetration tester & developer 👻 diver & traveler 🌴 nerd & blogging n00b

Responses (10)

Write a response

What are your thoughts?

Rich Ellis

Jan 27, 2020

Really helpful article, thank you.
Question… You wrote: “If the authentication was successful, the authorization server will post a web message to the parent window containing the authorization code.” The way I understand it, the response within the…

2

Ruben

Oct 13, 2020

Great article! I was wondering if you had any ideas about an SPA in multiple tabs. Would the silent refresh method work for a second tab too, or would the tabs invalidate each other’s tokens?

6

Wehaanow

Jan 11, 2021

Really great. You have any code demo? or git hub?

More from Dennis Stötzel and Better Programming

See all from Dennis Stötzel
See all from Better Programming

Recommended from Medium

See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech