Token-based authentication (WORK IN PROGRESS) #148
Unanswered
amcgee asked this question in Specs & RFCs
Replies: 0 comments
This is a placeholder for a token-based authentication specification. This requires coordination with the backend team and careful consideration of security implications.

There are several challenges with the current cookie-based authentication system, notably among them the imminent switch to default `SameSite: Lax` cookie security in Chrome and Firefox browsers. This change will prevent our authentication cookies from being included in cross-site requests. While this is not an issue for same-site application hosting (the default in DHIS2), it does break existing developer workflows (`localhost:3000` talking to `debug.dhis2.org`, for instance) as well as (importantly) external applications like public-facing dashboards which might want to fetch data from the DHIS2 API. There is a larger discussion around public data access and security to be had there as well.

We currently support CORS request filtering, but this feature becomes useless when cross-site cookies are disabled. At minimum we should de-duplicate those security gates.

OAuth is currently supported, though we should test its feasibility, but this requires each application to have a registered server component.