I would like to use a self-hosted OpenID Connect (OIDC) server in combination with JWT as an authorization token (access token in OIDC terms). JWT would be used to protect REST services, while the UIs are a mix of classical and single-page applications (Angular). This way, the REST layer would be able to do the authorization based on a stateless JWT token, so no extra DB connections are necessary, as described here:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
For a single-page app, the OIDC Implicit Flow is appropriate. However, I see a security problem when the Implicit Flow is used in combination with stateless JWT tokens: tokens are delivered in the fragment part of the URL, which means there is no way to remove them (they are easily available in the browser history) or to invalidate them (they are stateless), so no logout is possible.
I see two options to mitigate this:
- Use very short-lived tokens (at most several minutes). This may dramatically hinder usability.
- Use the authorization code flow by means of AJAX. This is not OIDC-compliant but would make a logout possible, as tokens would not be exposed in the URL.
The third option would be to give up stateless JWT tokens and use simple bearer tokens with DB checks.
Am I missing something? What would you choose?
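The trade-off the question describes, as an added example that is not part of the original post or any answer: a purely stateless verifier (signature plus `exp`) cannot honour a logout, so a revoked token stays valid until it expires, whereas a verifier that consults a revocation store (the "DB check" option) can reject it immediately. The HS256 signing, the `DEMO_KEY`, the fixed clock and the `jti` value are all constructed for the demo; a real deployment would verify against the OIDC provider's published signing key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real REST layer verifies against the OIDC provider's key
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_stateless(token: str, key: bytes, now: int) -> dict:
    """Signature and expiry only: everything a stateless REST layer can check.
    Returns the claims or raises ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token choose how it is verified.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


class RevocationStore:
    """The 'DB check' from the question: a set of revoked token ids (jti)."""

    def __init__(self):
        self._revoked = set()

    def revoke(self, jti: str) -> None:
        self._revoked.add(jti)

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked


def verify_with_revocation(token: str, key: bytes, store: RevocationStore, now: int) -> dict:
    """Stateless checks first, then one lookup to honour logout."""
    claims = verify_stateless(token, key, now)
    if store.is_revoked(claims["jti"]):
        raise ValueError("revoked")
    return claims


def logout_scenario(lifetime_seconds: int) -> dict:
    """Issue a token, 'log out' by revoking its jti, then check it both ways
    right after logout and again once the lifetime has elapsed."""
    issued_at = 1_700_000_000  # constructed fixed clock for a deterministic demo
    claims = {"sub": "alice", "jti": "token-0001", "iat": issued_at, "exp": issued_at + lifetime_seconds}
    token = issue_token(claims, DEMO_KEY)
    store = RevocationStore()
    store.revoke(claims["jti"])  # the user clicked "logout"

    def accepted(check, now):
        try:
            check(now)
            return True
        except ValueError:
            return False

    just_after_logout = issued_at + 1
    after_lifetime = issued_at + lifetime_seconds
    return {
        # A stateless verifier still accepts the token after logout...
        "stateless_after_logout": accepted(lambda t: verify_stateless(token, DEMO_KEY, t), just_after_logout),
        # ...the revocation-aware one rejects it immediately...
        "revocation_after_logout": accepted(lambda t: verify_with_revocation(token, DEMO_KEY, store, t), just_after_logout),
        # ...and only expiry closes the window for the stateless one.
        "stateless_after_expiry": accepted(lambda t: verify_stateless(token, DEMO_KEY, t), after_lifetime),
    }


if __name__ == "__main__":
    print(logout_scenario(lifetime_seconds=300))
```

The `lifetime_seconds` argument is the knob behind the first mitigation: the shorter it is, the smaller the post-logout window for the stateless verifier, at the usability cost the question notes. The revocation store is the third option in miniature, one lookup per request instead of none.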