wtcross

wtcross

LiveView security when using 3rd party APIs

I am seeking guidance on security concerns when using 3rd party APIs within a LiveView. Ory Kratos is an API-first identity and user management system. I am using it as part of a project that also involves Phoenix Framework.

Kratos offers the following self-service flows via an API:

This means it’s up to the developer to build the UI if you don’t want to use their reference NodeJS/React application or other reference apps that exist in other languages. I much prefer to make it much more native to my Phoenix application and leverage LiveViews, for example. There are three scenarios documented by Ory for how to implement each of these flows:

The differences in these different flows are mostly around how redirects, csrf tokens, and cookies are or are not used.

If I were implementing this using plugs and regular controllers then the first option, browser flow for server-side apps, would be a great choice. However, I want to use LiveView. My goal is for all interaction with the Kratos API to happen on the server side with an internal-only (private) Kratos deployment. Paired with LiveView’s security model and stateful nature I was thinking the browser flow for client-side apps is actually the safest bet. My question is, what’s stopping me from using the API flows?

The API flows are understandably documented to not be used in web-based applications. LiveView seems unique, though, and I’m looking for guidance from the community on what security guarantees LiveView offers when making third party API calls to a service like Kratos. CSRF, XSS, session hijacking, and other attack vectors are all of concern.

First Post!

wtcross

wtcross

My initial goal was to build user management, authentication, and authorization myself as part of the Phoenix app. In the end this is a side project and I don’t want to spend all the time doing that and possibly not get something right.

For now I have been using the hosted offering by Ory…called Ory Network. This hosted offering basically ties together all the Ory projects (including kratos for identity management and auth). It also has all the UI bits you would need and @znorris has created a great plug, kratos_plug to handle the authentication part. For everything else I just send users over to Ory Network. The kratos_plug will work with a self-hosted Kratos as well.

Having a LiveView enabled integration with these APIs would make the user experience better even with Ory Network. It would also make self-hosting way more attractive.

Where Next?

Popular in Questions Top

_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
Tee
can someone please explain to me how Enum.reduce works with maps
New
tduccuong
Hi, is there any work on GUI with Elixir, that is similar to Electron/Javascript? My idea is to bundle Phoenix and BEAM into a single se...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
marick
I had some trouble figuring out how to make many-to-many associations work. Once I got it working, I wrote a blog post. Because I’m a nov...
New

Other popular topics Top

Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 47930 226
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

We're in Beta

About us Mission Statement