wtcross

wtcross

LiveView security when using 3rd party APIs

I am seeking guidance on security concerns when using 3rd party APIs within a LiveView. Ory Kratos is an API-first identity and user management system. I am using it as part of a project that also involves Phoenix Framework.

Kratos offers the following self-service flows via an API:

This means it’s up to the developer to build the UI if you don’t want to use their reference NodeJS/React application or other reference apps that exist in other languages. I much prefer to make it much more native to my Phoenix application and leverage LiveViews, for example. There are three scenarios documented by Ory for how to implement each of these flows:

The differences in these different flows are mostly around how redirects, csrf tokens, and cookies are or are not used.

If I were implementing this using plugs and regular controllers then the first option, browser flow for server-side apps, would be a great choice. However, I want to use LiveView. My goal is for all interaction with the Kratos API to happen on the server side with an internal-only (private) Kratos deployment. Paired with LiveView’s security model and stateful nature I was thinking the browser flow for client-side apps is actually the safest bet. My question is, what’s stopping me from using the API flows?

The API flows are understandably documented to not be used in web-based applications. LiveView seems unique, though, and I’m looking for guidance from the community on what security guarantees LiveView offers when making third party API calls to a service like Kratos. CSRF, XSS, session hijacking, and other attack vectors are all of concern.

First Post!

wtcross

wtcross

My initial goal was to build user management, authentication, and authorization myself as part of the Phoenix app. In the end this is a side project and I don’t want to spend all the time doing that and possibly not get something right.

For now I have been using the hosted offering by Ory…called Ory Network. This hosted offering basically ties together all the Ory projects (including kratos for identity management and auth). It also has all the UI bits you would need and @znorris has created a great plug, kratos_plug to handle the authentication part. For everything else I just send users over to Ory Network. The kratos_plug will work with a self-hosted Kratos as well.

Having a LiveView enabled integration with these APIs would make the user experience better even with Ory Network. It would also make self-hosting way more attractive.

Where Next?

Popular in Questions Top

_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New

Other popular topics Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a > b) do {:ok, "a"} end if (a < b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

We're in Beta

About us Mission Statement