Trusted Web Device Client

I have a public web API for a SaaS. We do not have user accounts for the users except for the admin, simply because the users who are using the system are often non-permanent workers or staff.

Instead we have a client/customer number and a PIN which is used to authenticate and setup the browser client. The authenticated JWT is stored in the browser like any other access token and is sent back to the server together with every API request. This works fine, although we do understand that a malicious actor could potentially extract this JWT and use it to illicitly authenticate as well.

Now we want to add two extra layers of security: IP whitelist and trusted devices.

First we have introduced an IP whitelist. This is straightforward: we simply check the remote IP against a whitelist created by the admin which is bound to the client number.

Now the problem is with the trusted list of devices. For each client number, there should be a way to trust a device for that specific client number. So the client/customer should be able to use the web API only on the devices it has in the office. The ideal scenario would be that the admin can issue a "trusted device" certificate with a digital signature which signs something like "client number+year+client pin". Then the local manager individual needs to import this certificate/secret manually on the device that should be trusted.

Then for each request our web client app (via javascript) also sends this signature with each request in an HTTP header. I understand this could potentially be spoofed as well but together with the IP whitelist we assess and believe it should be secure enough for this application.

The problem is now, how to implement that? As far as I understand:

  • I cannot store such a secret in the browser because it might be cleared.
  • I cannot read the filesystem with javascript. Store the secret in a text file?
  • I cannot access the device certificate store.

How can I manage (import, store and read from javascript) this digital signature/certificate/secret in the client device? The web client can be anything from an iPad and Android phone to a Windows, Linux, iOS desktop. All web calls are done with SSL. We are not running any native app on the client device, only browser.



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow