I am building an intranet web application consisting of an Angular frontend and a Node.JS server. The application must use corporate Active Directory for authentication and authorization.
I am considering how best to implement this in a safe way. I plan to use the Active Directory node module for the actual connection to AD, for authentication at user login and for checking security-group membership for certain restricted actions, etc.
However, I'm not quite sure what the best way is to authorize my backend endpoints. The AD module does not offer any tokens / tickets, although I believe Kerberos is used for the actual authentication process. In other authenticated applications I have developed, I created a jsonwebtoken when a user logged in, and then passed and verified this token in each backend route. Is this a good idea for authentication against AD as well?
EDIT: The second part of the question has been split off into a separate thread: Server-side JWT token processing guidelines
Also, I have a more general problem regarding what is best for actually checking tokens. Suppose the "secret" used to generate the JWT is compromised (in my scenario, many people can have access to the source code of the system, but not to the system itself). Am I right in thinking that a malicious user could then, with only this information, generate a token on behalf of any given user and use this token in my API requests without any authentication against AD? A token is usually generated using jwt.sign(payload, secretOrPrivateKey, options). Alternatively, suppose that a malicious user can obtain the actual token (before its expiration). It seems to me that, instead of needing the user's username and password, security now comes down to needing the username and the JWT secret. Is this a real concern, and what should I do to prevent it?
My best hope so far is to use a server-side session to store information about the current user after logging in, so that even if a token is maliciously generated and used to access the backend endpoints, it will fail if the user has not actually logged in through an AD-authenticated login that stored some information in the session.
I also looked at actual authentication against AD at each API endpoint, but this requires that the AD username / password be sent in every request, which in turn would require that sensitive information be stored in the client session or local storage, which is most likely a bad idea.
So the questions are:
1) Is it possible to combine AD authentication with JWT as a bearer token, or what is the preferred way to create a secure backend + frontend using AD for authentication?
2) If JWT is a good idea, what is the best way to protect endpoints with JWT? Is using a server-side session reasonable?
Interestingly, I found many examples of how best to implement token-based authentication (in general, or using NodeJS), but many of them seem to be wrong.