Implement stateless authentication with HTML5 audio / video (and plain images), is it possible?











up vote
0
down vote

favorite












We have a REST style API and try to follow the REST principles as close as possible, so of course that includes statelessness as well.



While the most part of our backend is indeed stateless, there is one thing that seems impossible to achieve, and that is dealing with authentication of non API related static resources. I understand that there are means to achieve stateless auth using some token based approaches (e.g. JWT). But that requires setting some headers or transferring credential information in the requests' message body.



This would be no problem when only API requests have to be secured, as we easily can modify XHR or fetch requests accordingly.



But the problem is that we also need to secure static resources like images and audio/video files. For images I could load them via XHR/fetch, though this is already quite cumbersome compared to using a plain image tag.



But as soon as it comes to html5 video/audio, I haven't found a way to achieve this, is it possible at all?



Currently we just use a secured httpOnly cookie, so in that case it is no problem with either images or audio. May using a cookie (having a JWT like payload) generated by the client could be a solution? Of course this would open another potential security issue since now - in case of a XSS breach - the cookie and its information could be stolen which is impossible with a httponly cookie.



Any ideas to achieve a pure stateless authentication that also works for images and html5 audio or video (and that is not less secure as well)?



PS: HTTP Basic Auth is not an option for various reasons.










share|improve this question


























    up vote
    0
    down vote

    favorite












    We have a REST style API and try to follow the REST principles as close as possible, so of course that includes statelessness as well.



    While the most part of our backend is indeed stateless, there is one thing that seems impossible to achieve, and that is dealing with authentication of non API related static resources. I understand that there are means to achieve stateless auth using some token based approaches (e.g. JWT). But that requires setting some headers or transferring credential information in the requests' message body.



    This would be no problem when only API requests have to be secured, as we easily can modify XHR or fetch requests accordingly.



    But the problem is that we also need to secure static resources like images and audio/video files. For images I could load them via XHR/fetch, though this is already quite cumbersome compared to using a plain image tag.



    But as soon as it comes to html5 video/audio, I haven't found a way to achieve this, is it possible at all?



    Currently we just use a secured httpOnly cookie, so in that case it is no problem with either images or audio. May using a cookie (having a JWT like payload) generated by the client could be a solution? Of course this would open another potential security issue since now - in case of a XSS breach - the cookie and its information could be stolen which is impossible with a httponly cookie.



    Any ideas to achieve a pure stateless authentication that also works for images and html5 audio or video (and that is not less secure as well)?



    PS: HTTP Basic Auth is not an option for various reasons.










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      We have a REST style API and try to follow the REST principles as close as possible, so of course that includes statelessness as well.



      While the most part of our backend is indeed stateless, there is one thing that seems impossible to achieve, and that is dealing with authentication of non API related static resources. I understand that there are means to achieve stateless auth using some token based approaches (e.g. JWT). But that requires setting some headers or transferring credential information in the requests' message body.



      This would be no problem when only API requests have to be secured, as we easily can modify XHR or fetch requests accordingly.



      But the problem is that we also need to secure static resources like images and audio/video files. For images I could load them via XHR/fetch, though this is already quite cumbersome compared to using a plain image tag.



      But as soon as it comes to html5 video/audio, I haven't found a way to achieve this, is it possible at all?



      Currently we just use a secured httpOnly cookie, so in that case it is no problem with either images or audio. May using a cookie (having a JWT like payload) generated by the client could be a solution? Of course this would open another potential security issue since now - in case of a XSS breach - the cookie and its information could be stolen which is impossible with a httponly cookie.



      Any ideas to achieve a pure stateless authentication that also works for images and html5 audio or video (and that is not less secure as well)?



      PS: HTTP Basic Auth is not an option for various reasons.










      share|improve this question













      We have a REST style API and try to follow the REST principles as close as possible, so of course that includes statelessness as well.



      While the most part of our backend is indeed stateless, there is one thing that seems impossible to achieve, and that is dealing with authentication of non API related static resources. I understand that there are means to achieve stateless auth using some token based approaches (e.g. JWT). But that requires setting some headers or transferring credential information in the requests' message body.



      This would be no problem when only API requests have to be secured, as we easily can modify XHR or fetch requests accordingly.



      But the problem is that we also need to secure static resources like images and audio/video files. For images I could load them via XHR/fetch, though this is already quite cumbersome compared to using a plain image tag.



      But as soon as it comes to html5 video/audio, I haven't found a way to achieve this, is it possible at all?



      Currently we just use a secured httpOnly cookie, so in that case it is no problem with either images or audio. May using a cookie (having a JWT like payload) generated by the client could be a solution? Of course this would open another potential security issue since now - in case of a XSS breach - the cookie and its information could be stolen which is impossible with a httponly cookie.



      Any ideas to achieve a pure stateless authentication that also works for images and html5 audio or video (and that is not less secure as well)?



      PS: HTTP Basic Auth is not an option for various reasons.







      rest authentication html5-video state html5-audio






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 8 at 22:36









      frontend_dev

      1,2111020




      1,2111020
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          No ideas? Hmmm. OK so maybe I can answer my own question ...



          A potential solution would be to use something like a JWT, but still use a
          cookie as the transport mechanism. So the token is generated on the
          server, and set via cookie, just like it has been before with the traditional session cookie. Seems like I could have the "best of both
          worlds" with this approach:




          • The client still has no means to access the contents of the cookie,
            and therefore does not need to know anything about authorisation. The only thing the client has
            to know is the concept of authentication, i.e. asking the user for the
            credentials and sending them to the server as soon as a 401 is
            returned.


          • The server is now freed of doing any session management, all it has to do
            is validating the token.


          • And, most importantly: this will work not only for requests where I can manipulate the header and/or message body (like with XHR/fetch) but for any type of static resource as well, including images and html5 audio & video



          Does this sound like a good solution? Vote up this answer if you think it is! Thank you.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53217197%2fimplement-stateless-authentication-with-html5-audio-video-and-plain-images%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            No ideas? Hmmm. OK so maybe I can answer my own question ...



            A potential solution would be to use something like a JWT, but still use a
            cookie as the transport mechanism. So the token is generated on the
            server, and set via cookie, just like it has been before with the traditional session cookie. Seems like I could have the "best of both
            worlds" with this approach:




            • The client still has no means to access the contents of the cookie,
              and therefore does not need to know anything about authorisation. The only thing the client has
              to know is the concept of authentication, i.e. asking the user for the
              credentials and sending them to the server as soon as a 401 is
              returned.


            • The server is now freed of doing any session management, all it has to do
              is validating the token.


            • And, most importantly: this will work not only for requests where I can manipulate the header and/or message body (like with XHR/fetch) but for any type of static resource as well, including images and html5 audio & video



            Does this sound like a good solution? Vote up this answer if you think it is! Thank you.






            share|improve this answer



























              up vote
              0
              down vote













              No ideas? Hmmm. OK so maybe I can answer my own question ...



              A potential solution would be to use something like a JWT, but still use a
              cookie as the transport mechanism. So the token is generated on the
              server, and set via cookie, just like it has been before with the traditional session cookie. Seems like I could have the "best of both
              worlds" with this approach:




              • The client still has no means to access the contents of the cookie,
                and therefore does not need to know anything about authorisation. The only thing the client has
                to know is the concept of authentication, i.e. asking the user for the
                credentials and sending them to the server as soon as a 401 is
                returned.


              • The server is now freed of doing any session management, all it has to do
                is validating the token.


              • And, most importantly: this will work not only for requests where I can manipulate the header and/or message body (like with XHR/fetch) but for any type of static resource as well, including images and html5 audio & video



              Does this sound like a good solution? Vote up this answer if you think it is! Thank you.






              share|improve this answer

























                up vote
                0
                down vote










                up vote
                0
                down vote









                No ideas? Hmmm. OK so maybe I can answer my own question ...



                A potential solution would be to use something like a JWT, but still use a
                cookie as the transport mechanism. So the token is generated on the
                server, and set via cookie, just like it has been before with the traditional session cookie. Seems like I could have the "best of both
                worlds" with this approach:




                • The client still has no means to access the contents of the cookie,
                  and therefore does not need to know anything about authorisation. The only thing the client has
                  to know is the concept of authentication, i.e. asking the user for the
                  credentials and sending them to the server as soon as a 401 is
                  returned.


                • The server is now freed of doing any session management, all it has to do
                  is validating the token.


                • And, most importantly: this will work not only for requests where I can manipulate the header and/or message body (like with XHR/fetch) but for any type of static resource as well, including images and html5 audio & video



                Does this sound like a good solution? Vote up this answer if you think it is! Thank you.






                share|improve this answer














                No ideas? Hmmm. OK so maybe I can answer my own question ...



                A potential solution would be to use something like a JWT, but still use a
                cookie as the transport mechanism. So the token is generated on the
                server, and set via cookie, just like it has been before with the traditional session cookie. Seems like I could have the "best of both
                worlds" with this approach:




                • The client still has no means to access the contents of the cookie,
                  and therefore does not need to know anything about authorisation. The only thing the client has
                  to know is the concept of authentication, i.e. asking the user for the
                  credentials and sending them to the server as soon as a 401 is
                  returned.


                • The server is now freed of doing any session management, all it has to do
                  is validating the token.


                • And, most importantly: this will work not only for requests where I can manipulate the header and/or message body (like with XHR/fetch) but for any type of static resource as well, including images and html5 audio & video



                Does this sound like a good solution? Vote up this answer if you think it is! Thank you.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 9 at 21:44

























                answered Nov 9 at 17:26









                frontend_dev

                1,2111020




                1,2111020






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53217197%2fimplement-stateless-authentication-with-html5-audio-video-and-plain-images%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Landwehr

                    Reims

                    Custom delete method in JpaRepository