Thanks for your answer Warren. I do have an authentication layer server which receives my username/password and generates an OAuth 2.0 token for further communications. I guess (from my reading of OpenID Connect) that is what they would do on top of OAuth.

I think my centralised authentication server works fine. It receives requests, generates tokens and refreshes tokens on their next communication. All works fine. But for a browser to actually hit my authentication server it needs to pass an API Gateway server. This means that not every app or browser can hit my authentication server or even go to my application servers. The first point of hit is an API Gateway that I have written, and to be able to pass that to get to the Token Generation API on my authentication server I need to have a shared API key in my header and I need to sign my requests with SHA and a private HMAC key. This means that before even doing any token business my AngularJS app should 1) know the logic for what/how to sign its request to the server, and 2) have a secret HMAC key to use to generate a SHA. My problem is that I need to put this in a JS function and eventually push it to the browser to do the very first call to get a token. And I don't know how I can protect and secure that JS function. Maybe I am a bit of a security freak!!! :-)

On Tuesday, 12 May 2015 23:36:16 UTC+1, Warren Strange wrote:
>
> This isn't specific to AngularJS - but I would recommend you read up on OpenID Connect and the "implicit" client flows. These flows are used for "public" clients (like a browser) that cannot securely keep secrets.
>
> The basic idea is that your user will need to be redirected to an OpenID Connect provider which will authenticate the user and then send back a token (all via SSL) which your client can use in subsequent calls to your server APIs.
>
> You can optionally store that token (in, for example, HTML5 storage).
>
> On Tuesday, May 12, 2015 at 9:03:38 AM UTC-6, Vafa Ahmadiyeh wrote:
>>
>> Hi,
>>
>> I am fairly new to AngularJS and other JS libraries.
>>
>> I have written a SPA in HTML5 using AngularJS. This client app keeps calling my server, which is a .NET Web API 2.0, to get some information and will change the content based on the result. Everything works perfectly.
>>
>> Now I am thinking of releasing this app to my live servers. This app is using OAuth 2.0 to have a token to secure communication between my client-side SPA and my server-side Web API. But only a token is not enough to satisfy our security team. My SPA needs to have an API key to pass my API Gateway and needs to sign every request to pass another layer of security before hitting my Web API to get authenticated against its OAuth token.
>>
>> Here is my question:
>>
>> The API key and signature need to be added to my HTTP request header, same as my token. How can I secure the creation of the API key and signature in my client-side AngularJS app? For the API key I guess I don't need to do much. It's a public key and the same key will go in my HTTP header every time, so I don't bother about that too much. But in the JS functions of my AngularJS app, when I am going to call an API I would like to use a very secure JS function that uses a private key internally and signs the request for me (sign as a SHA key or encrypted, I don't mind). Whatever I do, some smart guy can easily find what is going on in my JS functions loaded into the browser and they can do the same thing to sign their own requests to my API. How can I secure this?
>>

--
You received this message because you are subscribed to the Google Groups "AngularJS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/angular.
For more options, visit https://groups.google.com/d/optout.
