Hi Chamindu,
If we do use the opaque OAuth token value as the cookie, then why do we
need it to be one of the values provided during the server start-up? The
client should be able to get any token using the /token endpoint and save it as
a cookie in their SPA, and MGW should be able to validate the OAuth token by
contacting the KM (or etc.) whenever it receives a request from the SPA with a
cookie header.

Thanks!
Rajith

On Tue, Jan 15, 2019 at 3:58 PM Ishara Cooray <[email protected]> wrote:

> Hi Chamindu,
> Thanks for the clarification.
>
> 1. If both headers are provided, priority is given to the "Authorization"
> header. Therefore it will go through the path specified for the
> "Authorization" header.
> If someone needs both validations, is it possible to achieve that?
>
> 2. Yes. Basically the cookie session ID is an OAuth2 token which contains an
> expiry time.
> 3. No. If none of the given cookies are valid, then
> authentication will fail.
> In that case, how do we renew the cookie?
>
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
>
> On Fri, Jan 11, 2019 at 10:46 AM Ishara Cooray <[email protected]> wrote:
>
>> Hi Chamindu,
>> A couple of questions came to my mind:
>>
>> 1. What will be the case if both headers are provided? Are we doing both
>> validations?
>> 2. Do we have an expiry time for this cookie?
>> 3. In the case of an invalid cookie, how can one obtain a new valid cookie?
>>
>>
>> Thanks & Regards,
>> Ishara Cooray
>> Senior Software Engineer
>> Mobile : +9477 262 9512
>> WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>>
>> On Fri, Jan 4, 2019 at 5:04 PM Chamindu Udakara <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> My project is to add cookie-based authentication for the micro-gateway. This
>>> is the approach that I have come up with. Please review it, let me know
>>> what you think, and kindly share your suggestions.
>>>
>>> Requirement
>>>
>>> Provide authentication for the product micro-gateway with cookie-based
>>> authentication which uses session HTTP cookies for authentication.
>>>
>>> Suggested Approach
>>>
>>> When a user invokes an API with a cookie, the micro-gateway has to validate
>>> that cookie prior to the response. The list of cookies included in the HTTP
>>> request which are used to authenticate has to be extracted from the request.
>>> From all extracted cookies, their respective session ID values have to be
>>> extracted properly.
>>>
>>> The Authn filter will check the incoming request to the micro-gateway and
>>> determine whether it contains an "Authorization" header or a
>>> "Cookie" header. If the header is "Cookie", then the cookie validation
>>> process will be executed and the cookie will be validated. If not, it will
>>> execute as a normal request which contains an "Authorization" header. The
>>> session ID of the required cookie can be provided to the server as a direct
>>> key-value pair at the micro-gateway server startup.
>>>
>>>
>>> if (request.hasHeader(authHeaderName)) {
>>>     authHeader = request.getHeader(authHeaderName);
>>> } else if (request.hasHeader(COOKIE_HEADER)) {
>>>     // Authentication with HTTP cookies
>>>     CookieBasedAuth cookieBasedAuth = new CookieBasedAuth();
>>>     result = cookieBasedAuth.processRequest(listener, request, context);
>>> } else {
>>>     log:printError("No authorization header was provided");
>>>     setErrorMessageToFilterContext(context, API_AUTH_MISSING_CREDENTIALS);
>>>     sendErrorResponse(listener, request, untaint context);
>>>     return false;
>>> }
>>>
>>> The above code segment will identify the header type of the
>>> incoming request. Then the validation process will be done in a separate
>>> file named "cookie.bal". In this file the extraction of the session ID
>>> and validation of that ID against the value given at server startup will be
>>> done. For that I have implemented a new function, "ProcessRequest",
>>> which returns a string or an error. If any of the cookies included in the
>>> request is not equal to the given ID, then the validation process will
>>> fail. If it fails, then it throws an error and the authnFilter will
>>> fail. If the session ID of any cookie matches the given one, then that
>>> ID will be returned to the authnFilter for further execution there.
>>>
>>> public function processRequest(http:Listener listener, http:Request request,
>>>                                http:FilterContext context) returns string|error {
>>>     // get the required cookie session ID as a config value
>>>     string requiredCookie = config:getAsString(COOKIE_HEADER, default = "");
>>>     // refuse to run with no configured value: otherwise any "name=" cookie
>>>     // with an empty value would match the empty default
>>>     if (requiredCookie == "") {
>>>         error notConfigured = {message:"No required cookie configured"};
>>>         return notConfigured;
>>>     }
>>>     // extract cookies from the incoming request
>>>     string authHead = request.getHeader(COOKIE_HEADER);
>>>     string[] cookies = authHead.trim().split(";");
>>>     foreach cookie in cookies {
>>>         // do not log cookie values: they carry the session token
>>>         string pair = cookie.trim();
>>>         int separator = pair.indexOf("=");
>>>         // skip malformed pairs without "=" instead of indexing out of bounds,
>>>         // and split on the first "=" only so values containing "=" stay intact
>>>         if (separator >= 0) {
>>>             string sessionId = pair.substring(separator + 1, pair.length());
>>>             if (sessionId == requiredCookie) {
>>>                 return sessionId;
>>>             }
>>>         }
>>>     }
>>>     error notFound = {message:"No matched cookie found"};
>>>     return notFound;
>>> }
>>>
>>>
>>>
>>> Chamindu Udakara
>>> Software Engineering Intern
>>> WSO2 (University of Moratuwa)
>>> mobile: +94 755285531 | email: [email protected]
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>


-- 
Rajith Roshan | Senior Software Engineer | WSO2 Inc.
(m) +94-717-064-214 | (e) [email protected]
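The two validation styles discussed in this thread, worked as an added example in Python rather than Ballerina; this is not code from the micro-gateway project or from any of the posters. It contrasts the posted split-on-every-"=" extraction with a parser that reads the named session cookie, then shows the startup-configured comparison and the opaque-token introspection alternative. The cookie name "sessionid", the sample header and the introspection callable are all constructed assumptions.

```python
import hmac
from typing import Callable, Dict, Optional

# Constructed sample header: the session token is base64 and ends in "=",
# and one cookie ("flagonly") carries no "=" at all.
SAMPLE_COOKIE_HEADER = "theme=dark; flagonly; sessionid=dGVzdC10b2tlbg==; lang=en"

def naive_session_id(cookie_pair: str) -> str:
    """Mirror of the posted logic: split on every '=' and take index 1.
    Truncates values containing '=' and raises IndexError without one."""
    return cookie_pair.strip().split("=")[1]

def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie header into {name: value}: split on ';', then on the
    FIRST '=' only; pairs without '=' are kept with an empty value."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        cookies[name.strip()] = value.strip() if sep else ""
    return cookies

def extract_session_id(header: str, cookie_name: str = "sessionid") -> Optional[str]:
    """Read the NAMED session cookie instead of testing every cookie's value."""
    return parse_cookie_header(header).get(cookie_name)

def validate_against_configured(header: str, configured: str,
                                cookie_name: str = "sessionid") -> bool:
    """Design from the thread: compare against a value fixed at gateway startup.
    Refuses an empty configured value and compares in constant time."""
    session_id = extract_session_id(header, cookie_name)
    if not configured or session_id is None:
        return False
    return hmac.compare_digest(session_id.encode(), configured.encode())

def validate_with_introspection(header: str, introspect: Callable[[str], Dict],
                                now: int, cookie_name: str = "sessionid") -> bool:
    """Alternative from the reply: treat the cookie value as an opaque OAuth2 token
    and ask the key manager (any callable here) whether it is active and unexpired."""
    token = extract_session_id(header, cookie_name)
    if not token:
        return False
    info = introspect(token)
    return bool(info.get("active")) and int(info.get("exp", 0)) > now
```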