On Thu, Jan 17, 2019 at 2:06 PM Rajith Roshan <[email protected]> wrote:
> Hi Chamindu,
> If we do use the opaque oauth token value as the cookie, then why do we
> need it to be one of the values provided during the server startup? The
> client should be able to get any token using the /token endpoint and save it as
> a cookie in their SPA, and MGW should be able to validate the oauth token by
> contacting KM (or etc.) whenever it receives a request from the SPA with a cookie
> header.
>
I don't think we provide the token (value of it) during the startup. I think what we only do is to specify the name of the cookie which bears the token (in its value). Because when submitting a request, the browser may submit multiple cookies to the gateway, in which case we need to know the name of the specific cookie which bears the token.

> Thanks!
> Rajith
>
> On Tue, Jan 15, 2019 at 3:58 PM Ishara Cooray <[email protected]> wrote:
>
>> Hi Chamindu,
>> Thanks for the clarification.
>>
>> 1. If both headers are provided, priority is given to the "Authorization"
>> header. Therefore it will go through the path specified for the
>> "Authorization" header.
>> If someone needs both validations, is it possible to achieve?
>>
>> 2. Yes. Basically the cookie sessionID is an OAuth2 token which contains an
>> expiry time.
>> 3. No. From the given cookies, if none of them is valid then
>> authentication will fail.
>> In that case how do we renew the cookie?
>>
>> Thanks & Regards,
>> Ishara Cooray
>> Senior Software Engineer
>> Mobile : +9477 262 9512
>> WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> On Fri, Jan 11, 2019 at 10:46 AM Ishara Cooray <[email protected]> wrote:
>>
>>> Hi Chamindu,
>>> A couple of questions came to my mind:
>>>
>>> 1. What will be the case if both headers are provided? Are we doing both
>>> validations?
>>> 2. Do we have an expiry time for this cookie?
>>> 3. In the case of an invalid cookie, how can one obtain a new valid cookie?
>>>
>>> Thanks & Regards,
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> On Fri, Jan 4, 2019 at 5:04 PM Chamindu Udakara <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> My project is to add cookie-based authentication for the micro-gateway.
>>>> This is the approach that I have come up with. Please review and let me
>>>> know what you think, and please be kind enough to share your suggestions.
>>>>
>>>> Requirement
>>>>
>>>> Provide authentication for the product micro-gateway with cookie-based
>>>> authentication which uses session HTTP cookies for authentication.
>>>>
>>>> Suggested Approach
>>>>
>>>> When a user invokes an API with a cookie, the micro-gateway has to validate
>>>> that cookie prior to the response. The list of cookies included in the HTTP
>>>> request which are used to authenticate has to be extracted from the request.
>>>> From all extracted cookies, their respective session ID values have to be
>>>> extracted properly.
>>>>
>>>> The Authn filter will check the incoming request to the micro-gateway and
>>>> determine whether it contains the "Authorization" header or the "Cookie"
>>>> header. If the header is "Cookie" then the cookie validation process will
>>>> be executed and the cookie will be validated. If not, it will execute as a
>>>> normal request which contains the "Authorization" header. The session ID of
>>>> the required cookie can be provided to the server as a direct key-value pair
>>>> at micro-gateway server startup.
>>>>
>>>>     if (request.hasHeader(authHeaderName)) {
>>>>         authHeader = request.getHeader(authHeaderName);
>>>>     } else if (request.hasHeader(COOKIE_HEADER)) {
>>>>         // Authentication with HTTP cookies
>>>>         CookieBasedAuth cookieBasedAuth = new CookieBasedAuth();
>>>>         // result is string|error: a returned error must fail the filter
>>>>         result = cookieBasedAuth.processRequest(listener, request, context);
>>>>     } else {
>>>>         log:printError("No authorization header was provided");
>>>>         setErrorMessageToFilterContext(context, API_AUTH_MISSING_CREDENTIALS);
>>>>         sendErrorResponse(listener, request, untaint context);
>>>>         return false;
>>>>     }
>>>>
>>>> The above code segment will identify the header type of the incoming
>>>> request. Then the validation process will be done in a separate file named
>>>> "cookie.bal". In this file the extraction of the session ID and validation
>>>> of that ID against the value given at server startup will be done. For that
>>>> I have implemented a new function, "processRequest", which returns a string
>>>> or an error. If any of the cookies included in the request is not equal to
>>>> the given ID then the validation process will fail. If it fails, then it
>>>> throws an error and the authnFilter will fail. If the session ID of any
>>>> cookie matches the given one then that ID will be returned to the
>>>> authnFilter for further execution.
>>>>
>>>>     public function processRequest(http:Listener listener, http:Request request,
>>>>                                    http:FilterContext context) returns string|error {
>>>>         // get the expected session id, configured at server startup
>>>>         string requiredCookie = config:getAsString(COOKIE_HEADER, default = "");
>>>>         if (requiredCookie == "") {
>>>>             // an unset value must not match an empty cookie value
>>>>             error notConfigured = {message: "No session id configured for cookie authentication"};
>>>>             return notConfigured;
>>>>         }
>>>>         // extract cookies from the incoming request
>>>>         string authHead = request.getHeader(COOKIE_HEADER);
>>>>         string[] cookies = authHead.trim().split(";");
>>>>         foreach var cookie in cookies {
>>>>             // cookie values are credentials: do not print them to the log
>>>>             string[] pair = cookie.trim().split("=");
>>>>             if (pair.length() < 2) {
>>>>                 continue;  // empty segment or a cookie without a value
>>>>             }
>>>>             string sessionId = pair[1].trim();
>>>>             if (sessionId == requiredCookie) {
>>>>                 return sessionId;
>>>>             }
>>>>         }
>>>>         error notFound = {message: "No matched cookie found"};
>>>>         return notFound;
>>>>     }
>>>>
>>>> Chamindu Udakara
>>>> Software Engineering Intern
>>>> WSO2 (University of Moratuwa)
>>>> mobile: +94 755285531 | email: [email protected]
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>
> --
> Rajith Roshan | Senior Software Engineer | WSO2 Inc.
> (m) +94-717-064-214 | (e) [email protected]
> <https://wso2.com/signature>
>

--
Nuwan Dias | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [email protected]
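The points raised in this thread (the gateway is configured with the cookie's name rather than its value, the Authorization header takes precedence over Cookie, and an opaque token is checked for validity and expiry with the key manager), as an added example that is not code from the micro-gateway project. The cookie name `mgw_session` and the introspection table are assumptions constructed for the example; a real gateway would call the key manager instead of the table.

```python
COOKIE_NAME = "mgw_session"   # assumed config: the *name* of the session cookie, not its value
AUTH_HEADER = "authorization"
# Constructed stand-in for the key manager's introspection response per opaque token.
INTROSPECTION = {
    "opaque-token-A": {"active": True, "exp": 4_102_444_800},  # expires in 2100
    "opaque-token-B": {"active": True, "exp": 946_684_800},    # expired in 2000
}

def parse_cookie_header(header):
    """Split 'a=1; b=2' into a dict; empty and malformed segments are skipped."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name.strip():
            continue
        cookies.setdefault(name.strip(), value.strip())  # first occurrence wins
    return cookies

def pick_credential(headers, cookie_name=COOKIE_NAME):
    """Return ('bearer', token), ('cookie', token) or (None, reason); Authorization wins."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get(AUTH_HEADER)
    if auth is not None:
        scheme, _, token = auth.strip().partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return (None, "unsupported Authorization scheme")
        return ("bearer", token.strip())
    cookie = lowered.get("cookie")
    if cookie is None:
        return (None, "missing credentials")
    token = parse_cookie_header(cookie).get(cookie_name)
    if not token:
        return (None, "session cookie %r not present" % cookie_name)
    return ("cookie", token)

def introspect(token, now):
    """Validate an opaque token the way a key-manager introspection call would."""
    info = INTROSPECTION.get(token)
    if info is None or not info["active"]:
        return (False, "token unknown or revoked")
    if info["exp"] <= now:
        return (False, "token expired; client must obtain a new one via /token")
    return (True, "ok")

def authenticate(headers, now):
    # Gateway decision: (True, source) on success, (False, reason) otherwise.
    source, value = pick_credential(headers)
    if source is None:
        return (False, value)
    ok, reason = introspect(value, now)
    return (True, source) if ok else (False, reason)
```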
