Hi Dushan,

On Wed, Sep 4, 2019 at 10:54 AM Dushan Silva <[email protected]> wrote:

> Hi Johann,
>
> AFAIK we are using #2 and a similar mechanism using jaggery for the APIM
> 3.x.x store/publisher.
>
> I'm a bit unclear on what you mean by *"other APIs". *

I meant the actual customer APIs which will be published from API Publisher and hosted on the API Gateway and managed by the API Manager. If these APIs are going to be consumed by a 3rd party SPA, the above protection mechanism can be useful. If we do it at the API Gateway layer, then we don't need to handle it specially in the Jaggery layer for the Store/Publisher Rest APIs. Those also can be proxied through the API Gateway and get the same protection mechanism.

Thanks & Regards,
Johann.

> On Wed, Sep 4, 2019 at 10:47 AM Johann Nallathamby <[email protected]> wrote:
>
>> Hi APIM Team,
>>
>> Protecting access tokens in SPAs has been a complicated affair. Though
>> there hasn't been a standard solution pattern for this problem, a cookie
>> based protection approach is what most vendors follow.
>>
>> With APIM 3.x.x we are supporting cookie based access tokens to protect
>> the API Store/Publisher Rest APIs. However, since this implementation has
>> been done in the API Store/Publisher backend, it cannot be reused for regular
>> APIs hosted on the API Gateway. I was wondering if we can support this as a
>> standard protection mechanism for other APIs as well.
>>
>> *Steps*
>>
>> 1. Intercept the token response from the authorization server in the API
>> Gateway.
>> 2. Modify the token response in the gateway by splitting the access token
>> and writing one half to a "httponly" cookie, and the other half to a
>> "non-httponly" cookie, or leave it in the token response body.
>> 3. When the SPA calls an API by setting the part of the access token which it
>> has access to in the authorization header, the gateway will join the other
>> half it reads from the "httponly" cookie, and introspect with the
>> authorization server.
>> 4. The current API Store/Publisher Rest APIs can also be proxied via the
>> gateway to obtain the same functionality.
>>
>> Thoughts?
>>
>> Thanks & Regards,
>> Johann.
>>
>> --
>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>
> --
> Best Regards
> Dushan Silva
> Software Engineer
>
> *WSO2, Inc. *
> lean . enterprise . middleware
> Mob: +94 774 979042

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
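As an added illustration of the gateway side of steps 2 and 3 in Johann's proposal (example code written for this thread, not WSO2 API Manager or Jaggery code), the functions below split a token response into a body half and an HttpOnly-cookie half and later rejoin them before introspection. The cookie name `at_half` and the in-memory introspection stand-in are assumptions.

```javascript
// Added example, not WSO2 API Manager code. Simulates the gateway side of the
// split-token scheme: one half of the access token goes to an HttpOnly cookie,
// the other half stays in the token response body for the SPA to use.
const COOKIE_NAME = 'at_half'; // assumed cookie name, not from the thread

// Steps 1-2: intercept the authorization server's token response and split
// the access token. Returns the rewritten body and the Set-Cookie header the
// gateway adds before forwarding the response to the SPA.
function splitTokenResponse(tokenResponse) {
  const token = tokenResponse.access_token;
  const mid = Math.ceil(token.length / 2);
  const clientHalf = token.slice(0, mid);   // readable by SPA script
  const cookieHalf = token.slice(mid);      // HttpOnly: script cannot read it
  const body = Object.assign({}, tokenResponse, { access_token: clientHalf });
  const setCookie = `${COOKIE_NAME}=${cookieHalf}; HttpOnly; Secure; SameSite=Strict; Path=/`;
  return { body, setCookie };
}

// Minimal Cookie header parser (name=value pairs separated by ';').
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Step 3: on an API call, join the half from the Authorization header with the
// half the browser sent in the HttpOnly cookie. Returns null if either is
// missing, so a leaked body half on its own never reaches introspection.
function reassembleToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  if (!m) return null;
  const cookieHalf = parseCookies(headers.cookie)[COOKIE_NAME];
  if (!cookieHalf) return null;
  return m[1] + cookieHalf;
}

// Stand-in for the introspection call to the authorization server:
// a constructed in-memory set of currently active tokens.
function introspect(token, activeTokens) {
  return token !== null && activeTokens.has(token);
}
```

Because the browser attaches the cookie automatically, the gateway still needs CSRF protection on the proxied API calls; the SameSite attribute above covers the common case but is not a complete substitute.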
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
