Hi all,

We are trying to implement password grant type based authentication for publisher and store apps in APIM. Initially, consumer key and secret for publisher and store apps will be created from the external key manager (IS) through DCR (Dynamic Client Registration). Any user accessing the publisher or store micro services would require to log in using either publisher or store apps.

During the login process, the access token will be requested from the key manager and sent as cookies in the response. We will split the access token into two parts; one part will be stored as an "HttpOnly" cookie which cannot be accessed from javascript (front end). The other part will be stored in a normal cookie. These cookies will be set to the domain and the context (/publisher or /store), so all the following requests would contain these two cookies for a particular app.

So when a particular UUF page is requested, we need to check whether these cookies are present in the request. If so, resources will be fetched from micro services. Here, through the interceptor, the access token will be re-created using the cookies and validated with the key manager. If the cookies are missing in the request, we need to redirect to the login page.

Now we have implemented a micro service (bound with the publisher UUF app) which will be called for a login request. This will provide a response with cookies. What we tried to do is to check for these cookies for each and every page request that comes to the UUF app.

Thanks!
Rajith

On Mon, Feb 6, 2017 at 4:28 PM, Manuranga Perera <[email protected]> wrote:
> @Rajith
> Is that true, are you doing auth in frontend (btw what app is this?)
> Then why do you need cookies? You just have to send auth header [1] ?
>
> [1] https://docs.google.com/drawings/d/1wtiF_UK2e4sZVorvfBUZh2UCaZq9sTCGoaDojSdwp7I/edit
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : [email protected]
>

--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-72-642-8350
