Hi Roshan,

On Fri, Nov 17, 2017 at 11:00 AM, roshan wijesena <[email protected]> wrote:

> Can you please explain more about this API-proxy? Is it only for decrypting
> the token?

Actually this proxy has two parts, LoginProxy and APIProxy. The LoginProxy part does the authentication and authorization of the user on behalf of the SPA. APIProxy mediates the calls to third-party APIs as requested by the SPA by decrypting the access_token. The ultimate goal is, when developing a SPA where there is no attached server-side, the developer just needs to call the necessary APIs of the proxy. Then the proxy will do the rest.

> APIM 3.0.X has SPAs for its publisher and store apps, have a look at the
> security implementation of it. AFAIK, there is no API proxy in that
> implementation.
>
> On Thu, Nov 16, 2017 at 11:06 PM, Thilina Madumal <[email protected]>
> wrote:
>
>> Hi Devs,
>>
>> The idea of an API-Proxy for Single Page Applications is quite helpful in
>> mitigating inherent security risks of keeping the access_token in the
>> browser side as plain text.
>>
>> Here the idea is to keep the access_token encrypted and set in a cookie.
>> API-Proxy will mediate all the calls for the third-party APIs by decrypting
>> the access_token value and calling the requested third-party APIs with the
>> decrypted access_token.
>>
>> This is a significantly valuable use-case for the SPAs where there is no
>> attached server-side other than the container which is used to facilitate
>> the initial page download.
>>
>> I'm in the requirement gathering phase. Would appreciate your suggestions
>> on,
>>
>> - what are the nice to have capabilities in API-Proxy
>> - what are the complexities that will arise while implementing this
>> - how to achieve the third-party API call mediation
>> - Is this a valid use-case
>> - or is this a redundant effort
>> - are there any alternatives
>> - and etc.
>>
>> This is an open invitation to shoot whatever pops into your mind in this
>> regard :)
>>
>> Thanks in advance.
>>
>> Cheers,
>> Thilina

--
Thilina Madumal
Software Engineer | WSO2
Email: [email protected]
Mobile: +94 774553167
Web: http://wso2.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
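
Added example, not part of the original thread and not WSO2 code: a Node.js sketch of the encrypted-cookie flow discussed above, where the LoginProxy seals the access_token and the APIProxy unseals it before calling the third-party API. The thread names no cipher or cookie layout, so AES-256-GCM, the cookie name `spa_at`, the cookie attributes and all function names are assumptions.

```javascript
// Added example: names, key handling and cookie layout are assumptions, not WSO2 code.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const COOKIE_NAME = 'spa_at';   // hypothetical cookie name
const KEY = randomBytes(32);    // proxy-only AES-256 key; a real proxy loads it from a secret store

// LoginProxy side: seal the access_token so the browser only ever holds ciphertext.
function sealToken(accessToken, key = KEY) {
  const iv = randomBytes(12);   // fresh 96-bit nonce for every cookie
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(accessToken, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Set-Cookie value: HttpOnly keeps page scripts away from it, Secure limits it to HTTPS.
function buildSetCookie(accessToken, key = KEY) {
  return `${COOKIE_NAME}=${sealToken(accessToken, key)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// APIProxy side: recover the token; malformed or tampered cookies yield null.
function openToken(sealed, key = KEY) {
  try {
    const raw = Buffer.from(sealed, 'base64url');
    if (raw.length < 12 + 16 + 1) return null;   // iv + tag + at least one byte
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  } catch {
    return null;                                 // GCM authentication failed
  }
}

// APIProxy side: map the incoming Cookie header to headers for the third-party call.
function upstreamHeaders(cookieHeader, key = KEY) {
  const pair = (cookieHeader || '').split(';').map((s) => s.trim())
    .find((s) => s.startsWith(COOKIE_NAME + '='));
  const token = pair ? openToken(pair.slice(COOKIE_NAME.length + 1), key) : null;
  return token ? { Authorization: `Bearer ${token}` } : null; // null: answer 401, forward nothing
}
```

Because the browser attaches the cookie automatically, a proxy built this way also needs CSRF protection on its own endpoints; `SameSite=Strict` covers only part of that.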
