Hi Roshan,

I have looked at the APIM 3.0.0-M7 security implementation for store and publisher SPAs and it seems that it is using password grant_type and using "server-side" endpoints provided by the APIM server, /login/token/publisher or /login/token/store. Do you agree or did I miss something?

Thanks
Cyril

2017-11-17 6:30 GMT+01:00 roshan wijesena <[email protected]>:

> Can you please explain more about this API-proxy? Is it only for decrypting the token?
>
> APIM 3.0.X has SPAs for its publisher and store apps, have a look at the security implementation of it. AFAIK, there is no API proxy in that implementation.
>
> On Thu, Nov 16, 2017 at 11:06 PM, Thilina Madumal <[email protected]> wrote:
>
>> Hi Devs,
>>
>> The idea of an API-Proxy for Single Page Applications is quite helpful in mitigating inherent security risks of keeping the access_token in the browser side as plain text.
>>
>> Here the idea is to keep the access_token encrypted and set in a cookie. API-Proxy will mediate all the calls for the third-party APIs by decrypting the access_token value and calling the requested third-party APIs with the decrypted access_token.
>>
>> This is a significantly valuable use-case for the SPAs where there is no attached server-side other than the container which is used to facilitate the initial page download.
>>
>> I'm in the requirement gathering phase. Would appreciate your suggestions on,
>>
>> - what are the nice-to-have capabilities in API-Proxy
>> - what are the complexities that will arise while implementing this
>> - how to achieve the third-party API call mediation
>> - is this a valid use-case
>> - or is this a redundant effort
>> - are there any alternatives
>> - etc.
>>
>> This is an open invitation to shoot whatever pops into your mind in this regard :)
>>
>> Thanks in advance.
>>
>> Cheers,
>> Thilina
>> --
>> Thilina Madumal
>> Software Engineer | WSO2
>> Email: [email protected]
>> Mobile: +94 774553167
>> Web: http://wso2.com
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
