Hi APIM Team,

Protecting access tokens in SPAs has been a complicated affair. Though there hasn't been a standard solution pattern for this problem, a cookie-based protection approach is what most vendors follow.

With APIM 3.x.x we are supporting cookie-based access tokens to protect the API Store/Publisher REST APIs. However, since this implementation has been done in the API Store/Publisher backend, it cannot be reused for regular APIs hosted on the API Gateway. I was wondering if we can support this as a standard protection mechanism for other APIs as well.

*Steps*

1. Intercept the token response from the authorization server in the API Gateway.
2. Modify the token response in the gateway by splitting the access token and writing one half to an "httponly" cookie, and the other half to a "non-httponly" cookie, or leave it in the token response body.
3. When the SPA calls an API by setting the part of the access token which it has access to in the Authorization header, the gateway will join it with the other half it reads from the "httponly" cookie, and introspect with the authorization server.
4. The current API Store/Publisher REST APIs can also be proxied via the gateway to obtain the same functionality.

Thoughts?

Thanks & Regards,
Johann.

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
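The split-token flow proposed in the steps above, as an added example that is not part of the original mail and not WSO2 APIM gateway code. It assumes a cookie name (at_half), that the SPA sends its half as "Authorization: Bearer <half>", and it stands in for the authorization server with an in-memory token table exposing an introspection lookup; all of those are assumptions for illustration, not details from the proposal.

```python
"""Added example: gateway-side splitting and rejoining of an access token.

Not WSO2 APIM code. Assumed names: COOKIE_NAME, as_issue_token, as_introspect,
split_token_response, reassemble_token, gateway_authorize. The authorization
server is simulated by an in-memory dict (constructed for the example).
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "at_half"  # assumed name of the HttpOnly cookie

# --- simulated authorization server (constructed, in-memory) ---------------
ISSUED_TOKENS: Dict[str, dict] = {}


def as_issue_token(subject: str, expires_in: int = 3600) -> dict:
    """Mimic the authorization server's token endpoint response."""
    token = secrets.token_urlsafe(48)
    ISSUED_TOKENS[token] = {"active": True, "sub": subject}
    return {"access_token": token, "token_type": "Bearer", "expires_in": expires_in}


def as_introspect(token: str) -> dict:
    """RFC 7662-style introspection: an unknown (or half) token is inactive."""
    return ISSUED_TOKENS.get(token, {"active": False})


# --- steps 1 and 2: gateway intercepts the token response and splits it ---
def split_token_response(token_response: dict) -> Tuple[dict, str]:
    """Return (body for the SPA, Set-Cookie header value) for a token response."""
    token = token_response["access_token"]
    mid = len(token) // 2
    spa_half, cookie_half = token[:mid], token[mid:]

    body = dict(token_response)
    body["access_token"] = spa_half  # only this half is visible to JavaScript

    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = cookie_half
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True      # script cannot read the other half
    morsel["secure"] = True        # sent over HTTPS only
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    if "expires_in" in token_response:
        morsel["max-age"] = int(token_response["expires_in"])
    return body, cookie.output(header="").strip()


# --- step 3: gateway rejoins both halves and introspects the result -------
def reassemble_token(authorization: Optional[str], cookie_header: Optional[str]) -> Optional[str]:
    """Join the SPA half (Authorization header) with the HttpOnly cookie half."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    spa_half = authorization[len("Bearer "):].strip()
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if not spa_half or COOKIE_NAME not in jar:
        return None  # either half on its own must never be introspected
    return spa_half + jar[COOKIE_NAME].value


def gateway_authorize(headers: dict) -> dict:
    """Decide whether an inbound API call carries a valid, complete token."""
    token = reassemble_token(headers.get("Authorization"), headers.get("Cookie"))
    if token is None:
        return {"active": False}
    return as_introspect(token)


def demo() -> bool:
    """Full exchange: issue, split, legitimate call, then two partial-token calls."""
    body, set_cookie = split_token_response(as_issue_token("alice"))
    cookie = set_cookie.split(";")[0]  # "at_half=<half>", as the browser echoes it
    ok = gateway_authorize({"Authorization": "Bearer " + body["access_token"], "Cookie": cookie})
    cookie_only = gateway_authorize({"Cookie": cookie})                                   # CSRF-style
    header_only = gateway_authorize({"Authorization": "Bearer " + body["access_token"]})  # XSS-style
    return bool(ok["active"]) and not cookie_only["active"] and not header_only["active"]


if __name__ == "__main__":
    print("split-token flow works:", demo())
```

The two negative cases in demo() are the point of the scheme: a cross-site request that carries only the cookie, or a script that has stolen only the header half, never reaches introspection with a complete token. The cookie attributes (HttpOnly, Secure, SameSite) are what keep the second half out of reach of page scripts and cross-site requests, so they should be set on whatever gateway actually implements this.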