Can you please explain more about this API-proxy? Is it only for decrypting the token?
APIM 3.0.X has SPAs for its publisher and store apps, have a look at the security implementation of it. AFAIK, there is no API proxy in that implementation.

On Thu, Nov 16, 2017 at 11:06 PM, Thilina Madumal <[email protected]> wrote:
> Hi Devs,
>
> The idea of an API-Proxy for Single Page Applications is quite helpful in mitigating inherent security risks of keeping the access_token in the browser side as plain text.
>
> Here the idea is to keep the access_token encrypted and set in a cookie. API-Proxy will mediate all the calls for the third-party APIs by decrypting the access_token value and calling the requested third-party APIs with the decrypted access_token.
>
> This is a significantly valuable use-case for the SPAs where there is no attached server-side other than the container which is used to facilitate the initial page download.
>
> I'm in the requirement gathering phase. Would appreciate your suggestions on,
>
> - what are the nice to have capabilities in API-Proxy
> - what are the complexities that will arise while implementing this
> - how to achieve the third-party API call mediation
> - Is this a valid use-case
> - or is this a redundant effort
> - are there any alternatives
> - and etc.
>
> This is an open invitation to shoot whatever pops into your mind in this regards :)
>
> Thanks in advance.
>
> Cheers,
> Thilina
> --
> Thilina Madumal
> Software Engineer | WSO2
> Email: [email protected]
> Mobile: +94 774553167
> Web: http://wso2.com
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
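The mediation flow sketched in the quoted mail (the access_token sealed into a cookie, a proxy that unseals it and calls the third-party API on the browser's behalf), written out as an added example; this is not code from the thread, from WSO2 or from APIM. It assumes a cookie named `at`, a master key that only the proxy holds, and uses HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag as a standard-library-only stand-in for a real AEAD such as AES-GCM. The token, key and upstream API are constructed demo values.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

COOKIE_NAME = "at"          # assumed cookie name; the thread does not name one
NONCE_LEN = 16
TAG_LEN = 32                # HMAC-SHA256 tag length

# Constructed demo values, not taken from the thread.
DEMO_MASTER_KEY = b"\x01" * 32
DEMO_ACCESS_TOKEN = "constructed-demo-access-token"


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key for encryption or for authentication."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (use AES-GCM in practice)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_token(master_key: bytes, access_token: str) -> str:
    """Encrypt-then-MAC the token into base64url(nonce || ciphertext || tag)."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    plaintext = access_token.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")


def open_token(master_key: bytes, sealed: str) -> Optional[str]:
    """Check the tag before decrypting; a tampered cookie or wrong key yields None."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    try:
        raw = base64.urlsafe_b64decode(sealed.encode("ascii"))
    except ValueError:                      # binascii.Error and UnicodeEncodeError are ValueErrors
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8")


def set_cookie_header(sealed: str) -> str:
    """Cookie attributes that keep the sealed token out of reach of page scripts."""
    return f"{COOKIE_NAME}={sealed}; Path=/; HttpOnly; Secure; SameSite=Strict"


def _cookie_value(cookie_header: Optional[str], name: str) -> Optional[str]:
    """Minimal Cookie header parser; partition() keeps any '=' padding inside the value."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def proxy_call(master_key: bytes, cookie_header: Optional[str],
               upstream: Callable[[Dict[str, str]], Dict[str, object]]) -> Dict[str, object]:
    """Mediate one third-party call: unseal the cookie, forward with a Bearer header."""
    sealed = _cookie_value(cookie_header, COOKIE_NAME)
    token = open_token(master_key, sealed) if sealed is not None else None
    if token is None:
        return {"status": 401, "body": "missing or invalid token cookie"}
    # Only the proxy ever handles the plaintext token; the browser never sees it.
    return upstream({"Authorization": f"Bearer {token}"})


def demo_upstream(headers: Dict[str, str]) -> Dict[str, object]:
    """Constructed stand-in for a third-party API that checks the Bearer token."""
    if headers.get("Authorization") == f"Bearer {DEMO_ACCESS_TOKEN}":
        return {"status": 200, "body": "third-party data"}
    return {"status": 403, "body": "bad token"}


if __name__ == "__main__":
    sealed = seal_token(DEMO_MASTER_KEY, DEMO_ACCESS_TOKEN)
    print(set_cookie_header(sealed))
    print(proxy_call(DEMO_MASTER_KEY, f"{COOKIE_NAME}={sealed}; theme=dark", demo_upstream))
    print(proxy_call(DEMO_MASTER_KEY, None, demo_upstream))
```

Two of the "complexities" the mail asks about show up directly in this shape. The `HttpOnly` attribute is what actually removes the token from script reach, and the authentication tag is what lets the proxy reject a cookie whose contents were altered rather than forwarding garbage upstream. Because the browser now attaches the cookie to every request automatically, the proxy also inherits the usual cross-site request concerns that a bearer header in script did not have, which is why the example sets `SameSite=Strict`.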
