Hi Thilina,

Can you try implementing this with Ballerina? This should be a simple case for Ballerina.

Cheers,
Ruwan

On Fri, Nov 17, 2017 at 11:16 AM, Thilina Madumal <[email protected]> wrote:

> Hi Roshan,
>
> On Fri, Nov 17, 2017 at 11:00 AM, Roshan Wijesena <[email protected]> wrote:
>
>> Can you please explain more about this API-proxy? Is it only for decrypting the token?
>
> Actually this proxy has two parts, LoginProxy and APIProxy.
> The LoginProxy part does the authentication and authorization of the user on behalf of the SPA.
> The APIProxy mediates the calls to third-party APIs as requested by the SPA by decrypting the access_token.
>
> The ultimate goal is, when developing a SPA where there is no attached server-side, the developer just needs to call the necessary APIs of the proxy.
> Then the proxy will do the rest.
>
>> APIM 3.0.X has SPAs for its publisher and store apps; have a look at the security implementation of it. AFAIK, there is no API proxy in that implementation.
>>
>> On Thu, Nov 16, 2017 at 11:06 PM, Thilina Madumal <[email protected]> wrote:
>>
>>> Hi Devs,
>>>
>>> The idea of an API-Proxy for Single Page Applications is quite helpful in mitigating the inherent security risks of keeping the access_token on the browser side as plain text.
>>>
>>> Here the idea is to keep the access_token encrypted and set in a cookie. The API-Proxy will mediate all the calls for the third-party APIs by decrypting the access_token value and calling the requested third-party APIs with the decrypted access_token.
>>>
>>> This is a significantly valuable use-case for SPAs where there is no attached server-side other than the container which is used to facilitate the initial page download.
>>>
>>> I'm in the requirement gathering phase. Would appreciate your suggestions on:
>>>
>>> - what are the nice-to-have capabilities in API-Proxy
>>> - what are the complexities that will arise while implementing this
>>> - how to achieve the third-party API call mediation
>>> - is this a valid use-case
>>> - or is this a redundant effort
>>> - are there any alternatives
>>> - etc.
>>>
>>> This is an open invitation to shoot whatever pops into your mind in this regard :)
>>>
>>> Thanks in advance.
>>>
>>> Cheers,
>>> Thilina
>>> --
>>> Thilina Madumal
>>> Software Engineer | WSO2
>>> Email: [email protected]
>>> Mobile: +94 774553167
>>> Web: http://wso2.com
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Ruwan Abeykoon
Associate Director/Architect, WSO2, Inc.
http://wso2.com
lean.enterprise.middleware.
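The design Thilina sketches in the thread above (the access_token sealed into a cookie by LoginProxy, and APIProxy decrypting it on every call before forwarding to the third-party API with a Bearer header) is small enough to show end to end. The Go program below is an added example written for this page; it is not code from WSO2, from the thread, or from any Ballerina implementation. The cookie name api_token, the helper names (mustGCM, sealToken, openToken, newAPIProxy, roundTrip), AES-256-GCM as the sealing primitive, the hard-coded demo key and the in-process fake upstream are all assumptions made for the demo. It uses only the Go standard library, so it runs offline with `go run`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

const cookieName = "api_token" // assumed cookie name for the demo

// mustGCM builds AES-GCM from a 16/24/32-byte key; a bad key is a startup error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block (16-byte block size)
	return gcm
}

// sealToken encrypts the access_token for the cookie: random nonce prepended to
// the ciphertext, URL-safe base64 so the result is a valid cookie value.
func sealToken(gcm cipher.AEAD, token string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(token), nil)), nil
}

// openToken reverses sealToken. GCM is authenticated, so a cookie that was
// altered or sealed under another key is rejected rather than decrypted.
func openToken(gcm cipher.AEAD, sealed string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(sealed)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed sealed token")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}

// newAPIProxy is the APIProxy side: decrypt the cookie, forward the call to the
// third-party API with a Bearer header, relay the response. The SPA never
// touches the plaintext access_token.
func newAPIProxy(gcm cipher.AEAD, upstream string, client *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		if err != nil {
			http.Error(w, "missing session cookie", http.StatusUnauthorized)
			return
		}
		token, err := openToken(gcm, c.Value)
		if err != nil {
			http.Error(w, "invalid session cookie", http.StatusUnauthorized)
			return
		}
		req, _ := http.NewRequest(r.Method, upstream+r.URL.RequestURI(), r.Body)
		req.ContentLength = r.ContentLength
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// roundTrip stands up a fake third-party API that echoes the Authorization header
// it receives, puts the proxy in front of it, and sends one SPA-style request
// carrying only the cookie. It returns the status and body the SPA sees.
func roundTrip(gcm cipher.AEAD, cookieValue string) (int, string, error) {
	up := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "upstream saw: %q", r.Header.Get("Authorization"))
	}))
	defer up.Close()
	proxy := httptest.NewServer(newAPIProxy(gcm, up.URL, up.Client()))
	defer proxy.Close()
	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/v1/profile", nil)
	req.AddCookie(&http.Cookie{Name: cookieName, Value: cookieValue})
	resp, err := proxy.Client().Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	gcm := mustGCM([]byte("constructed-demo-key-32-bytes!!!")) // demo key; a real proxy loads it from a secret store
	sealed, _ := sealToken(gcm, "access-token-from-idp")      // constructed sample token
	fmt.Println(roundTrip(gcm, sealed))                       // 200 upstream saw: "Bearer access-token-from-idp"
	fmt.Println(roundTrip(gcm, "tampered"))                   // 401 invalid session cookie
}
```

Two things the demo makes concrete that the thread only implies. First, the sealing primitive has to be authenticated encryption: with GCM, a cookie that was edited or that was sealed under a different key fails `openToken` and the proxy answers 401 instead of forwarding garbage upstream. Second, because the browser attaches the cookie automatically, APIProxy is a cookie-authenticated endpoint like any other: the LoginProxy side should set it with HttpOnly, Secure and SameSite, the proxy should check the Origin header or a CSRF token, and it should only forward to a fixed allow-list of upstream hosts (the demo takes `upstream` as a constructor argument for exactly that reason), never to a URL supplied in the request.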
