Hi Ruwan,

On Fri, Nov 17, 2017 at 11:20 AM, Ruwan Abeykoon <[email protected]> wrote:

> Hi Thilina,
> Can you try implementing this with Ballerina? This should be a simple case
> for Ballerina.

Yep, I'm looking into it.

> Cheers,
> Ruwan
>
> On Fri, Nov 17, 2017 at 11:16 AM, Thilina Madumal <[email protected]>
> wrote:
>
>> Hi Roshan,
>>
>> On Fri, Nov 17, 2017 at 11:00 AM, roshan wijesena <[email protected]>
>> wrote:
>>
>>> Can you please explain more about this API-proxy? Is it only for
>>> decrypting the token?
>>
>> Actually this proxy has two parts, LoginProxy and APIProxy.
>> The LoginProxy part does the authentication and authorization of the user on
>> behalf of the SPA.
>> APIProxy mediates the calls to third-party APIs as requested by the SPA
>> by decrypting the access_token.
>>
>> The ultimate goal is, when developing a SPA where there is no attached
>> server-side, the developer just needs to call the necessary APIs of the
>> proxy.
>> Then the proxy will do the rest.
>>
>>> APIM 3.0.X has SPAs for its publisher and store apps, have a look at
>>> the security implementation of it. AFAIK, there is no API proxy in that
>>> implementation.
>>>
>>> On Thu, Nov 16, 2017 at 11:06 PM, Thilina Madumal <[email protected]>
>>> wrote:
>>>
>>>> Hi Devs,
>>>>
>>>> The idea of an API-Proxy for Single Page Applications is quite helpful
>>>> in mitigating inherent security risks of keeping the access_token in the
>>>> browser side as plain text.
>>>>
>>>> Here the idea is to keep the access_token encrypted and set in a
>>>> cookie. API-Proxy will mediate all the calls for the third-party APIs by
>>>> decrypting the access_token value and calling the requested third-party
>>>> APIs with the decrypted access_token.
>>>>
>>>> This is a significantly valuable use-case for the SPAs where there is
>>>> no attached server-side other than the container which is used to
>>>> facilitate the initial page download.
>>>>
>>>> I'm in the requirement gathering phase. Would appreciate your
>>>> suggestions on,
>>>>
>>>> - what are the nice to have capabilities in API-Proxy
>>>> - what are the complexities that will arise while implementing this
>>>> - how to achieve the third-party API call mediation
>>>> - is this a valid use-case
>>>> - or is this a redundant effort
>>>> - are there any alternatives
>>>> - and etc.
>>>>
>>>> This is an open invitation to shoot whatever pops into your mind in
>>>> this regard :)
>>>>
>>>> Thanks in advance.
>>>>
>>>> Cheers,
>>>> Thilina
>
> --
> *Ruwan Abeykoon*
> *Associate Director/Architect,*
> *WSO2, Inc. http://wso2.com*
> *lean.enterprise.middleware.*

Thanks,
Thilina

--
*Thilina Madumal*
*Software Engineer | WSO2*
Email: [email protected]
Mobile: +94 774553167
Web: http://wso2.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
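
The cookie scheme proposed in the original post, as an added example in Go (not code from this thread or from WSO2): the LoginProxy side seals the access_token into a cookie value and the APIProxy side opens it to form the outbound `Authorization` header, rejecting any altered cookie. The cipher (AES-256-GCM), the cookie name `spa_at`, and the function names are assumptions; the thread specifies none of them.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
)

const cookieName = "spa_at" // hypothetical name; the thread does not specify one
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken (LoginProxy side) encrypts the access_token into a cookie value.
func SealToken(aead cipher.AEAD, token string) string {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(token), nil))
}

// BearerFor (APIProxy side) decrypts the cookie into the outbound Authorization value.
func BearerFor(aead cipher.AEAD, in *http.Request) (string, error) {
	c, err := in.Cookie(cookieName)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(c.Value)
	if n := aead.NonceSize(); err == nil && len(raw) > n {
		if pt, err := aead.Open(nil, raw[:n], raw[n:], nil); err == nil {
			return "Bearer " + string(pt), nil
		}
	}
	return "", fmt.Errorf("token cookie rejected") // malformed, altered, or wrong key
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	in, _ := http.NewRequest("GET", "http://proxy.example/api", nil)
	in.AddCookie(&http.Cookie{Name: cookieName, Value: SealToken(aead, "constructed-token")})
	fmt.Println(BearerFor(aead, in))
}
```

The key stays on the proxy, so script running in the browser can at most replay the opaque cookie through the proxy; setting the cookie `HttpOnly`, `Secure` and `SameSite` limits that as well.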
