Identity Patterns with the WSO2 Identity Server
Single Page Application (SPA) proxy

Problem:
  • Authenticate users to a single page application in a secure manner, via OAuth 2.0.
  • When the SPA accesses an OAuth-secured API, the access token must be kept invisible to the end user (and to any script running in the browser).
  • When the SPA accesses an OAuth-secured API, the client (the SPA itself) must be authenticated in a legitimate manner.
Solution:
  • There are multiple ways to secure an SPA and this presentation covers some options: http://www.slideshare.net/prabathsiriwardena/securing-singlepage-applications-with-oauth-20 
  • This pattern is the SPA proxy pattern: a proxy is introduced, and all calls from the SPA are routed through the proxy, which holds the tokens and talks to the API on the SPA's behalf.
  • Build an SPA proxy and deploy it in WSO2 Identity Server. A sample proxy app is available at https://github.com/facilelogin/aratuwa/tree/master/oauth2.0-apps.
  • The SPA proxy must be registered in the WSO2 Identity Server as a service provider with an OAuth inbound authenticator.
  • To make the SPA proxy stateless, the access_token and the id_token obtained from the WSO2 Identity Server (after the OAuth flow completes) are encrypted and set as a cookie; on each subsequent call the proxy decrypts the cookie and attaches the access token to the upstream API request.
  • Products: WSO2 Identity Server 5.0.0+
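The core of the stateless proxy described above, as an added Go example (this is not code from the page or from the aratuwa sample app): the token set returned by the Identity Server is sealed with AES-256-GCM into an HttpOnly cookie, and each later API call from the SPA is authorized by decrypting that cookie and attaching the access token as a bearer token on the outbound request. The cookie name SPA_SESSION, the 32-byte proxy key, the expiry field and the token values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// tokenSet is what the proxy keeps from the Identity Server token response.
// ExpiresAt is an assumption: the proxy records when the access token expires so a
// stale cookie is rejected without a round trip to the Identity Server.
type tokenSet struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
	ExpiresAt   int64  `json:"exp"`
}

// sessionCookie is a hypothetical cookie name; it is also used as GCM associated
// data so a ciphertext cannot be replayed under a different cookie name.
const sessionCookie = "SPA_SESSION"

// sealTokens encrypts the token set under the proxy's 32-byte key (AES-256-GCM)
// and returns a cookie-safe base64url value: nonce || ciphertext || tag.
func sealTokens(key []byte, ts tokenSet) (string, error) {
	plain, err := json.Marshal(ts)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plain, []byte(sessionCookie))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openTokens decrypts and authenticates a cookie value; any tampering fails the GCM
// tag check, and an expired access token is rejected so it is never forwarded.
func openTokens(key []byte, value string, now time.Time) (tokenSet, error) {
	var ts tokenSet
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return ts, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return ts, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ts, err
	}
	if len(raw) < gcm.NonceSize() {
		return ts, errors.New("cookie too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(sessionCookie))
	if err != nil {
		return ts, errors.New("cookie failed authentication")
	}
	if err := json.Unmarshal(plain, &ts); err != nil {
		return ts, err
	}
	if now.Unix() >= ts.ExpiresAt {
		return tokenSet{}, errors.New("access token expired")
	}
	return ts, nil
}

// sessionCookieFor is the Set-Cookie the proxy returns after the OAuth callback.
// HttpOnly keeps the sealed tokens out of reach of SPA JavaScript; Secure and
// SameSite limit where the browser will send the cookie.
func sessionCookieFor(value string, expires time.Time) *http.Cookie {
	return &http.Cookie{Name: sessionCookie, Value: value, Path: "/", Expires: expires,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// authorizeUpstream turns an SPA request into an authorized API request: it reads
// the session cookie, recovers the access token and sets the bearer header on the
// outbound request. The cookie itself is never forwarded to the API.
func authorizeUpstream(key []byte, in, out *http.Request, now time.Time) error {
	c, err := in.Cookie(sessionCookie)
	if err != nil {
		return errors.New("no session cookie: user must complete the OAuth flow")
	}
	ts, err := openTokens(key, c.Value, now)
	if err != nil {
		return err
	}
	out.Header.Set("Authorization", "Bearer "+ts.AccessToken)
	return nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in deployment load it from the server keystore
	_, _ = rand.Read(key)
	now := time.Now()
	// constructed token values standing in for the Identity Server token response
	v, _ := sealTokens(key, tokenSet{AccessToken: "at-demo", IDToken: "idt-demo", ExpiresAt: now.Add(time.Hour).Unix()})
	in, _ := http.NewRequest("GET", "/api/orders", nil)
	in.AddCookie(sessionCookieFor(v, now.Add(time.Hour)))
	out, _ := http.NewRequest("GET", "https://api.example.test/orders", nil)
	fmt.Println(authorizeUpstream(key, in, out, now), out.Header.Get("Authorization"))
}
```

The SPA never sees the access token: it only holds an opaque, authenticated ciphertext that the browser sends automatically, and the proxy is the only party that can open it. Because the cookie carries everything the proxy needs, any proxy instance behind a load balancer can serve any request without shared session storage; the key is the one piece of state all instances must share, and rotating it invalidates every outstanding session at once.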