Identity Patterns with the WSO2 Identity Server
Single Page Application (SPA) proxy
Problem:
- Authenticate users to a single page application securely, via OAuth 2.0.
- When the SPA calls an OAuth-secured API, the access token must not be visible to the end user, or to any script running in the browser.
- When the SPA calls an OAuth-secured API, the client (the SPA itself) must be authenticated in a legitimate manner; a browser-only application cannot keep a client secret.
Solution:
- There are multiple ways to secure an SPA; this presentation covers several of the options: http://www.slideshare.net/prabathsiriwardena/securing-singlepage-applications-with-oauth-20
- This pattern introduces a proxy between the SPA and the OAuth-secured API. The SPA never talks to the API directly: every call is routed through the proxy, which holds the tokens and calls the API on the SPA's behalf.
- Build an SPA proxy and deploy it in the WSO2 Identity Server. A sample proxy application is available at https://github.com/facilelogin/aratuwa/tree/master/oauth2.0-apps.
- The SPA proxy must be registered in the WSO2 Identity Server as a service provider with OAuth/OpenID Connect as its inbound authentication configuration; it is the proxy, not the browser-side SPA, that holds the OAuth client credentials.
- To keep the SPA proxy stateless, the access_token and the id_token obtained from the WSO2 Identity Server at the end of the OAuth flow are encrypted and set as a cookie in the browser instead of being kept in a server-side session. On each subsequent request the proxy decrypts the cookie and attaches the access token to the outbound API call. The cookie should be marked HttpOnly and Secure, and the encryption should be authenticated so that a modified cookie is rejected, because that cookie is the only thing standing between the browser and the access token.
- Products: WSO2 Identity Server 5.0.0+
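The proxy's cookie handling and relay as a runnable example. This is added here and is not taken from the aratuwa sample application (a Java web app deployed in the Identity Server); Go is used so that the whole flow, a stand-in API included, runs offline in one file. The cookie name spa_session, the tokenSet field names, the token values at-123 and idt-456, the fixed 32-byte key and the choice of AES-GCM are all assumptions of this example: the page only says the tokens are encrypted into a cookie. The authorization-code exchange at the Identity Server's token endpoint is left out; sessionCookie is what the callback handler would call once it holds the tokens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// tokenSet holds what the proxy gets back from the OAuth 2.0 / OIDC code flow.
type tokenSet struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

const cookieName = "spa_session" // an assumption of this example, as are the field names above

// newAEAD builds AES-GCM for a 16/24/32-byte key; a wrong length is a deployment error.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

// sessionCookie is what the OAuth callback sets: AES-GCM encrypts and authenticates
// the tokens (cookie name bound as associated data) into base64url(nonce||ct||tag).
// HttpOnly keeps the blob from the SPA's JavaScript, Secure off plain HTTP, SameSite limits cross-site replay.
func sessionCookie(gcm cipher.AEAD, t tokenSet) (*http.Cookie, error) {
	plain, _ := json.Marshal(t) // a struct of strings always marshals
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v := base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, []byte(cookieName)))
	return &http.Cookie{Name: cookieName, Value: v, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}, nil
}

// openTokens reverses sessionCookie; a modified, truncated or foreign value fails the tag check.
func openTokens(gcm cipher.AEAD, value string) (t tokenSet, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil || len(raw) < gcm.NonceSize() {
		return t, fmt.Errorf("malformed cookie")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(cookieName))
	if err != nil {
		return t, fmt.Errorf("cookie failed authentication")
	}
	err = json.Unmarshal(plain, &t)
	return t, err
}

// newProxy is the stateless relay: no session store; each call opens the cookie and
// is forwarded to the API with a bearer header the browser never sees.
func newProxy(gcm cipher.AEAD, api *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(api)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var t tokenSet
		c, err := r.Cookie(cookieName)
		if err == nil {
			t, err = openTokens(gcm, c.Value)
		}
		if err != nil {
			http.Error(w, "not authenticated", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Cookie") // the session cookie is for the proxy only, not the API
		r.Header.Set("Authorization", "Bearer "+t.AccessToken)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the OAuth-protected API; "at-123" is a constructed token value.
	api := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer at-123" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"hello":"spa"}`)
	}))
	defer api.Close()
	gcm := newAEAD([]byte("0123456789abcdef0123456789abcdef")) // a deployment uses a configured, rotatable key
	upstream, _ := url.Parse(api.URL)
	c, _ := sessionCookie(gcm, tokenSet{AccessToken: "at-123", IDToken: "idt-456"}) // the OAuth callback
	req := httptest.NewRequest(http.MethodGet, "/me", nil)                            // the SPA sends only the cookie
	req.AddCookie(c)
	out := httptest.NewRecorder()
	newProxy(gcm, upstream).ServeHTTP(out, req)
	fmt.Println(out.Code, out.Body.String()) // 200 {"hello":"spa"}
}
```

Points to check when adapting this: AES-GCM gives confidentiality and integrity together, so any edit to the cookie fails the tag check and the proxy answers 401 before contacting the API, and binding the cookie name as associated data stops the same blob being replayed under another cookie name. The Cookie header is stripped before the request is forwarded, so the API never sees the session blob. Two limits to keep in mind: the encryption key must be configured and shared by every proxy instance behind a load balancer (a per-process random key would break the stateless design), and browsers cap a single cookie at roughly 4 KB, which a JWT id_token plus an access token can approach once encrypted and base64-encoded.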