Imported Google Group message. Original thread at: Redirecting to Google Groups Import Date: 2016-01-19 21:42:26 +0000.
Sender:Anthony Ferrara
.
Date:Thursday, 7 January 2016 22:50:24 UTC.
Hey everyone.
We’re currently evaluating using Tyk as a gateway of a greenfield project that we’re working on. One of the assumptions that we’re using is that we have no server-side clients. The only clients are a single-page application and mobile. So we’d like to use OAuth2 for authentication.
However, to use OAuth2 securely for a single-page-app requires some interesting compromises. We were investigating using a proxy: http://alexbilbie.com/2014/11/oauth-and-javascript/
The basic idea is to store the bearer token and refresh token in an encrypted cookie that the single page application uses to communicate with the API. The proxy then decrypts the cookie and decorates the request with the appropriate headers. So to the API gateway, it looks like any other OAuth2 request. The proxy would also manage the refresh functionality transparently, and decorate the response with set-cookie as necessary.
One idea that came to mind would be to not build a proxy, but to add this functionality to the Tyk instance as a plugin. This comes with some interesting questions though.
-
Support for and performance of crypto primitives.
A library may fill this need
-
Lack of crypto secure random number source in JS (crypt/rand is not exposed to JS)
A patch to Tyk may be required to fill this need…
However, there are two far more serious questions:
-
Right now, it doesn’t appear that there’s a way to decorate or modify the return of the HTTP request that’s proxied (meaning that the “middleware” isn’t really middleware but a hook that happens before the request).
This means that setting an encrypted cookie would be impossible, since we can’t modify the response that’s sent back.
-
It doesn’t appear there’s a way to “capture” and resubmit a request.
So if the token is invalid, there’s no way to capture that error, update the token and then retry the request.
This seems like a blocker to this approach.
Is there something obvious I’m missing here? Is there a better approach to this that doesn’t require us to use two authentication methods or two proxies (an “id” proxy, and an “api” proxy)?
Thanks!
Anthony