Closed gnulib closed 8 years ago
Actually, on the Devportal backend we are not using the security filter, only the RBAC filter. So we cannot do the code grant (because only when the security filter is applied do we configure endpoints to listen on the /openid/login endpoint). So we need to implement an endpoint to handle the code grant explicitly.
The problem with this flow is that the access token granted to the developer portal service app is being exposed to client-side script, potentially over clear text. This is an absolutely HUGE security issue.
Cannot do this flow. Will revert to the original design, i.e., let the user call the API with their own access token granted to the endpoint app, and then let the backend app use the same token for any subsequent requests, except for tenant management, where it will use its own service token.
Also, the endpoint app cannot validate a token granted to the service app, so that is another roadblock.
Will not implement this.
Need to change the token grant type to `code` and use the developer portal's redirect URL for the authorization code grant. So, the flow would be like:
developer.integratingfactor.com
redirect URL as https://dev-portal.appspot.com
realm=local host info