Integratingfactor / integratingfactor.github.io

Developer documentation for Integratingfactor.com

change access token grant to code #7

Closed gnulib closed 8 years ago

gnulib commented 8 years ago

Need to change the token grant to type code and use the developer portal's redirect URL for the authorization code grant.

So, the flow would be like:

  1. admin UI requests token grant with type code, client id developer.integratingfactor.com, redirect url as https://dev-portal.appspot.com and realm=local host info
  2. IDP grants authorization code and redirects to developer portal's redirect url
  3. dev portal performs authorization code grant request to obtain access token
  4. dev portal redirects back to realm provided local host info with access token info to continue operation

The last step above is only needed because we are serving the UI from a different location. If the UI is being served from the dev portal, then this is not needed; the dev portal just serves the new UI after the code grant redirect (and access token success).

gnulib commented 8 years ago

Actually, on the Devportal backend we are not using the security filter, only the RBAC filter. So we cannot do the code grant (because only when the security filter is applied do we configure endpoints to listen on the /openid/login endpoint). So we need to implement an endpoint to handle the code grant explicitly.

gnulib commented 8 years ago

The problem with this flow is that the access token granted to the developer portal service app is being exposed to client-side script, potentially over clear text. This is an absolutely HUGE security issue.

Cannot do this flow. Will revert to the original design, i.e., let the user call the API with their own access token granted to the endpoint app, and then let the backend app use the same token for any subsequent requests, except for tenant management, where it will use its own service token.
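As an added illustration (not the issue's or the project's code), the four steps from the first comment simulated in Python with a constructed in-memory IdP and portal. The client id and portal redirect URL come from the issue; the realm URL, token format and exchange logic are assumptions. It shows what client-side script can read at the step 2 hop versus the step 4 hop:

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Identifiers taken from the issue; IdP, portal, token format and realm are constructed.
CLIENT_ID = "developer.integratingfactor.com"
PORTAL_REDIRECT = "https://dev-portal.appspot.com"


class IdP:
    """Stand-in identity provider for the authorization code grant (assumed behaviour)."""

    def __init__(self):
        self.codes = {}

    def authorize(self, client_id, redirect_uri, realm):
        # Step 2: issue a one-time authorization code and redirect to the portal's URL.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, realm)
        return f"{redirect_uri}?{urlencode({'code': code, 'realm': realm})}"

    def exchange(self, code, client_id):
        # Step 3: server-to-server code-for-token exchange; the code is consumed on use.
        issued_to, realm = self.codes.pop(code)
        if issued_to != client_id:
            raise ValueError("code was not issued to this client")
        return {"access_token": "svc-" + secrets.token_urlsafe(8), "realm": realm}


def portal_callback(idp, redirect_url):
    """Steps 3-4 as the issue describes them: exchange the code, then hand the
    portal's own access token back to the realm's local host via a redirect."""
    query = parse_qs(urlparse(redirect_url).query)
    token = idp.exchange(query["code"][0], CLIENT_ID)
    return f"{token['realm']}?{urlencode({'access_token': token['access_token']})}"


def browser_exposure(url):
    """What client-side script sees at this hop: token in URL, and clear-text scheme."""
    parts = urlparse(url)
    return {
        "token_in_url": "access_token" in parse_qs(parts.query),
        "clear_text": parts.scheme == "http",
    }


def run_issue_flow(realm="http://localhost:8080/admin"):
    """Step 1: the admin UI asks for a code grant; returns the step-2 and step-4 redirects."""
    idp = IdP()
    step2 = idp.authorize(CLIENT_ID, PORTAL_REDIRECT, realm)
    step4 = portal_callback(idp, step2)
    return step2, step4
```

The step 2 redirect carries only the short-lived code, while the step 4 redirect places the service app's bearer token in a URL that the browser and any script on the realm page can read, over plain http in the constructed realm.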

gnulib commented 8 years ago

Also, the endpoint app cannot validate a token granted to the service app. So, another roadblocker.

gnulib commented 8 years ago

Will not implement this.