jaredhanson / passport-github

GitHub authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-github/?utm_source=github&utm_medium=referral&utm_campaign=passport-github&utm_content=about
MIT License

Question - forwarding request info (headers/cookies) to servers in your farm #52

Closed the1mills closed 9 years ago

the1mills commented 9 years ago

Hi Jared, we are using passport with a couple of Node.js servers at a startup - but we have some questions about how to use passport with proxy requests.

We aren't currently using this exactly - but imagine for the moment that we are: https://www.npmjs.com/package/express-http-proxy

Are you willing to provide any info as to best practices regarding a browser request to server A which in turn makes a request to server B - we want the same client to be authenticated in the same way on both servers. Currently if the web client makes a request directly to both servers, the client is authenticated, but if he authenticates with A and then A sends a request to server B, then of course, that second request contains none of the auth info that is needed to authenticate the client on server B.

Considering we own both servers A and B, should we just include the headers and cookies from the original request in our request from server A to B?

Is this considered a good practice? Any info would be helpful, thanks!

the1mills commented 9 years ago

I should add that we aren't directly forwarding; we process a request in server A and then use the NPM request module to create a new request to server B.

jaredhanson commented 9 years ago

Is this related to passport-github specifically?

the1mills commented 9 years ago

No sir, it is not.

jaredhanson commented 9 years ago

Could you move this to a better forum for discussion then?

Your question is about how security and credentials are maintained in a larger inter-service architecture. Passport can be used as a part of the implementation there, but such details are an application's own responsibility. If you want my feedback directly, you can email me and I'll reply as time and priorities permit.

simison commented 9 years ago

@the1mills perhaps post to http://security.stackexchange.com/ ?

the1mills commented 9 years ago

Thanks, yeah, I posted to programmers.stackexchange, but maybe a good idea to repost to security.stackexchange. @jaredhanson if I can't get a good answer in a week I will bother you then, but I know you get overwhelmed with requests for this lib.

the1mills commented 9 years ago

OK, I added it on security.stackexchange:

http://security.stackexchange.com/questions/104434/proxied-server-requests-forwarding-authentication-info-in-a-secure-fashion

Thanks!

jared commented 9 years ago

He's not the only one who gets overwhelmed -- the perils of being the first Jared on GitHub, I guess...

the1mills commented 9 years ago

Sorry, original Jared, I did correct it as soon as I realized! Too late.