Keycloak public client and authorization

As far as I understood, you have your frontend and backend applications separated. If your frontend is a static web app not being served by the same backend application (server), and your backend is a simple REST API, then you would have two Keycloak clients configured: a public client for the frontend app. It would …

Using OAuth for server-to-server authentication?

There are actually two OAuth specifications, the 3-legged version and the 2-legged version. The 3-legged version is the one that gets most of the attention. The 2-legged version does exactly what you want initially; it allows an application to grant access to another via either a shared secret key (very similar to Amazon's Web Service …

How to handle authentication/authorization with users in a database?

There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages according to your own situation. 1. Use Java EE provided container-managed authentication. Just declare a <security-constraint> in web.xml which refers to a security realm configured in the servlet container. You can for your webapp specify URL …

Authentication and authorization in Spring Data REST

The best bet for you is Spring Security. That would help you achieve authorization in a much simpler manner. Spring Security would require you to provide an implementation that looks at request headers and performs the log-in operation programmatically. Refer to the accepted answer here. I had followed the same and implemented the security layer in front of my …

Authentication, Authorization, User and Role Management and general Security in .NET

For coarse-grained security, you might find the inbuilt principal code useful; the user object (and their roles) are controlled in .NET by the "principal", but usefully the runtime itself can enforce this. The implementation of a principal can be implementation-defined, and you can usually inject your own; for example in WCF. To see the runtime …

ASP.NET MVC Authorization

Use the Authorize attribute: [Authorize] public ActionResult MyAction() { //stuff } You can also use this on the controller. Can pass in users or roles too. If you want something with a little more control, you could try something like this: public class CustomAuthorizeAttribute : AuthorizeAttribute { protected override bool AuthorizeCore(HttpContextBase httpContext) { string[] users …

AngularJS clientside routing and token authentication with webapi

Whether to use cookie authentication or (bearer) tokens still depends on the type of app you have. And as far as I know there aren't any best practices yet. But since you are working on a SPA, and are already using a JWT library, I would favor the token-based approach. Unfortunately, I cannot help …