Usage: Browser App to Resource Server Requirements
Background & Business Value
This is the same use case as Usage: Browser App w/ User to Resource Server Requirements, except that the Browser (instead of the Web Application Server) makes the calls directly to the API Gateway. This means that the Web App Authentication/Access Token must be available within the browser. This is a security risk, because browsers are insecure endpoints. The Campus API Gateway team does not recommend this scenario and instead suggests the scenario described in Usage: Browser App w/ User to Resource Server Requirements. However, if the risk is acceptable to your application, then ...
Real World Scenario: An Engineering browser application needs to look up the registration status for a given student. The web application will need to call through the API Gateway to the Registrations service. The Registrations service will need to know who the client application is in order to limit the scope of students that can be looked up (i.e. the Engineering web app can only look up Engineering students).
Goals
Out of Scope
Assumptions
Requirements
Must meet all requirements of Usage: Application to Resource Server Requirements
| Ticket(s) | Title | User Story | Priority | Notes |
|---|---|---|---|---|
| | Access Tokens used in Browser | As an Application Developer, I need the authentication/access tokens generated by the authentication system to be usable from the browser. | MUST HAVE | |
User Interaction, Design & Architecture
Please refer to Usage: Application to Resource Server Requirements for a comparison with the standard use case.
Please refer to Usage: Browser App to Campus API Gateway Requirements for a comparison of how a Browser changes the standard usage of the Authentication/Access Token.
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|