About stuartruiz

stuartruiz · 03-13-2020

I am currently building a login app that implements the authorization code grant type (3-legged OAuth).I have it working, where a calling app calls a /authorize endpoint, the login app verifies credentials and gets an authorization code, then the log...

stuartruiz · 03-13-2020

I am building a login app that uses the authorization code grant type (3-legged OAuth) and am wondering how other people have solved the login app handling the public ClientId of the apigee app. The first two legs of the flow (/authorize and /authori...

stuartruiz · 06-10-2020

So it seems most of these solutions simply set the CORS headers to "*" allowing any, possibly malicious, user to access them. I see the logic in that these are simply error messages so the concern is lowered, but it feels like a possible security fla...

stuartruiz · 06-10-2020

So it seems most of these solutions simply set the CORS headers to "*" allowing any, possibly malicious, user to access them. I see the logic in that these are simply error messages so the concern is lowered, but it feels like a possible security fla...

stuartruiz · 03-16-2020

Ah, so we are taking advantage of the fact that only our internal apps have the secret key to our separate apigee app, and using that as a signature to verify only approved users are calling the /code endpoint. That makes sense. I saw in another reso...

stuartruiz · 03-13-2020

A lot to unpack here, greatly appreciate the in-depth explanation. Wouldn't the calling app and login app be two different Apigee Apps though? And thus an authorization code generated using ClientId+Secret of the Login app not be valid to create an a...

stuartruiz · 03-13-2020

Very informative response, thank you for taking the time. I like the simplicity of passing by header but that may have more to do with my unfamiliarity with Apigee than the solution's merits. I see the authorize session in the diagram you linked, but...

My Stats

stuartruiz's Bio

Badges stuartruiz Earned

Recent Activity

Questions on Security for Authorization Code Grant Type

Passing ClientId in 3-legged OAuth (Authorization Code Grant Type)

Re: Request to an Apigee API from angular 6 throwing 401 (Unauthorized) error

Re: Add headers (cors) to 401(etc) invalid token response

Re: Questions on Security for Authorization Code Grant Type

Re: Questions on Security for Authorization Code Grant Type

Re: Passing ClientId in 3-legged OAuth (Authorization Code Grant Type)