I was trying to protect an Angular application (a single page application) with ISAM and I discovered an undesired issue during the implementation. In this post I want to share the problem with you and propose a possible workaround!
The AAC module of ISAM makes it possible to register an application under a specific API definition and to obtain a client_id and a client_secret. If the user wants to access a resource that has been protected with OAuth 2.0, they need an access token.
The access token can be obtained as follows. First, authenticate the user against WebSEAL and store the session cookie in a cookie jar:
curl -v -k -i -b "C:\...\cookieJar.txt" -c "C:\...\cookieJar.txt" -d "username=testuser&password=Passw0rd&login-form-type=pwd" "https://isam_domain/pkmslogin.form"
Then call the authorize endpoint with the same cookie jar to obtain an authorization code:
curl -i -v -k -b "C:\...\cookieJar.txt" -c "C:\...\cookieJar.txt" -H Content-Type:application/x-www-form-urlencoded "https://isam_domain/mga/sps/oauth/oauth20/authorize?response_type=code&client_id=app&client_secret=app"
Finally, exchange the code for an access token at the token endpoint:
curl -v -k -i -b "C:\...\cookieJar.txt" -c "C:\...\cookieJar.txt" -d "grant_type=authorization_code&code=RN5CiOkhJOKgj2TuuMD3xVpnKpkZeVrjOg86FdwdWs2j0WwZcdydWuMnhnQk&client_id=app&client_secret=app" "https://isam_domain/mga/sps/oauth/oauth20/token"
This is the message you get if you use the same cookie jar for all three calls (in order to simulate a single page application, where the browser sends the session cookie with every request):
authenticated client id: [testuser] does not match the client id in the request body: [app]."}
"app" is the name of the client associated with the API definition and "testuser" is the username of the authenticated user!
Angular applications run in the browser and, as usual for browsers, every HTTP request carries all the cookies that belong to the same domain. Unfortunately the /token endpoint doesn't work if we invoke it with a WebSEAL session cookie (PD-H-SESSION-ID or PD-S-SESSION-ID), because it expects the request to come from a mobile application, which natively doesn't use cookies: as the error above shows, when the session cookie is present ISAM treats the already-authenticated user as the client and rejects the client_id sent in the body. So what now? How can I obtain an access_token as JSON from an application that runs in the browser?
At the moment I am using an HTTP transformation rule that removes the PD-H-SESSION-ID cookie every time WebSEAL receives a POST request to /mga/oauth/oauth20/token:
<?xml version="1.0" encoding="UTF-8"?>
<!-- The xsl:stylesheet / xsl:template / HTTPRequestChange wrapper is reconstructed here; the post showed only the Cookie element -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:strip-space elements="*" />
<xsl:template match="/">
<HTTPRequestChange><Cookie name="PD-H-SESSION-ID" action="remove" /></HTTPRequestChange>
</xsl:template>
</xsl:stylesheet>
At the moment everything is working well... but of course I think this is an ISSUE that IBM needs to face as soon as possible, because Angular applications are spreading rapidly!
What do you think about it? Do you have other ideas?
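As an added example (not code from the original post, nor IBM's), here is a browser-side alternative to the WebSEAL transformation rule: the SPA performs the token request itself with the Fetch API and credentials: "omit", which tells the browser not to attach any cookie, including the same-origin PD-H-SESSION-ID, to that one request. It assumes the token endpoint and form parameters shown in the curl commands above; the client id/secret and the authorization code are placeholders, and the fetch implementation is injectable so the flow can be exercised offline.

```javascript
// Added example, not part of the original post. Assumes the ISAM token
// endpoint from the curl commands; "isam_domain" and the credentials are
// placeholders to be replaced with real values.
const TOKEN_ENDPOINT = "https://isam_domain/mga/sps/oauth/oauth20/token";

// Build the request options for the authorization_code exchange.
function buildTokenRequest(code, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    // "omit" prevents the browser from sending any cookie on this request,
    // so ISAM never sees the PD-H-SESSION-ID and evaluates only the client
    // credentials carried in the body.
    credentials: "omit",
    body: body.toString(),
  };
}

// Exchange the authorization code for an access token. fetchImpl defaults to
// the browser's fetch but can be replaced with a stub for testing.
async function exchangeCode(code, clientId, clientSecret, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(TOKEN_ENDPOINT, buildTokenRequest(code, clientId, clientSecret));
  const payload = await response.json();
  if (!response.ok) {
    const detail = payload.error_description || JSON.stringify(payload);
    throw new Error(`token endpoint returned ${response.status}: ${detail}`);
  }
  return payload.access_token;
}
```

Angular's HttpClient is built on XMLHttpRequest, which always sends cookies on same-origin requests, so this has to be a direct fetch call rather than an HttpClient one. Keep in mind as well that a client_secret shipped inside browser code is visible to anyone who loads the page, so it cannot be treated as confidential.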