OAuth Authentication and Reverse Proxy managed cookies to maintain session and state

While REST conventions do not exclude sessions and associated cookies for tracking state, their use and dependency should generally be minimized.

However, the Authentication Service Framework is designed to support traditional browser client use cases in addition to REST API clients. The framework also integrates with Context Based Authorization (CBA) policy enforcement, which has some dependency on server-side state maintenance. This section discusses configuration-based options that remove the need for clients to maintain and track session cookies associated with the Authentication Service Framework.

For general REST API use cases, OAuth usage has become standard for authorized access to API resources. The Security Access Manager appliance-based reverse proxy supports a configuration option named oauthauth. Its associated settings enable the reverse proxy point of contact to treat issued OAuth bearer tokens as a form of authentication. The reverse proxy can manage and reference authenticated sessions based on the presence of an OAuth access token within the "Authorization" header of a client request. This feature effectively removes the need for clients to include the PD* cookies that represent an authenticated session.

The following reverse proxy configuration file options are suggested:

easenabled = false
oauthauth = https
requirempa = no

[session-http-headers]
Authorization = https

The managed cookies list feature enables the reverse proxy to manage protected resource cookies on behalf of the client. As a result, cookies returned from a protected backend resource server are not seen by the requesting client. Instead, the reverse proxy stores these cookies and sends them as needed on the client's behalf. When OAuthAuth is combined with reverse proxy managed cookies, the need for the client to maintain cookies is removed. The combined settings also result in a typical OAuth client design and implementation, where a valid access token alone enables access to protected resources.

The following reverse proxy configuration file options are suggested to support reverse proxy managed client sessions:

[junction:/mgaapi]
managedcookieslist = *JSESSIONID*,PD_*
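The following Python model illustrates the combined behaviour described above: bearer-token authentication at the point of contact (the oauthauth setting) and server-side holding of backend cookies that match the managed cookies list. It is an added example written for this page, not Security Access Manager code; the token store, the BearerAuthProxy and StatefulBackend classes, the X-Auth-User header and the request/response dictionaries are all constructed assumptions standing in for the appliance's real token validation, junction handling and HTTP stack.

```python
"""Model of a reverse proxy that authenticates REST clients by OAuth bearer
token and keeps backend cookies server-side (added example, not product code)."""
import fnmatch
from http.cookies import SimpleCookie

# Glob patterns in the spirit of the managedcookieslist setting on this page.
MANAGED_COOKIE_PATTERNS = ["*JSESSIONID*", "PD_*"]

# Constructed token store standing in for validation against the OAuth server.
VALID_TOKENS = {"tok-alice-123": "alice"}


def is_managed_cookie(name, patterns=MANAGED_COOKIE_PATTERNS):
    """True when the cookie name matches one of the managed-cookie globs."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


class BearerAuthProxy:
    """Reverse proxy model: one server-side session per valid access token."""

    def __init__(self, validate_token, patterns=MANAGED_COOKIE_PATTERNS):
        self.validate_token = validate_token   # token -> user name or None
        self.patterns = patterns
        self.sessions = {}   # access token -> {"user": str, "cookies": {name: value}}

    def handle(self, request, backend):
        headers = request.get("headers", {})
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        user = self.validate_token(token) if scheme == "Bearer" and token else None
        if user is None:
            # No valid bearer token: challenge, never fall back to cookies.
            return {"status": 401, "headers": {"WWW-Authenticate": 'Bearer realm="api"'},
                    "set_cookie": [], "body": ""}
        session = self.sessions.setdefault(token, {"user": user, "cookies": {}})

        # Forward to the junction: drop any client Cookie/Authorization headers,
        # attach the cookies held for this session, assert the identity
        # (X-Auth-User is a constructed header name for this model).
        fwd_headers = {k: v for k, v in headers.items()
                       if k.lower() not in ("cookie", "authorization")}
        if session["cookies"]:
            fwd_headers["Cookie"] = "; ".join(f"{n}={v}" for n, v in session["cookies"].items())
        fwd_headers["X-Auth-User"] = user
        resp = backend({"path": request["path"], "headers": fwd_headers})

        # Keep managed cookies in the session; let all other cookies pass through.
        passthrough = []
        for raw in resp.get("set_cookie", []):
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                if is_managed_cookie(name, self.patterns):
                    session["cookies"][name] = morsel.value
                else:
                    passthrough.append(raw)
        return {"status": resp["status"], "headers": resp.get("headers", {}),
                "set_cookie": passthrough, "body": resp.get("body", "")}


class StatefulBackend:
    """Constructed backend that issues a JSESSIONID on first visit and expects it after."""

    def __init__(self):
        self.counter = 0
        self.live = set()

    def __call__(self, request):
        jar = SimpleCookie()
        jar.load(request["headers"].get("Cookie", ""))
        sid = jar["JSESSIONID"].value if "JSESSIONID" in jar else None
        if sid in self.live:
            return {"status": 200, "set_cookie": [],
                    "body": f"hello again {request['headers']['X-Auth-User']}"}
        self.counter += 1
        sid = f"S{self.counter}"
        self.live.add(sid)
        return {"status": 200, "body": "new session",
                "set_cookie": [f"JSESSIONID={sid}; Path=/; HttpOnly", "theme=dark; Path=/"]}


def run_demo():
    """Two bearer-only calls from the same client, then one without a token."""
    proxy = BearerAuthProxy(VALID_TOKENS.get)
    backend = StatefulBackend()
    with_token = {"path": "/mgaapi/info", "headers": {"Authorization": "Bearer tok-alice-123"}}
    first = proxy.handle(with_token, backend)
    second = proxy.handle(with_token, backend)   # client sent no cookies at all
    anonymous = proxy.handle({"path": "/mgaapi/info", "headers": {}}, backend)
    return first, second, anonymous, proxy.sessions


if __name__ == "__main__":
    for r in run_demo()[:3]:
        print(r["status"], r["body"], r["set_cookie"])
```

The point to observe is the second call: the client presents only the bearer token, yet the backend sees its JSESSIONID because the proxy replays it from the session; the JSESSIONID never reached the client, while the unmanaged theme cookie did. In the appliance the session is bound to the token's validity as determined by the OAuth server, which this model reduces to a dictionary lookup.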