From 20a6b779c2601bb41e6718da21ac99d232cb2c61 Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 17 May 2022 14:30:30 -0600 Subject: add notes on CORS --- learn/authz/README.md | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/learn/authz/README.md b/learn/authz/README.md index f847cf7..ad701f3 100644 --- a/learn/authz/README.md +++ b/learn/authz/README.md @@ -107,7 +107,7 @@ Content-Type: application/json } ``` -Example Flow: +## API Gateway Example Flow ```plaintext ||======================================================|| 
@@ -234,6 +234,47 @@ Propagating User Context ||=====================|========================|| ``` + +* The API Gateway pattern is used to expose microservices to client applications + as APIs. +* The API gateway helps to expose microservices of different flavors by using a + consistent and easy-to-understand interface to the consumers of these + services. +* Protocols such as basic authn and mTLS are not sufficient to secure API's. +* An access token can be a reference token or a self-contained token (JWT). If + it is a reference token, the gateway has to talk to the issuer to validate it. +* Self contained tokens need short TTL's mitigate token revocation. + +### Same Origin Policy + +Cross origin resource sharing (CORS) is the exception to the same-origin policy. +It allows an app running on `localhost:4200` to access resources on +`localhost:8080`. Web browsers use the `OPTIONS` HTTP method along with special +HTTP headers to determine whether to allow or deny a cross-origin request. + +Before sending a request to a different origin the browser will send an HTTP +`OPTIONS` request to the resource on the particular origin. This is known as a +_preflight request_. The request includes the following HTTP headers: + +* `Access-Control-Request-Headers`: indicates the HTTP headers that the request + is about to send to the server. +* `Access-Control-Request-Method`: indicates the HTTP method about to be + executed by the request (e.g. `GET`). +* `Origin`: indicates the origin of the web application. (e.g. `http://localhost:4200`) + +The server responds to the preflight request with the following headers: + +* `Access-Control-Allow-Credentials`: indicates whether the server allows the + request originator to send credentials in the form of authorization headers, + cookies, or TLS client certificates. (e.g. `true` or `false`) +* `Access-Control-Allow-Headers`: indicates the list of headers allowed by the + particular resource on the server. 
+* `Access-Control-Allow-Methods`: indicates the list of HTTP methods allowed by + the particular resource on the server. +* `Access-Control-Allow-Origin`: indicates the cross-origin allowed by the + server. +* `Access-Control-Max-Age`: indicates for how long to cache the preflight request. + ## Glossary * PAP: Policy Administration Point. @@ -246,6 +287,9 @@ Propagating User Context * OP: OpenID Provider is the OAuth 2.0 Authorization Server that is capable of Authn and providing claims to a RP about the authn event and User. * STS: Security Token Service +* `X-Forwarded-For` HTTP header field is a common method for identifying the + originating IP address of a client connecting to a web server through an HTTP + proxy or load balancer. [1]: https://datatracker.ietf.org/doc/html/rfc7662#section-2 [2]: https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens -- cgit v1.2.3
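Review bot: the preflight description in the `Same Origin Policy` hunk is stated too broadly. The browser does not send an `OPTIONS` request before every cross-origin request, only before requests that are not "simple" in CORS terms (a method other than GET, HEAD or POST, a non-safelisted header such as `Authorization`, or a `Content-Type` such as `application/json`); simple requests go straight to the server carrying an `Origin` header, and the browser then decides from `Access-Control-Allow-Origin` on the actual response whether the page may read it. Suggest qualifying `Before sending a request to a different origin the browser will send an HTTP` to say this happens for non-simple requests. In the same hunk, the section is titled `### Same Origin Policy` but never defines the policy; one sentence before `Cross origin resource sharing (CORS) is the exception to the same-origin policy.` stating that an origin is the scheme, host and port triple and that a page may by default only read responses from its own origin would make the exception meaningful. Under `Access-Control-Allow-Origin` it is worth recording that the value is a single origin or `*`, that browsers reject `*` when `Access-Control-Allow-Credentials: true` is also set, and that a server which echoes the request's `Origin` must check it against an allowlist and add `Vary: Origin`; since CORS is enforced by the browser, it does nothing against non-browser clients, so the gateway still needs the token validation described in the bullets above it. Minor: `* Self contained tokens need short TTL's mitigate token revocation.` is missing a verb and inverts the point (the short TTL compensates for the difficulty of revoking a self-contained token, so `need short TTLs to mitigate the lack of revocation`), `API's` should be `APIs`, `Access-Control-Max-Age` caches the preflight result in seconds rather than the request, and the API gateway bullets read as belonging under the new `## API Gateway Example Flow` heading rather than at the end of `Propagating User Context`.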
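Review bot: the new `X-Forwarded-For` glossary entry should carry the caveat that the header is written by whoever sends the request and is only trustworthy for the hop appended by a proxy or load balancer you control; a client can supply its own `X-Forwarded-For` value, so any authz rule that keys on client IP (an allowlist, for instance) must read only the entry added by the trusted proxy and ignore the rest. Style: the other glossary lines use `TERM: definition`, so `* `X-Forwarded-For`: HTTP header field ...` would match `* STS: Security Token Service`.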