
Make AuthServer stateless

Open yaytul opened this issue 9 years ago • 2 comments

As per the discussion in issue #16, please refrain from using HttpSession and make authentication work stateless.

yaytul avatar Nov 07 '16 22:11 yaytul

I have to keep in mind how to keep XSRF security and how to handle it without a session. I think we can simply store the needed information inside the JWT token, but I have to check.

Moreover, the api-gateway also creates a session for XSRF; it would be good to avoid it if possible.

Or, if not, switch to spring-session with a dedicated store like Redis.

kakawait avatar Nov 08 '16 06:11 kakawait

@yaytul What is your use case? If you are going for a single page app with a set of ReST APIs and the resource owner credentials flow, then you can remove the XSRF protection, since it doesn't apply to a ReST API. That would remove the need for the stateful HttpSessionCsrfTokenRepository.

kentoj avatar Apr 13 '17 15:04 kentoj
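Added example, not code from the uaa-behind-zuul-sample project or from any of the commenters: two Spring Security configuration classes (each would live in its own file) showing the two stateless options raised in this thread. The first is the resource-server shape kentoj describes, with no HttpSession and CSRF disabled; that is only safe because the credential is a bearer token in the Authorization header, which a browser never attaches on its own, so a cross-site form post cannot ride on it. The second is for an edge such as the api-gateway that still authenticates with a cookie: there CSRF protection is still required, but the session-backed HttpSessionCsrfTokenRepository can be swapped for CookieCsrfTokenRepository (a double-submit cookie) so no session is created. It assumes the spring-security-oauth2 ResourceServerConfigurerAdapter API of the 2016-era stack; the class names, the resource id "api" and the /api/** path are illustrative.

```java
package example;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Option 1: bearer-token resource server, fully stateless, no CSRF filter.
// (Illustrative class name; "api" and "/api/**" are assumed values.)
@Configuration
@EnableResourceServer
public class StatelessResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(true): never fall back to an HttpSession; every request
        // must present its own token. This is what makes the server stateless.
        resources.resourceId("api").stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Never create a session, so there is nothing server-side for the
            // container (or HttpSessionCsrfTokenRepository) to keep.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Safe only because authentication is an Authorization: Bearer
            // header. Browsers do not add that header to cross-site requests,
            // so a forged request arrives unauthenticated and is rejected.
            // If a cookie ever becomes the credential here, re-enable CSRF.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll();
    }
}

// Option 2: a cookie-authenticated edge (the gateway case) that still needs
// CSRF protection but without an HttpSession. Illustrative class name.
@Configuration
class StatelessGatewayCsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf()
                // Double-submit cookie: the server sets XSRF-TOKEN (readable
                // by JS, hence withHttpOnlyFalse) and the SPA echoes it back in
                // the X-XSRF-TOKEN header on state-changing requests. The
                // comparison is cookie-vs-header, so no server-side state.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A quick check that the first configuration really is stateless: call an /api/** endpoint with a valid bearer token and confirm the response carries no Set-Cookie header for JSESSIONID; if one appears, something else in the filter chain (for example a leftover CSRF or session filter on the gateway) is still creating sessions. Note that the double-submit cookie in option 2 only defends against CSRF if the attacker cannot set cookies for the site, so it should not be used across subdomains an attacker can control.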