Add accessToken support

[ritch]

Clients should set the Authorization header using the current user's accessToken.id. This will require a couple of new APIs in loopback and strong-remoting.

Related: strongloop/strong-remoting#105 and strongloop/loopback-example-offline-sync#45

[bajtos]

To support OAuth2-based authentication, the connector should probably support authentication via cookies too.

[bajtos]

strongloop/strong-remoting#105 (comment)
I find this rather difficult to use, it took me quite a lot of debugging to find out where exactly the token should be set. I think we should add some sugar API to make this easier

app.dataSources.remote.connector.remotes.auth = {
  bearer: new Buffer(token).toString('base64'),
  sendImmediately: true
};

[BerkeleyTrue]

👍 for sugar

[bajtos]

Ideally, the connector should detect login and logout methods and update the access token automatically. Perhaps emit an event so that user code can install an event handler to persist the token in the local storage.

[lius]

The subject discussed here applies to the following scenario?

A user (using a client/browser) needs to access a model that do not exists in backend "local" database, which access another LB instance through remote connector to fetch the data.

Problem: the first backend (who receives browser requests) needs to access the remote one using the user access token, so the remote ACLs, validation and business logic could apply correctly. If I understand well, the access token used by remote connector is done at datasource level (e.g. in a boot script), but in this scenario it should be done dynamically, according to the access token sent by the browser for each concurrent request.

[bajtos]

Problem: the first backend (who receives browser requests) needs to access the remote one using the user access token, so the remote ACLs, validation and business logic could apply correctly. If I understand well, the access token used by remote connector is done at datasource level (e.g. in a boot script), but in this scenario it should be done dynamically, according to the access token sent by the browser for each concurrent request.

So you have a proxy-like server that receives a client request from a browser and you want to forward it to another loopback backend, while preserving the identity (authentication) of the client that made the request. Like for example, to forward the Authentication header. Is my understanding correct?

The discussion above deals only with the client side (e.g. in the browser), so that User.login automatically updates the authentication settings for all subsequent requests made through the same datasource.

[lius]

@bajtos Ok, thanks. The scenario I mentioned is ok conceptually and should be moved to another issue on remote connector?

[bajtos]

@lius The scenario I mentioned is ok conceptually and should be moved to another issue on remote connector?

Yes please.

[waldemarzahn]

hi @ALL
i have the same problem with some different loopback apis. I have implemented a small middleware to handle the auth token with different remote apis.

https://www.npmjs.com/package/loopback-rest-remote-auth-token

Tests are very welcome ;)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.