on 04-26-2021 11:01 AM
Greetings,
I have a server built on express.js. I implemented a basic authentication flow in my application using the local strategy from passport.
The user sends a POST request for signup to my server. I save the credentials in my HANA database after encryption.
When a user sends a login request it checks for the credentials in HANA and sends the appropriate response to the user. This is my current flow.
I was exploring the XSSEC module in Node.js and I tried to implement it. I'm using the default strategy which I found in the example:
const express = require("express");
const passport = require("passport");
const xssec = require("@sap/xssec");
const xsenv = require("@sap/xsenv");
const app = express();
app.use(passport.initialize());
// Register xssec's JWT strategy, bound to the xsuaa service instance read from VCAP_SERVICES
passport.use("JWT", new xssec.JWTStrategy(xsenv.getServices({
  uaa: {
    tag: "xsuaa"
  }
}).uaa));
When I tried to access my dummy route (GET "/dummy") it sends me an unauthorised response in Postman. After exploration I was able to get the token from the UAA instance.
While doing the configuration of my Postman request I have to send my credentials in the Access Token URL: /oauth/token?grant_type=password&username=dummy@dummy.com&password=dummy
These are my SAP Cloud Platform credentials; if they are wrong then I'll not be able to get the token.
My question:
My application is hosted on SAP Cloud Platform and the users are general public. The application is very similar to Facebook or Twitter.
I want to use my HANA database as the source instead of SAP Cloud Platform. How do I do that? Is it possible, or should I continue with my current implementation?
I hope the question is clear, if not let me know in the comments.
Thanks
Hi,
first: yes, you should protect your server endpoints with xssec and JWTStrategy.
second: to authenticate, there are several possibilities. It is not required to send the pw in the URL.
Typically, user-centric applications do use the approuter. The user will hit the approuter and the approuter will help with login. The approuter takes care of sending the login screen.
There's a little series of tutorials for approuter-beginners, please check here:
https://blogs.sap.com/2019/06/13/sap-cloud-platform-backend-service-tutorial-24-understanding-app-ro...
I can send you a few more examples for securing your app endpoint with JWTStrategy.
However, I cannot answer your question about where your users are stored. The XSUAA server is connected to an IDP which stores your users, so you wouldn't do it manually.
If you try it in Trial, you can add users manually in the Cloud Platform cockpit.
Cheers,
Carlos
Question:
As I can't add my users manually in the production Cloud Platform cockpit, the application can have 10s of thousands of active users.
It seems an IDP is required if I want to use XSUAA and the xssec node module. If I don't have it, then either I create my own custom IDP or I do not use XSUAA for my app.
Is my understanding correct?
Thanks.