Handle Anonymous User Authorization & Session

Background

I’ve been experimenting with an Ember CLI app as a client to a platform that exposes various services via REST APIs. The platform supports OAuth2 & JWT and, according to their documentation, the client should follow the implicit grant flow.

Problem

The client needs to manage session handling that includes anonymous users (as well as authenticated users). All services require an Authorization: Bearer accessToken header to be present on requests to the API, even if the user is not authenticated. To get a token the following request is made:

GET /auth/anonymous/login

Example response:

{
  "access_token" : "#####-#####-#####-#####-#####-#####",
  "expires_in" : 3600,
  "token_type" : "Bearer",
  "scope" : "api-namespace.tenant=my-app"
}

My Thoughts

Because the platform supports OAuth2 & JWT, I have taken a look at Ember Simple Auth Token for authenticating users. This part of the integration has gone well.

Due to the anonymous login and all API calls needing an authorization header I’ve been experimenting with a few concepts; my current line of thinking is:

  • Create an anonymous-session service that encapsulates the response from the anonymous login endpoint
  • Create an initializer that checks for an authenticated session
  • When no session is found - call the anonymous login endpoint and write the response to anonymous-session.
  • anonymous-session is then injected into the application adapter and conditionally used to override the headers property of the application adapter.

I’ll give this a shot, but would love to hear any criticism of this design. If others have implemented similar workflows, I’d appreciate the wisdom.

Thanks.
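A framework-agnostic sketch of the anonymous-session idea in the post above, as an added example that is not part of the original post and is not Ember or Ember Simple Auth code. It caches the anonymous token, renews it shortly before `expires_in` elapses, shares one in-flight login between concurrent callers, and never sends the anonymous token when a user token exists. `AnonymousSession`, `fetchToken`, `skewSeconds` and `authorizationHeaders` are hypothetical names; `fetchToken` stands in for the `GET /auth/anonymous/login` call.

```javascript
// Added example: AnonymousSession and its options are hypothetical names,
// not part of Ember, Ember Simple Auth, or the platform's SDK.
class AnonymousSession {
  constructor({ fetchToken, now = () => Date.now(), skewSeconds = 60 }) {
    this.fetchToken = fetchToken; // async () => parsed JSON of the login response
    this.now = now;               // injectable clock, so expiry can be tested
    this.skewMs = skewSeconds * 1000;
    this.token = null;
    this.expiresAt = 0;
    this.pending = null;          // in-flight login shared by concurrent callers
  }

  // A token counts as fresh only until skewSeconds before its stated expiry.
  isFresh() {
    return this.token !== null && this.now() < this.expiresAt - this.skewMs;
  }

  async getToken() {
    if (this.isFresh()) return this.token;
    if (!this.pending) {
      this.pending = this.fetchToken()
        .then((res) => {
          // Reject anything that is not a usable Bearer token response.
          if (!res || res.token_type !== 'Bearer' || !res.access_token ||
              !(res.expires_in > 0)) {
            throw new Error('unexpected anonymous login response');
          }
          this.token = res.access_token;
          this.expiresAt = this.now() + res.expires_in * 1000;
          return this.token;
        })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  // Call after a 401 so the next request logs in again.
  invalidate() {
    this.token = null;
    this.expiresAt = 0;
  }
}

// Prefer the authenticated user's token; fall back to the anonymous one.
async function authorizationHeaders(userToken, anonymousSession) {
  const token = userToken || (await anonymousSession.getToken());
  return { Authorization: `Bearer ${token}` };
}
```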