Handle Anonymous User Authorization & Session


#1

Background

I’ve been experimenting with an Ember CLI app as a client to a platform that exposes various services via REST APIs. The platform supports OAuth2 & JWT and, according to their documentation, the client should follow the implicit grant flow.

Problem

The client needs to manage session handling that includes anonymous users (as well as authenticated users). All services require an Authorization: Bearer accessToken header to be present on requests to the API, even if the user is not authenticated. To get a token the following request is made:

GET /auth/anonymous/login

Example response:

{
  "access_token" : "#####-#####-#####-#####-#####-#####",
  "expires_in" : 3600,
  "token_type" : "Bearer",
  "scope" : "api-namespace.tenant=my-app"
}

My Thoughts

Because the platform supports OAuth2 & JWT, I have taken a look at Ember Simple Auth Token for authenticating users. This part of the integration has gone well.

Due to the anonymous login and all API calls needing an authorization header I’ve been experimenting with a few concepts; my current line of thinking is:

  • Create an anonymous-session service that encapsulates the response from the anonymous login endpoint
  • Create an initializer that checks for an authenticated session
  • When no session is found - call the anonymous login endpoint and write the response to anonymous-session.
  • anonymous-session is then injected into the application adapter and conditionally used to override the headers property of the application adapter.

I’ll give this a shot, but would love to hear any criticism of this design or if others have implemented similar workflows, I’d appreciate the wisdom.

Thanks.