
How to authenticate frontend application in AEM 6.5.13 in AMS

Level 9

I want to export AEM content to the frontend team. I am planning to export the content using Content as a Service. For security reasons we want to authenticate the AEM APIs and AEM Assets. For example, /content/my-site/welcome.modal.json and its DAM assets should be accessible by the frontend application.

 

In AEMaaCS we can get an authentication token from the Developer Console, which can then be shared with the frontend team. In the case of AMS, the AEM 6.5.13 world, what token should be shared with the frontend/external application? Does AEM 6.5 provide any OOTB authentication service to validate the frontend/external application?

9 Replies

Employee Advisor

When you write "authentication service to validate the frontend/external application", does that mean that the user (which is using this frontend application) is not required to authenticate, but only the application itself?

 

In other words, do you want only your frontend application to be able to access AEM content? And should it not be possible for me to download the same content using curl (or any other HTTP client)?

Level 9

Yeah, I want only the frontend application to access the AEM content. Basically I have a React app that will call AEM to get the content along with DAM assets. I want to allow only the React frontend to access the AEM content. My AEM content should be accessible other than the frontend application.

 

Can we control this at the dispatcher config level, or should we write a service in AEM to authenticate the caller (in this case the React frontend application)?

Employee Advisor

No, it is not possible. If you want your SPA to authenticate at AEM (the SPA, not the user!) then you need to store some token within the SPA which is then used for authentication. But everyone can extract that token and use it outside of the SPA.

 

If your content is publicly available, you cannot ensure that only a specified http client can access it, unless you require the authentication of the user.

Level 9

How about using the Apache Sling Referrer Filter in AEM? AEM will reject the request if the frontend application is not allowed in "Allow Host".

 

Is this not sufficient to control the frontend application? Do we really need OAuth-style authentication?

Employee Advisor

That does not help, because it can easily be spoofed. I just record a request in the browser and then send the same request (including all parameters) using curl. In this case it's not possible to distinguish curl from the browser running your FE application.

 

If your backend requires authentication it can only detect which user is accessing it. It can never reliably detect if it's a smartphone, a desktop browser or a simple http client like curl. But in the majority of the cases this does not matter at all.
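The distinction the Employee Advisor draws above, shown as an added example that is not part of the original thread and not Adobe's or AEM's own code. AEM itself would implement this as a Java/OSGi filter; the Python below is a language-neutral illustration of the two server-side gates. It assumes constructed request headers, a constructed HMAC secret and a simple signed-token format (all hypothetical). A Referer allow-list only inspects a header every HTTP client can set, so a browser request and its replay from another client are indistinguishable; a signed per-user token also passes when replayed, but it binds the request to an authenticated user, which is the only property the backend can rely on.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def referer_gate(headers, allowed_hosts):
    """Admit a request when its Referer host is on an allow-list.

    This mirrors the shape of a Referrer Filter "Allow Host" check. The
    Referer header is supplied by the client, so the server learns nothing
    about which client sent it.
    """
    referer = headers.get("Referer", "")
    host = urlparse(referer).hostname or ""
    return host in allowed_hosts


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_user_token(user, secret, ttl_seconds, now):
    """Hypothetical token format: base64url(JSON claims) + '.' + HMAC-SHA256 hex."""
    payload = json.dumps({"sub": user, "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return _b64(payload) + "." + sig


def verify_user_token(token, secret, now):
    """Return the authenticated user, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = _unb64(payload_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def auth_gate(headers, secret, now):
    """Admit a request only with a valid bearer token; returns the user or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_user_token(auth[len("Bearer "):], secret, now)


def evaluate(requests, allowed_hosts, secret, now):
    """Run both gates over a set of labelled requests and report what each one learns."""
    return {
        label: {
            "referer_gate": referer_gate(headers, allowed_hosts),
            "authenticated_user": auth_gate(headers, secret, now),
        }
        for label, headers in requests.items()
    }


if __name__ == "__main__":
    now = int(time.time())
    token = issue_user_token("alice", SECRET, 3600, now)
    # Constructed requests: the SPA in a browser, the identical request replayed
    # from a plain HTTP client, and a request that only copies the Referer value.
    sample = {
        "browser": {"Referer": "https://spa.example.com/", "Authorization": "Bearer " + token},
        "replayed": {"Referer": "https://spa.example.com/", "Authorization": "Bearer " + token,
                     "User-Agent": "curl/8.0"},
        "referer_only": {"Referer": "https://spa.example.com/", "User-Agent": "curl/8.0"},
    }
    for label, result in evaluate(sample, {"spa.example.com"}, SECRET, now).items():
        print(label, result)
```

The `evaluate` output makes the thread's conclusion concrete: the Referer gate admits all three requests, while the token gate attributes the first two to `alice` and rejects the third. Neither gate can tell the browser from the replay; what the token buys the backend is a user identity to authorize, audit and revoke.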