OAuth2.0 Authorization implementation in AEM project | Community
Level 7
February 13, 2024

OAuth2.0 Authorization implementation in AEM project

  • 1 reply
  • 1702 views

Hello Team,

If anyone has implemented OAuth2.0 Authorization in an AEM application, can I get some insights?

I was reading this article: https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2

Got many details from this article. Still, I have a few queries.

1: Saving the access token and refresh token on the server side, rather than in browser cookies. How to achieve this? Where to save these details on the server? Since the access token and refresh token are not user specific, they are application specific. So, there is no point in saving them in browser cookies. Is this related to Session Cookies? https://cookie-script.com/blog/session-cookies#:~:text=and%20Session%20Cookies-,Working%20principle,the%20client's%20and%20server's%20sides.

cc @imran__khan you have coined "server side cookie" in some other article. If you don't mind, is it possible for you to elaborate?

-Thanks


1 reply

Level 7
February 13, 2024

Hi @imran__khan

So, is HttpSession the solution? As per googling,

The key difference between sessions and cookies is that sessions are saved on the server side while cookies are saved on the client side.

So, if I used HttpSession, then the value is saved on the server side? Are the same values (access token, refresh token) used for multiple users' requests?

I mean, every user will not have a separate access token and refresh token in the above case. In my case, I am trying to access an Adobe Analytics report from an AEM application. For every user, this access token and refresh token remain the same. So, is HttpSession the right solution?

Heard about the jargon used for this: server side cookie.

So, a bit confused about the right approach here. Sorry if I am asking a very dumb query.

cc @veenavikraman @briankasingli @kautuk_sahni

Imran Khan
Community Advisor
February 13, 2024

@mahesh_gunaje 
I might be wrong about the cookie. I was mentioning that you can also create a cookie using Java code in the backend.
So, if I used HttpSession, then the value is saved on the server side? Are the same values (access token, refresh token) used for multiple users' requests? -> It is nowhere mentioned, as you have been looking for in this use case, to have a common access and refresh token. I have always used OAuth2.0 to authenticate a user for login, or to fetch user, product and other data using the access token.

Now, let's come to your question about having a common location for the access and refresh tokens:

1. Please encrypt the access and refresh tokens using any of the multiple available algorithms.
2. Send it to the FE, or you can also create a cookie from the backend to store it.
3. Decrypt the cookie every time you get a request from the FE.
4. Make the call to access the third-party system.
5. If the access token expires, make a call to get a new access token using the refresh token.
6. Repeat step number 4.
7. Return the data to the FE.

Note: To have a common one for all users we don't require a cookie; in place of this we can store it somewhere in AEM and maintain it using a sticky session for multiple instances.

I hope it helped !!!
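A server-side holder for the application-level token pair that the reply's note describes (stored in AEM, never sent to the browser), with the refresh-on-expiry loop of steps 4 to 6, as an added example that is not code from this thread or from AEM. It is plain Java 17; the provider's refresh request is abstracted behind the hypothetical RefreshCall interface, and in AEM the class would be registered as a singleton OSGi service.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.locks.ReentrantLock;

/** Holds one application-wide OAuth 2.0 token pair on the server and refreshes it when it expires. */
public final class AppTokenStore {

    /** Token material returned by the provider (constructed shape; adapt to the real token response). */
    public record TokenPair(String accessToken, String refreshToken, Instant expiresAt) {}

    /** Hypothetical stand-in for the HTTP POST to the provider's token endpoint with grant_type=refresh_token. */
    @FunctionalInterface
    public interface RefreshCall {
        TokenPair refresh(String refreshToken) throws Exception;
    }

    // Refresh a little before the real expiry so an in-flight request never carries a dead token.
    private static final Duration SKEW = Duration.ofSeconds(60);

    private final RefreshCall refreshCall;
    private final Clock clock;
    private final ReentrantLock lock = new ReentrantLock();
    // Lives only in server memory; it is never written to a cookie, a response or a log line.
    private volatile TokenPair current;

    public AppTokenStore(TokenPair initial, RefreshCall refreshCall, Clock clock) {
        this.current = initial;
        this.refreshCall = refreshCall;
        this.clock = clock;
    }

    /** Returns a usable access token, refreshing at most once even when many requests arrive at the same time. */
    public String accessToken() throws Exception {
        TokenPair t = current;
        if (!isExpiring(t)) return t.accessToken();
        lock.lock(); // one thread performs the refresh; the others wait and then reuse its result
        try {
            if (isExpiring(current)) {
                current = refreshCall.refresh(current.refreshToken());
            }
            return current.accessToken();
        } finally {
            lock.unlock();
        }
    }

    private boolean isExpiring(TokenPair t) {
        return !Instant.now(clock).plus(SKEW).isBefore(t.expiresAt());
    }
}
```

Because every user's request reads the same `current` value, no per-user HttpSession or cookie is involved; a request only ever sees the access token, and the refresh token stays inside the store.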