Expand my Community achievements bar.

OAuth2.0 Authorization implementation in AEM project


Level 7

Hello Team,


If any one has implemented OAuth2.0 Authorization in AEM application, can I get some insights?

I was reading this article: https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2

Got many details from this article. Still I have few queries.


1: Saving access token and refresh token in server side, rather than browser cookies. How to achieve this? where to save this details in server??  Since, access token, refresh token is not user specific, its application specific. So, there is no point in saving in browser cookies. Is this related to Session Cookie? https://cookie-script.com/blog/session-cookies#:~:text=and%20Session%20Cookies-,Working%20principle,....


cc @Imran__Khan you have coined server side cookie in some other article. If you dont mind, is it possible for you to elaborate ?



4 Replies


Level 7

Hi @Imran__Khan 


So, HttpSession is the solution?  As per googling,

The key difference between sessions and cookies is that sessions are saved on the server side while cookies are saved on the client side.

So, if I used HttpSession, then the value is saved in server side? Same values(access token, refresh token is used for multiple users request?

I mean, every users will not have separate access token, refresh token in above case. In my case, I am trying to access Adobe Analytics report from AEM application. For every user, this access token, refresh token remains the same. So, HttpSession is the right solution?

Heard about the jargon user for : Server side cookie.

So, bit confused about the right approach here. Sorry, if I am asking very dumb query.

cc @VeenaVikraman  @BrianKasingli  @kautuk_sahni 


Level 10

I might be wrong for cookie.. I was mentioning you can create cookie using Java code also in backend.

So, if I used HttpSession, then the value is saved in server side? Same values(access token, refresh token is used for multiple users request? -> It is nowhere mention as you have been looking for this use case to have common access and refresh token. I always used OAuth2.0 to authenticate user for login or to fetch user, product and other data using access token.


Now, let's come to your question to have common location for access and refresh token:

1. Please encrypt access and refresh tokens using multiple available algorithms.
2. Send it to FE or you can also create a cookie form backend to store it
3. Decrypt the cookie every time you get the request from FE

4. Make call to access the third party system.

5. if access token expires, make a call to get access token using refresh token

6. repeat step number 4

7. return data to FE

Note: To have common for all users we dont require cookie in place of this we can store it somewhere in AEM and maintain it using sticky session for multiple instances.

I hope it helped !!!


Level 7

Hi @Imran__Khan 


Sorry for the confusion that I have created, and Kudos to your patience and dedicated effort to answer my query

Let me summarize my Query:

I have AEM website for anonymous user.( So, no registration, login, logout drama)

Now, I wanted to display Adobe Analytics report data in my AEM website homepage.

Each environment (lower + production) has separate client id, client secret.

Need to generate access token, refresh token for each site( this is irrespective of number of users visiting the site). Also, token expires after 24 hours.

Now, Solution 1:  Is it right to save the access token, refresh token  in user browser? (consider I have encrypted the tokens while saving in the browser cookie). In this case, each user's request will create separate access token, refresh token. Correct me if I am wrong.

Solution 2: Need to save the access token, refresh token in server side (This is common for all the users). if yes, how can I try this solution?


cc @VeenaVikraman  @BrianKasingli  @kautuk_sahni