Security concern with passed credentials #6
Comments
Thanks for the feedback.
I never thought about proxying an external AS. Yeah, it can be an issue. In fact the first goal of putting the AS behind Zuul is to take advantage of load balancing and get a more resilient AS (we can spawn multiple instances of the AS, load balanced by Zuul).
I'm not a security expert. At first view I don't see any specific security breach because the AS is standalone and manages security by itself. But I can add a warning in addition to "this is currently a POC!"
Thank you!
First of all, I like your example a lot. It creates a nice illusion for browser users that they always interact with one single application. However, doesn't it neglect one of the key benefits (IMO) of OAuth, the avoidance of credential sharing? In the case when the AS is fully behind the proxy and all the login requests are passing the actual credentials through the proxy, won't it be a security concern? Especially when personnel access to the AS and the proxy is managed in a different way (i.e. the proxy is treated less seriously). In the case of an external AS such as Facebook it becomes even more dangerous.
Am I missing something, or is this a known limitation? If it is a limitation then mentioning it in the README would probably help a lot.
Thank you!
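To make the trust boundary in the question concrete, here is an added configuration sketch (not the sample project's own configuration) contrasting the two layouts. It assumes Spring Cloud Netflix Zuul route properties and Spring Boot's `security.oauth2.client.*` properties; the hostnames, ports and route names are placeholders. In the first layout the browser posts the login form to the gateway, so the password crosses the proxy in the request body and the proxy host has to be trusted exactly like the AS. In the second layout the AS's user-facing login and authorize endpoints are reached directly by the browser and only the back-channel API calls pass through Zuul, which removes that exposure at the cost of the single-host illusion the sample is built for.

```yaml
# Added illustration only; not the sample's configuration. All hosts/ports are assumed.

# Layout 1: AS fully behind Zuul (the sample's approach).
# Browser -> https://gateway.example.com/uaa/login -> Zuul -> AS
# The login POST body (username + password) traverses the Zuul host, so anyone
# who can read traffic or memory on the gateway can read credentials. Operate,
# patch and restrict access to the gateway with the same rigour as the AS.
zuul:
  routes:
    uaa:                                   # assumed route name
      path: /uaa/**
      url: http://uaa.internal:9999/uaa    # assumed internal AS address
      # Forward session cookies to the AS only if the AS must see them; the
      # default strips Cookie/Set-Cookie/Authorization.
      sensitiveHeaders: Cookie,Set-Cookie
server:
  port: 8080

---
# Layout 2: only API traffic is proxied; the AS is not routed through Zuul.
# Browser -> https://uaa.example.com/uaa/login (direct, TLS to the AS)
# The OAuth client is configured with the AS's public address, so the browser
# is redirected straight to the AS for authentication and the gateway never
# sees the user's password. The same applies for an external AS such as a
# social login provider: never put its login pages behind your own proxy.
zuul:
  routes:
    api:
      path: /api/**
      url: http://resource.internal:9000   # assumed resource server address
security:
  oauth2:
    client:
      client-id: gateway-client            # assumed client id
      user-authorization-uri: https://uaa.example.com/uaa/oauth/authorize
      access-token-uri: https://uaa.example.com/uaa/oauth/token
    resource:
      user-info-uri: https://uaa.example.com/uaa/user
```

Layout 2 is the one a reviewer would expect for an external AS; Layout 1 is acceptable only when the gateway and the AS sit in the same trust zone and are administered by the same people, which is the point the issue raises.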