Zero Trust Application communication
Hi all, I have a question regarding the Applications talking to each other.
I have two applications, with the same access policies. This means, when a user successfully authenticates on either application, they can access the other as well. Since a global cookie gets stored in the team domain, this seems to work perfectly. However:
The applications are set up as follows:
(app1) path: example.com/manage/* (=frontend)
(app2) path: example.com/api/* (=backend)
When the user successfully authenticates on app1, they can successfully access app2 manually.
Successfully authenticating on the front-end (app1) essentially means the user can access the api (app2) without any issue. However, my frontend is dynamic, so when a delete button or such is pressed, it will send out a request to the api. Whenever this happens, the api responds with its login page, as to make the user reauthenticate, even though the user is authenticated already. When opening the same link to the api in a tab manually, no reauthentication is necessary, and the request gets fulfilled.
My first thought was that this was an issue regarding cookies, but I can't seem to solve the issue. Given the two applications are on the same domain, I don't see how the cookies wouldn't be "shared".
Any ideas would be greatly appreciated
Thanks in advance!
cookies are shared only within one application, so you'd have to do something like example.com/* for both apps
multi domain and/or path apps were announced a while back, though I haven't seen them in the ui or api yet
Ah I see, so just combine them under the * and then make different applications to bypass the authentication?
Yeah I've really been looking forward to the multi-hostname feature
Welp I guess I'll make even more applications then. Thanks!
For now that's probably the best solution
FYI for future readers:
Using /* as path will result in stylesheets and such breaking, which is not very convenient; you would have to make A LOT of applications to cover your entire site.
Currently I fixed it by renaming the /manage/ partition to /admin/ and then using /a* as a path, which will include /admin/* as well as /api/*. Of course, each page or internal part starting with the letter a would be included as well, which you would then need to manually bypass with another application. I guess you could go as far as to rename protected parts to include a prefix "api", but of course that is aesthetically unpleasant...
I suppose this is the best way until multi-hostname support comes along. Alternatively you could either use a separate api for admin actions, or even a separate domain
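As an added illustration that is not from any poster in this thread, the constructed Python script below models how requests map onto path-based Access applications and why a per-application session cookie makes the frontend's fetch to the api land on the login page, then shows what the /a* workaround does and does not cover. The glob semantics (a "*" matching any run of characters, including "/") are an assumption for illustration, not the product's documented matching rules.

```python
import re

# Constructed, simplified model of self-hosted Access applications: each is a
# (name, host + path pattern) pair, checked in order. ASSUMPTION: "*" matches
# any run of characters including "/"; the real product's rules may differ.
APPS_SPLIT = [
    ("app1-frontend", "example.com/manage/*"),
    ("app2-backend", "example.com/api/*"),
]
APPS_MERGED = [
    ("admin+api", "example.com/a*"),   # the /a* workaround from the thread
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a path pattern with '*' wildcards into an anchored regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def route(apps, url: str):
    """Name of the first application whose pattern matches url, else None."""
    for name, pattern in apps:
        if pattern_to_regex(pattern).match(url):
            return name
    return None


def shares_session(apps, url_a: str, url_b: str) -> bool:
    """The session cookie is scoped to one application, so two URLs only share
    an authenticated session when they resolve to the same application."""
    a, b = route(apps, url_a), route(apps, url_b)
    return a is not None and a == b


if __name__ == "__main__":
    page = "example.com/manage/users"      # the page the user logged in on
    xhr = "example.com/api/users/42"       # the request the delete button sends
    print(route(APPS_SPLIT, page), "vs", route(APPS_SPLIT, xhr))
    print("shared session:", shares_session(APPS_SPLIT, page, xhr))  # False
    # After renaming /manage/ to /admin/ and using /a*, both land on one app.
    print("shared session:", shares_session(APPS_MERGED, "example.com/admin/users", xhr))
    # Side effect: any other path starting with "a" is pulled in as well.
    for extra in ("example.com/about", "example.com/assets/site.css", "example.com/blog"):
        print(extra, "->", route(APPS_MERGED, extra))
```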