0

What I am trying to do: Create protected Kitura endpoint and access it from iOS app, using App ID.

I managed to configure App ID on the Kitura server so that I can login and then access protected endpoint successfully.

I can login to the iOS demo app using same TenantId as Kitura server and get the tokens. That is, I can successfully login, but when I use raw auth token I can't access the protected endpoint on the server from the iOS app.

I have tried, using postman to set the header to:

Authorization = [sessionToken]

I have tried:

Authorization = Bearer [sessionToken]

I have tried this in the demo app after I get the tokens:

BMSClient.sharedInstance.initialize(bluemixRegion: AppID.REGION_UK)
BMSClient.sharedInstance.authorizationManager = AppIDAuthorizationManager(appid:AppID.sharedInstance)
var request:Request =  Request(url: "<your protected resource url>")
request.send(completionHandler: {(response:Response?, error:Error?) in
    //code handling the response here
})

hoping that maybe I set the token wrong in Postman and it will do the proper request.

But no matter what I do, every time I request the protected API from the iOS app, I get the login HTML in response.

What am I missing? Why can't I access private endpoint using iOS app session token?

Stanislav Goryachev
  • 81
  • 6

1 Answers1

0

Unfortunately, the current version of Server Swift SDK for the IBM Cloud App ID service does not support API Strategy. That means that you can't protect individual REST APIs. You can protect Web applications only.

vitalym
  • 61
  • 1
  • Allright, if I understand it correctly I don't really need App ID on Kitura server in this case (since I don't have web app), I just need to login on the iPhone using App ID SDK, pass the token with requests to Kitura backend and there roll my own middleware to validate the JWT token on request? – Stanislav Goryachev Jan 09 '18 at 15:53
  • Yes, you can do that. It's recommended to use a cryptography library to validate the tokens, but if you can't find one for Kitura, it's possible to use the introspection endpoint (https://appid-oauth.ng.bluemix.net/swagger-ui/#!/Authorization_Server_V3/introspect). The valid tokens should be stored in the cache to reduce the load on the authorization server. A simple example (not using cache) can be found here: https://github.com/mnsn/appid-python-flask-example/tree/master/Validation%20with%20token%20introspection%20endpoint – vitalym Jan 10 '18 at 17:46
  • Thank you for for the explanation and examples! – Stanislav Goryachev Jan 11 '18 at 13:51