
Looking for a solution to use the Here Maps javascript map app key (https://developer.here.com/documentation/maps/3.1.20.0/api_reference/H.service.Platform.html) safely while having multiple subdomains.

Currently we initialise the map as follows:

this.platform = new H.service.Platform({
    apikey: 'XXXX',
    useCIT: true,
    useHTTPS: true
});

The Here maps Javascript service asks for an api key to authenticate, and grants a GET when the api key is correct.

One of their safety methods is whitelisting, however we allow our users to create a subdomain like xxx.example.com, while accessing the same webapp.

One of HereMaps security options is the following:

  • with the option Create a trusted domain for your app credentials (Insert values without protocol)

This option does not seem to work because it doesn't allow * (*.example.com). I disabled this option to be able to use the here maps service, however I would rather add some security and not directly expose our APP ID.

I couldn't find a mention of oauth2 support for the here maps javascript service. So my questions:

  • Does here maps support oauth2 authentication for their javascript map service?
  • Are there other options than using a * for whitelisting subdomains?
  • Is there a way that we can proxy our subdomains into our main domain. I thought about an Iframe but this seems cumbersome because we interact with the map?
  • Perhaps a better approach?

Thanks in advance

Tomas
  • I'd suggest you add some more background to your question. I have no idea what you are talking about and I guess I'm not the only one. What's the "Here Maps javascript' you are referencing. Where's the documentation, especially for the option you mention? What did you try? What exact problems did you experience? – wedi Nov 29 '20 at 18:48
  • 1
    Hi @wedi I tried to clarify the question – Brian Velda Nov 30 '20 at 10:31
  • What happens if you specify just `example.com`? – Tomas Dec 01 '20 at 10:12
  • @Tomas, if the request is from example.com (or www.example.com), then the GET will be accepted. However the GET request gets blocked (Authorisation error) when you request from xxx.example.com – Brian Velda Dec 01 '20 at 14:40
  • Hi @BrianVelda, the subdomain using wild card character(*) is not allowed in HERE whitelisting Security. You'll need to specify FQDN. – Younjae Park Dec 04 '20 at 07:44
  • @YounjaePark, but what if FQDN is not possible? Are there alternatives, for example would an Iframe work? – Brian Velda Dec 08 '20 at 15:15

1 Answer


I think the token road is the best option for you. I'm not personally using this service but I found this https://developer.here.com/documentation/identity-access-management/dev_guide/topics/sdk.html#step-2-create-a-signature

I may be wrong but I understand that it goes like this:

  1. User requests token ( for using API from client side ) from your backend.
  2. You create a signature & signing key at your backend and then you send a request for creating a token.
  3. Then you can return this token to the client side for the user.

Questions:

What stops me from creating a token at your site and then using it elsewhere?

When you whitelist the domain you are going to send requests from, if you are not doing it from the server but from the client side, how is the server able to say that it comes from a particular domain?

For me it seems like all requests before going to HERE service should go through your API backend that would determine if request comes from provided "Frontend".

sonic
  • Thank you for your suggestion, I agree with your suggestion, however the documentation of the here maps javascript does not mention the support of this authentication. I did find something about a header option here: https://developer.here.com/documentation/maps/3.1.20.0/api_reference/H.service.Platform.html#.Options. But I could only find a mention that H.service.Platform is where you initialise the map and is expecting some form of validation (in our case we give the api key). – Brian Velda Nov 30 '20 at 10:15
  • I think their javascript needs this apikey (described as mandatory). It seems like there are no options for a token because this must be connected to your backend. I think you could create a token in your backend before initializing the javascript and then initialise the map by attaching headers. I don't know what the options are on the inside of their service, but if you could set that you always require a token then exposing the apikey doesn't seem like the issue. Anyway I would of course contact them for some tips if you are paying them. I would also ask about the first question I wrote in my Answer. – sonic Nov 30 '20 at 11:24
  • Please write when you manage to figure it out. I'm curious about this whole authentication issue – sonic Nov 30 '20 at 11:26
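As an added example (not code from the question, the answer or HERE), here is a minimal Python token-broker backend that puts the answer's three steps and its last point together: the API key secret stays on the server, the backend does the wildcard *.example.com origin check that HERE's allowlist cannot, and only a logged-in user on an allowed subdomain receives a short-lived token. It assumes the HERE IAM token endpoint URL and an OAuth 1.0a HMAC-SHA256 client_credentials request as the linked "create a signature" guide describes; the key id/secret, `session_ok` and the injected `post()` helper are placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlparse

# Assumed values (placeholders, not from the question): the HERE IAM token
# endpoint and your app's access key id/secret from the developer portal.
TOKEN_URL = "https://account.api.here.com/oauth2/token"
PARENT_DOMAIN = "example.com"  # tenants live on <tenant>.example.com

def origin_allowed(origin, parent=PARENT_DOMAIN):
    """The wildcard check HERE's allowlist refuses: accept https://parent and
    https://<single-label>.parent only. Origin is browser-set, so this is a
    coarse filter, not authentication of the caller."""
    u = urlparse(origin or "")
    if u.scheme != "https" or not u.hostname:
        return False
    host = u.hostname.lower()
    label, _, rest = host.partition(".")
    ok_label = label and label.replace("-", "").isalnum()
    return host == parent or (rest == parent and bool(ok_label))

def _enc(value):
    return quote(str(value), safe="~")  # RFC 3986 encoding OAuth 1.0a requires

def oauth1_header(key_id, key_secret, url=TOKEN_URL, nonce=None, ts=None):
    """Build the OAuth 1.0a HMAC-SHA256 Authorization header for the
    client_credentials token request (the 'create a signature' step)."""
    params = {
        "grant_type": "client_credentials",
        "oauth_consumer_key": key_id,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(ts or int(time.time())),
        "oauth_version": "1.0",
    }
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base_string = "&".join(["POST", _enc(url), _enc(normalized)])
    signing_key = _enc(key_secret) + "&"  # no token secret at this stage
    digest = hmac.new(signing_key.encode(), base_string.encode(), hashlib.sha256).digest()
    oauth = {k: v for k, v in params.items() if k.startswith("oauth_")}
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in sorted(oauth.items()))

def issue_token(origin, session_ok, post, key_id, key_secret):
    """Broker endpoint: the secret never leaves the server; only a short-lived
    token does, and only to a logged-in user on an allowed subdomain.
    post(url, auth_header, body) performs the HTTPS call (injected to run offline)."""
    if not session_ok or not origin_allowed(origin):
        return None
    return post(TOKEN_URL, oauth1_header(key_id, key_secret), "grant_type=client_credentials")
```

The browser then passes the returned token to the map client instead of the api key, and the backend re-issues a fresh one when it expires.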