This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-09-14
oh I only just realised that it should be possible to get an AWS JWT authorizer to read cookies (rather than just an HTTP Header)
I mean `Cookies` IS an http header, so it becomes more about how to extract the JWT substring
the syntax of the identity Source is not obvious; if I guessed at something like `$request.cookies.idtoken` is that likely, do you think? https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html
maybe I have to linearly search the cookies
meh
> For `JWT`, a single entry that specifies where to extract the JSON Web Token (JWT) from inbound requests. Currently only header-based and query parameter-based selections are supported, for example `$request.header.Authorization`.
no cookies
so
I have a server generated `/logged-in` that has an ID token JWT
I have a client react app that will need to make API calls presenting the JWT in a header or query
the `/logged-in` makes an HTTP/302 to redirect to the client url
I would rather not use query params if I can avoid it
but how can I get the idtoken to the react app?
Seems like cookie is my best option?
maybe I can put it in an HTTP response header
seems like
1. server drops a session cookie, redirects to react app `/loggedin` route
2. react `/loggedin` makes a fetchApi request to server `/credentials` endpoint
3. server responds with JWT string and other client-useful info in a JSON map body; it also deletes the session cookie
4. client stashes the JWT string in its (volatile) global state and presents it in an HTTP header going forwards
seems a bit round the houses though; is there really no way to shortcut this?
I guess there might be better security in taking each step one at a time..?