This page is to discuss the REST implementation of Shibboleth authentication.
We have a first implementation available [here|https://github.com/4Science/DSpace/tree/dspace-7-shibboleth].
To allow the Angular UI to authenticate through Shibboleth, we need a way to pass the JWT token to the client after authentication has succeeded on the REST side.
To resolve this we thought of creating a new Shibboleth controller on the REST side that, after the Shibboleth authentication, redirects to the client and sets an "auth" cookie (which simply contains the JWT token). The client then sends the cookie back to the server, which checks the JWT token, so the client is now authenticated.
To make this mechanism work even when the Angular client and the REST server are on separate hosts (our DSpace 7 demo is a perfect example) we need:
- the Angular client to use [withCredentials = true|https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials] in its XHR requests;
- the server to set the following CORS headers:
  - Access-Control-Allow-Origin: http://client.com
  - Access-Control-Allow-Credentials: true
Note that we cannot get away with a wildcard for Access-Control-Allow-Origin when we are sending credentials: browsers reject a credentialed response whose Access-Control-Allow-Origin is "*". Also note that the origin has to be an exact match, including scheme (http or https) and port. This is the limitation of the current implementation: without a wildcard we restrict access to the single configured origin, so we hit a CORS error when, for example, a local Angular installation is used against the official REST server.
To avoid this limitation, the REST side should handle the Access-Control-Allow-Origin header dynamically. In practice the server reads the Origin header of the request, checks it against a whitelist of allowed origins (an exact comparison of scheme, host and port, not a substring or prefix match), and if it is allowed copies the Origin value from the request into the Access-Control-Allow-Origin header of the response; an Origin that is not on the list must never be echoed back. Because the response now differs per origin, the server should also send Vary: Origin so that caches do not hand one origin's header to another.
So I would like to ask whether this is a reasonable implementation, or whether someone can suggest a different approach.