Under Review
Last Updated: 29 Apr 2021 10:59 by ADMIN
Sergey
Created on: 22 Apr 2021 16:32
Type: Feature Request
Fully support OAuth 2.0 Authorization Code with PKCE flow in Angular/Html5 tr-viewer

Dear Telerik,

We use Azure App Services to host the reporting engine API.

Azure App Services validate all incoming requests to ensure they come in with valid Bearer JWT tokens. Your suggested workaround of validating the tokens only on some requests in the application would require us to turn off built-in Azure validation, which elevates security risks.

Can you please ensure [authenticationToken] is added to ALL requests from the Angular tr-viewer to the API, not just some requests?

Please redesign the viewer to authenticate all its requests to the backend service, including but not limited to the requests the report viewer makes to download generated report documents as attachments by performing GET document requests through window.open() or any other method.

We appreciate your efforts to obfuscate such requests; however, these efforts need to be in addition and not instead of industry standard security practices.

Thank you very much,

Sergey Nosov
Sr. Integrator/Developer,
Calpine Energy Solutions

1 comment
Todor (ADMIN)
Posted on: 29 Apr 2021 10:59

Hello Sergey,

We have already added an authentication token to all the requests we make with JavaScript. Note that the requests for the resources, including those for the exported documents, are made from HTML code, for example, 'href="api/reports/resources/myDocumentId"'. That said, they are made by the browser rather than by our client/viewer. Technically, we are not aware of an approach to apply an authentication token to such requests made by the browser. We are open to suggestions on how we may overcome the problem though.

Regards,
Todor
Progress Telerik
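One way to close the gap described in the comment above, given here as an added example rather than Telerik's own viewer code: fetch the exported document from script with the same bearer token the viewer already holds, then hand the bytes to the browser as a Blob download, so the API never sees a request without the token. The `token` value, the injected `fetchImpl`/`saveBlob` parameters and the Content-Disposition filename handling are assumptions; the resource path is the one quoted in the thread.

```javascript
// Added example, not Telerik viewer code. Assumes `token` is the JWT the viewer
// already passes as authenticationToken and that the API returns the file with a
// Content-Disposition header.

function authHeaders(token) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("missing bearer token");
  }
  return { Authorization: `Bearer ${token}` };
}

// Pull filename=... (quoted or bare, optional RFC 5987 prefix) from Content-Disposition.
function fileNameFromDisposition(disposition, fallback = "report.bin") {
  if (!disposition) return fallback;
  const m = /filename\*?=(?:UTF-8'')?"?([^";]+)"?/i.exec(disposition);
  return m ? decodeURIComponent(m[1]) : fallback;
}

// fetchImpl and saveBlob are injected so the logic can be exercised outside a
// browser; in a page pass window.fetch and saveBlobViaAnchor.
async function downloadProtectedDocument(resourceUrl, token, fetchImpl, saveBlob) {
  const response = await fetchImpl(resourceUrl, {
    method: "GET",
    headers: authHeaders(token),
    credentials: "omit", // rely on the bearer token, not ambient cookies
  });
  if (!response.ok) {
    throw new Error(`document request failed: HTTP ${response.status}`);
  }
  const blob = await response.blob();
  const name = fileNameFromDisposition(response.headers.get("content-disposition"));
  saveBlob(blob, name);
  return { name, size: blob.size };
}

// Browser-side saver: a temporary object URL behind an <a download> replaces
// href="api/reports/resources/..." navigation and window.open().
function saveBlobViaAnchor(blob, name) {
  const url = URL.createObjectURL(blob);
  const a = document.createElement("a");
  a.href = url;
  a.download = name;
  a.click();
  URL.revokeObjectURL(url);
}
```

With the token carried on every document request, the built-in App Service JWT validation can stay enabled for the whole API surface instead of being relaxed for resource routes.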
