Is it possible for the UI to send authorization to an external service?

This is an odd case:
We have an API outside Cumulocity in a private Kubernetes cluster, and we want to add a UI to it, so to avoid all the overhead of creating a whole app, we are thinking of deploying a new section in one of our c8y UI applications.

While doing a PoC we noticed that even though the c8y UI can make HTTP requests to external services outside of c8y, the authorization cookie is not present in the requests.

I was able to find the configuration for allowed domains, in the Administration App/Settings/application/Access control, but after testing adding localhost, I was not able to see any cookies or auth headers.

I also tested from the frontend using the FetchService from the c8y library and without it.

So I guess my question is if this is possible at all? Is there a way for a c8y UI app to send authorization to a backend that is not hosted in c8y?

We want to avoid the proxy pattern (of deploying a microservice that proxies our external service).

Hi @fernando.asulay,

The OAI-Secure or SSO login modes (Basic settings - Cumulocity documentation) store the authorization token in a cookie with the HttpOnly flag (Set-Cookie header - HTTP | MDN) being set to true.

Because of the HttpOnly flag, the UI application is not able to access the authorization token (for good security practices). Therefore it is unable to send it to any external service.

You could potentially switch your login to Basic auth but I wouldn’t really recommend doing so as you would then be sending the user credentials in more or less cleartext (only base64 encoded).

The better option would be to have a small proxy microservice that forwards these requests.

Regards,
Tristan

Thanks for the reply, we just needed to confirm that.
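
The behaviour described in the answer above, as an added example that is not part of the original thread or Cumulocity's own code: a simplified model of a browser cookie jar (a subset of RFC 6265; Path and SameSite are ignored). The host names, cookie names and values are constructed assumptions.

```javascript
// Simplified browser cookie model. Real browsers also validate the Domain
// attribute against the setting host and apply Path and SameSite rules.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost, hostOnly: true, httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "domain" && v) {
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // Domain attribute also covers subdomains
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// What page script can read through document.cookie on `host`.
function scriptVisible(jar, host) {
  return jar.filter((c) => domainMatches(c, host) && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

// Cookie header the browser itself attaches to a request for `url`,
// even when fetch is called with credentials: "include".
function cookieHeaderFor(jar, url) {
  const { hostname, protocol } = new URL(url);
  return jar.filter((c) => domainMatches(c, hostname) &&
      (!c.secure || protocol === "https:"))
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

function demo() {
  const tenant = "tenant.example.com"; // constructed tenant host
  const jar = [ // constructed Set-Cookie headers
    parseSetCookie("authorization=constructed.jwt.value; Path=/; Secure; HttpOnly", tenant),
    parseSetCookie("XSRF-TOKEN=constructed-xsrf; Path=/; Secure", tenant),
  ];
  return { script: scriptVisible(jar, tenant),
    toTenant: cookieHeaderFor(jar, "https://tenant.example.com/inventory/managedObjects"),
    toExternal: cookieHeaderFor(jar, "https://api.example.net/devices") };
}
console.log(demo());
```

The token reaches the tenant host only because the browser attaches it; script never sees it, and a request to the external host carries no cookie at all.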