How to make ajax CORS requests to shibboleth protected rest api?

Nicholas Roy nsr11 at
Thu May 28 16:28:05 EDT 2015

All you need is up to you,  you should not need to send the password, that
would be a Bad Thing in the Ghostbusters sense of the word.  You should, at
a minimum, need whatever the REST API needs to enforce RBAC.  So, if you
need the username for that, you'll need to send that.  I can't imagine you
need to send much more than that.  Again, as Jim said, REST API trusts your
web site completely, so your web site should just send it the username as
part of the request for a session "cookie" token.  Your REST API security
model then uses whatever RBAC/etc. it's using based on the identity mapped
to the session.


On Thu, May 28, 2015 at 4:07 PM Luke Palnau <lpalnau at> wrote:

> Ah, that sounds familiar, what user info would be given to the rest-api's
> token endpoint? Username? Anything else?
> The OAUTH2 examples I've seen send username, password, and grant type to a
> token endpoint. But since siteA uses shib I don't have a password. Unless
> I'm misunderstanding this.
> -Luke
> 734.604.2271
>  --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list