In modern applications, web application may need to request some other web applications on behalf of the authenticated users. There are three ways to do this:
The “Bad” method consists to give the token (cookie value) to webapp1 which uses it as cookie header in its request. Since 2.0 version, LL::NG gives a better way (the Good !) to do this by using limited scope tokens.
Tokens are time limited (30 seconds) and URL restricted (three max).
Insert a header filled with this value:
token( $_session_id, 'webapp2.example.com', 'webapp3.example.com' )
Webapp1 can read this header and use it in its requests by setting the X-Llng-Token
header. The token is built using the session ID and the authorized virtualhosts list. The token is only available during 30 seconds and for the specified virtualhosts.
Change handler type to “ServiceToken”. So it is able to manage both user and server connections. And that's all !