Skip to content

Onegini Security Proxy

An introduction

The Security Proxy is essentially a reverse proxy. Within the Onegini Mobile Platform it serves as the gateway for all the traffic between the enterprise and mobile device. It serves both requests that need to be handled by the Token Server, and data requests (aka resource requests) that bring the enterprise data safely to the mobile device.

The picture below shows the position of the Security Proxy within the Onegini Mobile Platform.

Onegini MSP architecture

The Security Proxy is a secure bridge between the enterprise and mobile application. It adds an extra layer of encryption within the application layer of the TCP/IP protocol. This is what Onegini calls payload encryption. Payload encryption is an extra security measure on top of the SSL/TLS security layer, which is handled in the transport layer of the TCP/IP protocol. Hence, SSL/TLS and payload encryption can be used in conjunction with each other to further protect the mobile device from leaking information.

The picture below shows a high level overview of the message flow for payload encryption.

1
2
3
4
5
  +-----+                             +----------------+                               +------------------+
  | SDK | ---- encrypted request ---> | Security Proxy |  ---- plaintext request --->  |   Token Server   |
  |     |                             |                |                               |        or        |
  |     | <--- encrypted response --- |                |  <--- plaintext response ---  | Resource Gateway |
  +-----+                             +----------------+                               +------------------+

The Security Proxy can also act as a basic Resource Gateway. It can validate access tokens and map the outcome of this validation to the proxied resource request. This mapping can be customized to the needs of the APIs that are protected by the Resource Gateway functionality within the Security Proxy.

The picture below shows a high level schematic overview of the message flow with the embedded resource gateway.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
  +-----+                         +----------------+                                   +------------------+
  | SDK | ---- resource call ---> | Security Proxy |  ---- validate access token ----> |   Token Server   |
  |     |                         |                |  <--- token validation result --- |                  |
  |     |                         |                |                                   +------------------+
  |     |                         |                |                                   +------------------+
  |     |                         |                |  --- token validation result ---> |     (Custom)     |
  |     |                         |                |  <--- mapped request details ---- |  Request Mapper  |
  |     |                         |                |                                   +------------------+
  |     |                         |                |                                   +------------------+
  |     |                         |                |  --- enriched resource call ----> | Resource Server  |
  |     | <-- secured resource -- |                |  <------ secured resource ------- |                  |            
  +-----+                         +----------------+                                   +------------------+

The Onegini Security Proxy is a normal reverse proxy and should be configured accordingly. The Onegini Security Proxy is an additional product next to the Onegini Token Server. Therefore it needs a running Token Server to function properly.