Stormpath's SDKs use a very secure digest-based authentication mechanism to authenticate every request. Stormpath's API servers calculate the same digest to guarantee that no one - internal infrastructure, attacker or otherwise, even before or after TLS (SSL) termination - is able to tamper with requests. This technique prevents Man-In-The-Middle attacks.
Because GAE manipulates requests after digest calculation, the Stormpath API servers then detect a potential Man-In-The-Middle interference and reject the requests (as expected / desired).
In any event, we love our customers and want them to be happy, regardless of Google's impropriety. This issue then represents two pieces of work:
Implement a new GAE-compatible authentication scheme based off of the current digest scheme that makes concessions necessary for GAE's runtime model.
Google believes it is acceptable to tamper with App Engine applications' HTTP requests: they manipulate HTTP request headers or strip some completely.
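The tamper detection described in this issue, as an added illustration that is not part of the original issue or of Stormpath's code: a simplified HMAC-SHA256 request digest (not Stormpath's actual algorithm) showing why a digest over every header fails once an intermediary edits headers after signing. Covering only a named header list is one possible concession, assumed here; the key, header names and the `platform_rewrite` stand-in are constructed.

```python
import hashlib
import hmac

def canonical(method, path, headers, body, signed=None):
    """Build the string both sides digest. signed=None covers every header;
    otherwise only the named headers are covered, and the name list is bound
    into the string so it cannot be altered unnoticed."""
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lower) if signed is None else sorted(n.lower() for n in signed)
    lines = [method.upper(), path]
    lines += [f"{n}:{lower.get(n, '')}" for n in names]
    lines += [";".join(names), hashlib.sha256(body).hexdigest()]
    return "\n".join(lines).encode()

def sign(secret, method, path, headers, body, signed=None):
    msg = canonical(method, path, headers, body, signed)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, digest, method, path, headers, body, signed=None):
    expected = sign(secret, method, path, headers, body, signed)
    return hmac.compare_digest(expected, digest)  # constant-time comparison

def platform_rewrite(headers):
    """Constructed stand-in for an intermediary that edits headers after signing."""
    out = dict(headers)
    out["User-Agent"] = out.get("User-Agent", "") + " (hypothetical-platform-suffix)"
    out.pop("Accept-Encoding", None)
    return out

# Constructed sample request and key (not real credentials).
SECRET = b"constructed-api-key-secret"
HEADERS = {"Host": "api.example.test", "X-Date": "20240101T000000Z",
           "User-Agent": "example-sdk/1.0", "Accept-Encoding": "gzip"}
BODY = b'{"name":"demo"}'
SIGNED = ["Host", "X-Date"]  # assumed header list for the tolerant variant

def demo():
    args = ("POST", "/v1/accounts")
    full = sign(SECRET, *args, HEADERS, BODY)
    partial = sign(SECRET, *args, HEADERS, BODY, SIGNED)
    seen = platform_rewrite(HEADERS)  # what the server receives
    changed = dict(seen, Host="other.example.test")
    return {
        "all_headers_after_rewrite": verify(SECRET, full, *args, seen, BODY),
        "signed_list_after_rewrite": verify(SECRET, partial, *args, seen, BODY, SIGNED),
        "signed_header_changed": verify(SECRET, partial, *args, changed, BODY, SIGNED),
        "body_changed": verify(SECRET, partial, *args, seen, BODY + b" ", SIGNED),
    }

if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the results: any header left out of the signed list is no longer integrity-protected, so the list should exclude only headers the platform is known to alter.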