Cross (sub)domain cookie support when fetching remoteEntry #1043
Description
For which library do you have a feature request?
native-federation
Information
Hi,
tl;dr: can an option be included to include credentials when fetching the remoteEntry and chunks?
\libs\native-federation-runtime\src\lib\init-federation.ts:
async function loadFederationInfo(
remoteEntryUrl: string,
): Promise<FederationInfo> {
const info = (await fetch(remoteEntryUrl /*, option to include credentials: {credentials: 'include'} */).then((r) =>
r.json(),
)) as FederationInfo;
return info;
}Context:
We're currently implementing native federation so that we can share modules between different applications owned by domain teams.
Our application URLs are like:
- app1.domain.com
- app2.domain.com
- ...
Our APM (access policy manager) setup uses session cookies to achieve SSO, with the cookie domain set to .domain.com (Secure, HttpOnly, SameSite=none) and CORS headers are injected.
when app1 tries to retrieve the remoteEntry.js from app2, the credentials are not included, causing the APM to challenge the authentication, which can't be handled by the fetch.
Describe any alternatives/workarounds you're currently using
Workarounds:
- Use an internal router so that calls from app1 to app2 are routed through app1.domain.com/app2/remoteEntry.json
downside of this approach is that we need to configure our microservice urls in multiple places
- Make the remoteEntry and chunks public
downside of this approach: might accidently leak information to unauthenticated users
I would be willing to submit a PR to fix this issue
- Yes
- No