HereMaps - Looking for options to be able to use subdomains with the map (JavaScript) without exposing the app ID


Looking for a solution to use the HERE Maps JavaScript map app key (https://developer.here.com/documentation/maps/3.1.20.0/api_reference/H.service.Platform.html) safely while having multiple subdomains.

Currently we initialise the map as follows:

// H.service.Platform initialisation as in the original post; 'XXXX' stands in for the real key
this.platform = new H.service.Platform({
    apikey: 'XXXX',    // the app/API key this question is about keeping out of the browser
    useCIT: true,      // use the Customer Integration Testing environment
    useHTTPS: true     // talk to the service over HTTPS
});

The HERE Maps JavaScript service asks for an API key to authenticate, and grants a GET request when the API key is correct.

One of their safety methods is whitelisting; however, we allow our users to create a subdomain like xxx.example.com while accessing the same web app.

One of HereMaps security options is the following:

  • with the option Create a trusted domain for your app credentials (Insert values without protocol)

This option does not seem to work because it doesn't allow * (*.example.com). I disabled this option to be able to use the HERE Maps service; however, I would rather add some security and not directly expose our app ID.

I couldn't find a mention of OAuth2 support for the HERE Maps JavaScript service. So my questions:

  • Does HERE Maps support OAuth2 authentication for their JavaScript map service?
  • Are there other options than using a * for whitelisting subdomains?
  • Is there a way that we can proxy our subdomains into our main domain? I thought about an iframe, but this seems cumbersome because we interact with the map.
  • Perhaps a better approach?

Thanks in advance

1 answer

I think the token road is the best option for you. I'm not personally using this service, but I found this: https://developer.here.com/documentation/identity-access-management/dev_guide/topics/sdk.html#step-2-create-a-signature

I may be wrong, but I understand that it goes like this:

  1. The user requests a token (for using the API from the client side) from your backend.
  2. You create a signature and signing key at your backend and then send a request to create a token.
  3. Then you can return this token to the client side for the user.

Questions:

What stops me from creating a token at your site and then using it elsewhere?

When you whitelist the domain you are going to send requests from, if you are not doing it from the server but from the client side, how is the server able to say that it comes from a particular domain?

For me it seems like all requests, before going to the HERE service, should go through your API backend, which would determine if the request comes from the provided "Frontend".