+1 for OAuth and IMO in future we should move all authorization in admin
services to OAuth throughout the Carbon. It will be definitely possible
when we are moving from SOAP to REST with Carbon 5.

On Wed, Jan 28, 2015 at 6:03 PM, Prabath Siriwardena <prab...@wso2.com>
wrote:

> +1 for using OAuth..
>
> Please also think of the cost of maintaining and provisioning keys between
> servers in a clustered setup and the requirement of having an OAuth
> authorization server.
>
> Please see the approach suggested here [1]: self-issued & self-contained
> access tokens. This approach reduces almost all the overhead.
>
> [1]: http://blog.facilelogin.com/2014/10/self-issued-access-tokens.html
>
> Thanks & regards,
> -Prabath
>
>
>
> On Wed, Jan 28, 2015 at 1:16 AM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Jan 27, 2015 at 3:17 PM, Anjana Fernando <anj...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> I guess our admin services are also accessible via basic auth, aren't they?
>>> .. We just thought, as a convenience method for the end user, they can use
>>> their username/password to access our API if required. So basically, if
>>> using OAuth, other than using SAML2 bearer token grant type or anything
>>> similar, is it possible to use the login username/password to our dashboard
>>> UI to generate the access token with resource owner credentials grant type
>>> maybe? ..
>>>
>>
>> This is also possible. But the access token has a finite expiry time.
>> And it is not related to the browser session / not a moving window. So once
>> it expires you must use the refresh token to get another access token. So
>> this way the user can log in once and keep using APIs until they log out. Once
>> they log out the access token can be revoked.
>>
>> Securing APIs with Basic Auth is also currently widely used. But it
>> doesn't provide any advantage over OAuth2. So for future we should stick to
>> OAuth2 only.
>>
>> For the validation of the OAuth2 token we should have a Tomcat valve so
>> that it can secure REST as well as SOAP services. I don't think we have
>> written one all this time. Gihan, if you are doing this, can you sync up with
>> the IS team and let's finalize.
>>
>>
>> Thanks,
>> Johann.
>>
>>>
>>> Cheers,
>>> Anjana.
>>>
>>> On Tue, Jan 27, 2015 at 2:42 PM, Supun Malinga <sup...@wso2.com> wrote:
>>>
>>>> Hi Gihan,
>>>>
>>>> IMO using basic auth will make it vulnerable to DoS attacks and less
>>>> secure. So you need to think this through.
>>>>
>>>> There is a possibility of authenticating already logged in users via
>>>> the cookie data. But we will need to write a new cookie based oauth grant
>>>> type for this. AFAIK we don't have such a grant type yet (Correct me if I'm
>>>> wrong).
>>>>
>>>> On your latest note I think you can use the SAML2 grant type [0].
>>>>
>>>> [0]
>>>> https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)
>>>>
>>>> thanks,
>>>>
>>>> On Tue, Jan 27, 2015 at 1:48 PM, Gihan Anuruddha <gi...@wso2.com>
>>>> wrote:
>>>>
>>>>> No. We thought it might be convenient for the end user if we provide
>>>>> basic auth capabilities. We will integrate OAuth functionalities for our
>>>>> REST APIs.
>>>>>
>>>>> Regarding our requirement, we have multiple dashboards that validate
>>>>> the user through a single login page. How can we do the backend API
>>>>> communication?
>>>>>
>>>>> Regards,
>>>>> Gihan
>>>>>
>>>>> On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe <sume...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Any particular reason for securing product APIs using Basic Auth?
>>>>>>
>>>>>> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>>>>>>
>>>>>> On Tue, Jan 27, 2015 at 11:53 AM, Gihan Anuruddha <gi...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We are going to use a set of REST APIs [1] to communicate with the
>>>>>>> data layer. Basically, we are securing these REST APIs with basic
>>>>>>> auth. But we wanted to communicate with these REST APIs as an already
>>>>>>> logged in user as well. The reason is we have a plan to use these REST APIs
>>>>>>> in our Message console dashboard and we want to have an SSO kind of login
>>>>>>> solution for these dashboards without any individual login pages.
>>>>>>>
>>>>>>> So is it possible to use the existing HTTP session cookie to
>>>>>>> authenticate REST API calls, or do we have to use OAuth with some
>>>>>>> specific grant types?
>>>>>>>
>>>>>>> Appreciate your inputs here.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [1] - [Architecture] BAM 3.0 REST APIs for AnalyticsDataService /
>>>>>>> Indexing / Search
>>>>>>> --
>>>>>>> W.G. Gihan Anuruddha
>>>>>>> Senior Software Engineer | WSO2, Inc.
>>>>>>> M: +94772272595
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> /sumedha
>>>>>> m: +94 773017743
>>>>>> b :  bit.ly/sumedha
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> W.G. Gihan Anuruddha
>>>>> Senior Software Engineer | WSO2, Inc.
>>>>> M: +94772272595
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> Architecture@wso2.org
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Supun Malinga,
>>>>
>>>> Senior Software Engineer,
>>>> WSO2 Inc.
>>>> http://wso2.com
>>>> email: sup...@wso2.com
>>>> mobile: +94 (0)71 56 91 321
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> *Anjana Fernando*
>>> Senior Technical Lead
>>> WSO2 Inc. | http://wso2.com
>>> lean . enterprise . middleware
>>>
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>> Integration Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com*
>>
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>
>
>
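The self-issued, self-contained access token approach Prabath points to in [1], together with the finite expiry and logout-time revocation Johann describes, as an added worked example. This is not code from the thread, from WSO2 Carbon or from the linked blog post. The idea it demonstrates is that a token carries its own signed claims, so a resource server (the REST API or the Tomcat valve discussed above) can validate it with a shared key and no round trip to an authorization server; the price is that the key has to be provisioned to every validating node and that revocation needs a shared list of revoked token ids. The HMAC-SHA256 token format, the claim names, the `analytics:read` scope and the demo key are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. In a clustered deployment this is the key that must be
# provisioned to every server that validates tokens; it is a fixed byte string
# here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"

REQUIRED_CLAIMS = {"sub", "scope", "exp", "jti"}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, the usual bearer-token encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scopes, ttl_seconds: int, now=None) -> str:
    """Issue a self-contained token: JSON claims plus an HMAC-SHA256 over them.

    Claim names follow JWT conventions (sub, scope, iat, exp, jti); the token
    layout itself (payload.signature) is an assumption of this example.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,
        "scope": sorted(scopes),
        "iat": now,
        "exp": now + ttl_seconds,        # finite lifetime; client refreshes later
        "jti": secrets.token_hex(8),     # unique id so a logout can revoke it
    }
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    signature = _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return payload + "." + signature


def _verify_and_parse(key: bytes, token: str):
    """Return (claims, None) when the signature is genuine, else (None, reason).

    The signature is checked before the payload is parsed, so untrusted JSON is
    only decoded once it is known to come from the key holder.
    """
    if not token.isascii() or token.count(".") != 1:
        return None, "malformed"
    payload, signature = token.split(".")
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _unb64(signature)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(expected, presented):   # constant-time compare
        return None, "bad signature"
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None, "malformed"
    if (not isinstance(claims, dict) or not REQUIRED_CLAIMS <= set(claims)
            or not isinstance(claims["scope"], list)):
        return None, "malformed"
    return claims, None


def validate_token(key: bytes, token: str, required_scope: str, revoked: set, now=None):
    """Resource-server side check. Returns (accepted, reason, claims)."""
    now = int(time.time()) if now is None else now
    claims, reason = _verify_and_parse(key, token)
    if claims is None:
        return False, reason, None
    if now >= claims["exp"]:
        return False, "expired", claims
    if claims["jti"] in revoked:
        return False, "revoked", claims
    if required_scope not in claims["scope"]:
        return False, "insufficient scope", claims
    return True, "ok", claims


def revoke_token(key: bytes, token: str, revoked: set) -> bool:
    """Logout path: record the token id so later presentations are refused.

    Only genuine tokens are recorded, so an attacker cannot fill the list."""
    claims, _ = _verify_and_parse(key, token)
    if claims is None:
        return False
    revoked.add(claims["jti"])
    return True


if __name__ == "__main__":
    revoked_ids = set()
    token = issue_token(DEMO_KEY, "alice", ["analytics:read"], ttl_seconds=3600)
    print(validate_token(DEMO_KEY, token, "analytics:read", revoked_ids)[:2])  # (True, 'ok')
    revoke_token(DEMO_KEY, token, revoked_ids)
    print(validate_token(DEMO_KEY, token, "analytics:read", revoked_ids)[:2])  # (False, 'revoked')
```

The validator never consults the issuer: signature, expiry and scope are all decided locally from the token itself, which is what removes the per-request call to an authorization server. What it cannot decide locally is "has this user logged out", so `revoked` stands in for the shared revocation list a clustered deployment would need; if that list is not replicated to every node, a token revoked on one server is still accepted on another until it expires.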
