+1 for using OAuth security for the APIs. Can't you guys use the "API everywhere"
concept in this use case? So that you can simply have the OAuth security for
the APIs.

Best Regards,
Lakshitha Harshan
Software Engineer
Mobile: +94724423048
Email: hars...@wso2.com
Blog : http://harshanliyanage.blogspot.com/
WSO2, Inc. : wso2.com
lean.enterprise.middleware.

On Sun, Feb 1, 2015 at 7:30 AM, Maninda Edirisooriya <mani...@wso2.com> wrote:

> +1 for OAuth and IMO in future we should move all authorization in admin
> services to OAuth throughout Carbon. It will definitely be possible
> when we are moving from SOAP to REST with Carbon 5.
>
> On Wed, Jan 28, 2015 at 6:03 PM, Prabath Siriwardena <prab...@wso2.com> wrote:
>
>> +1 for using OAuth..
>>
>> Please also think of the cost of maintaining and provisioning keys
>> between servers in a clustered setup and the requirement of having an OAuth
>> authorization server.
>>
>> Please see the approach suggested here [1]: self-issued & self-contained
>> access tokens. This approach reduces almost all the overhead.
>>
>> [1]: http://blog.facilelogin.com/2014/10/self-issued-access-tokens.html
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Wed, Jan 28, 2015 at 1:16 AM, Johann Nallathamby <joh...@wso2.com> wrote:
>>
>>> On Tue, Jan 27, 2015 at 3:17 PM, Anjana Fernando <anj...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I guess our admin services are also accessible via basic auth, aren't
>>>> they? .. We just thought, as a convenience method for the end user, they can
>>>> use their username/password to access our API if required. So basically, if
>>>> using OAuth, other than using the SAML2 bearer token grant type or anything
>>>> similar, is it possible to use the login username/password of our dashboard
>>>> UI to generate the access token with the resource owner credentials grant
>>>> type maybe? ..
>>>
>>> This is also possible. But the access token has a finite expiry time.
>>> And it is not related to the browser session / not a moving window. So once
>>> it expires you must use the refresh token to get another access token. So
>>> this way the user can log in once and keep using APIs until they log out.
>>> Once they log out the access token can be revoked.
>>>
>>> Securing APIs with Basic Auth is also currently widely used. But it
>>> doesn't provide any advantage over OAuth2. So for the future we should stick
>>> to OAuth2 only.
>>>
>>> For the validation of the OAuth2 token we should have a Tomcat valve so
>>> that it can secure REST as well as SOAP services. I don't think we have
>>> written one all this time. Gihan, if you are doing this can you sync up with
>>> the IS team and let's finalize.
>>>
>>> Thanks,
>>> Johann.
>>>
>>>> Cheers,
>>>> Anjana.
>>>>
>>>> On Tue, Jan 27, 2015 at 2:42 PM, Supun Malinga <sup...@wso2.com> wrote:
>>>>
>>>>> Hi Gihan,
>>>>>
>>>>> IMO using basic auth will make it vulnerable to DoS attacks and less
>>>>> secure. So you need to think this through.
>>>>>
>>>>> There is a possibility of authenticating already logged in users via
>>>>> the cookie data. But we will need to write a new cookie based OAuth grant
>>>>> type for this. AFAIK we don't have such a grant type yet (correct me if I'm
>>>>> wrong).
>>>>>
>>>>> On your latest note I think you can use the SAML2 grant type [0].
>>>>>
>>>>> [0] https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)
>>>>>
>>>>> thanks,
>>>>>
>>>>> On Tue, Jan 27, 2015 at 1:48 PM, Gihan Anuruddha <gi...@wso2.com> wrote:
>>>>>
>>>>>> No. We thought it might be convenient for the end user if we provide
>>>>>> basic auth capabilities. We will integrate OAuth functionality for our
>>>>>> REST APIs.
>>>>>>
>>>>>> Regarding our requirement, we have multiple dashboards that validate
>>>>>> the user through a single login page. How can we do the backend API
>>>>>> communication?
>>>>>>
>>>>>> Regards,
>>>>>> Gihan
>>>>>>
>>>>>> On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe <sume...@wso2.com> wrote:
>>>>>>
>>>>>>> Any particular reason for securing product APIs using Basic Auth?
>>>>>>>
>>>>>>> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>>>>>>>
>>>>>>> On Tue, Jan 27, 2015 at 11:53 AM, Gihan Anuruddha <gi...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> We are going to use a set of REST APIs [1] to communicate with the
>>>>>>>> data layer. Basically, we are securing these REST APIs with basic
>>>>>>>> auth. But we wanted to communicate with these REST APIs as an already
>>>>>>>> logged in user as well. The reason is we have a plan to use these REST
>>>>>>>> APIs in our Message Console dashboard and we want to have an SSO kind of
>>>>>>>> login solution for these dashboards without any individual login pages.
>>>>>>>>
>>>>>>>> So is it possible to use the existing HTTP session cookie to
>>>>>>>> authenticate REST API calls, or do we have to use OAuth with some specific
>>>>>>>> grant types?
>>>>>>>>
>>>>>>>> Appreciate your inputs here.
>>>>>>>>
>>>>>>>> [1] - [Architecture] BAM 3.0 REST APIs for AnalyticsDataService /
>>>>>>>> Indexing / Search
>>>>>>>> --
>>>>>>>> W.G. Gihan Anuruddha
>>>>>>>> Senior Software Engineer | WSO2, Inc.
>>>>>>>> M: +94772272595
>>>>>>>
>>>>>>> --
>>>>>>> /sumedha
>>>>>>> m: +94 773017743
>>>>>>> b : bit.ly/sumedha
>>>>>>
>>>>>> --
>>>>>> W.G. Gihan Anuruddha
>>>>>> Senior Software Engineer | WSO2, Inc.
>>>>>> M: +94772272595
>>>>>
>>>>> --
>>>>> Supun Malinga,
>>>>>
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
>>>>> http://wso2.com
>>>>> email: sup...@wso2.com
>>>>> mobile: +94 (0)71 56 91 321
>>>>
>>>> --
>>>> Anjana Fernando
>>>> Senior Technical Lead
>>>> WSO2 Inc. | http://wso2.com
>>>> lean . enterprise . middleware
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> Johann Dilantha Nallathamby
>>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>>> Integration Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - +94777776950
>>> Blog - http://nallaa.wordpress.com
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture