On Wed, Feb 4, 2015 at 5:15 AM, Prabath Siriwardena <prab...@wso2.com>
wrote:

> If you say Basic Auth is easy - then there is no difference in using OAuth
> too....:-)
>
> Basically the resource owner credentials grant type was introduced in
> OAuth to migrate clients from Basic/Digest authentication into OAuth...
>
> By looking at the use case - it's clearly something to do with access
> delegation. One server needs to access a resource (API) on behalf of another
> user.. it's clearly something to do with OAuth.
>

Yes, that's true :) .. guess the simple username/password scenario also can
be covered with OAuth, if the requirement comes.

Cheers,
Anjana.


>
> Thanks & regards,
> -Prabath
>
>
> On Tue, Feb 3, 2015 at 3:21 AM, Anjana Fernando <anj...@wso2.com> wrote:
>
>> Yes, I guess, we should anyway give the ability for users to use the API
>> with something simple like basic auth (if it makes sense for a specific
>> scenario), and then also support something like OAuth for other scenarios,
>> like here, we are talking about, internally using it from our dashboards
>> etc.. for accessing the backend APIs.
>>
>> Cheers,
>> Anjana.
>>
>> On Tue, Feb 3, 2015 at 4:44 PM, Isabelle Mauny <isabe...@wso2.com> wrote:
>>
>>> All,
>>>
>>> Who is going to use those REST APIs? And from where? While I agree
>>> with all the discussion about making the APIs secure, it's kind of
>>> pointless without a usage context.
>>> Generating/managing an OAuth token is not easy from the client side; if
>>> the REST APIs are used from a script, for example, OAuth might not be
>>> optimal. Would the APIs be exposed externally for any reason (to the
>>> general public?) - We had that problem with G-Reg before, with users
>>> unable to integrate with G-Reg due to the requirement of an OAuth token.
>>> Shouldn't we leave people a choice?
>>>
>>> Isabelle.
>>> __________________________________________________
>>>
>>>
>>> *Isabelle Mauny* VP, Product Management; WSO2, Inc.; http://wso2.com/
>>>
>>> On Feb 3, 2015, at 11:53 AM, Manuranga Perera <m...@wso2.com> wrote:
>>>
>>> Hi Johann,
>>> So if a user is logged in using SAML, is there a way we can call an OAuth2
>>> API from the front-end JS (via REST) directly without going through a proxy?
>>>
>>> On Tue, Feb 3, 2015 at 11:22 PM, Johann Nallathamby <joh...@wso2.com>
>>> wrote:
>>>
>>>> The discussion is about how to secure APIs, and OAuth2 is the popular
>>>> choice here.
>>>>
>>>> How to do SSO to the web front end is a separate question and OpenID
>>>> Connect can be one possibility. Like others have mentioned in this thread
>>>> above, there can be other ways to login to the web front end, e.g. SAML2
>>>> SSO, username/password, etc. Depending on the login mechanism there are
>>>> other grant types you may be able to use to secure APIs using OAuth2 such
>>>> as SAML2 Bearer, Resource Owner Password, self-issued tokens, etc.
>>>>
>>>> OpenID Connect might be the ideal choice, but right now the limitation
>>>> we have with OpenID Connect is that we don't support the session management
>>>> protocol which is required for single logout.
>>>>
>>>> On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera <m...@wso2.com> wrote:
>>>>
>>>>> Hi Johann,
>>>>>
>>>>> As I understand (from Dulanja) we need OpenID Connect [1] to fully
>>>>> integrate with the web front end, so we can keep the token in the front
>>>>> end (in JS) and do the call using REST. Isn't that the way to go?
>>>>>
>>>>> [1] http://openid.net/connect/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>>
>>>> *Johann Dilantha Nallathamby*
>>>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>>>> Integration Technologies Team
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile - *+94777776950*
>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com/>*
>>>>
>>>
>>>
>>>
>>> --
>>> With regards,
>>> *Manu*ranga Perera.
>>>
>>> phone : 071 7 70 20 50
>>> mail : m...@wso2.com
>>>  _______________________________________________
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>>
>>
>>
>> --
>> *Anjana Fernando*
>> Senior Technical Lead
>> WSO2 Inc. | http://wso2.com
>> lean . enterprise . middleware
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>
>


-- 
*Anjana Fernando*
Senior Technical Lead
WSO2 Inc. | http://wso2.com
lean . enterprise . middleware
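
The contrast discussed in this thread, Basic auth on every API call versus the OAuth2 resource owner password grant that replaces it, shown from a script client's side. This is an added example, not part of the original messages or any WSO2 code; the endpoints, client id and credentials are hypothetical and the token response is constructed.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

# Hypothetical endpoints, assumed for this example only.
API_URL = "https://api.example.com/analytics/tables"
TOKEN_URL = "https://idp.example.com/oauth2/token"
# Constructed token endpoint response (shape per RFC 6749 section 5.1).
SAMPLE_RESPONSE = ('{"access_token":"constructed-access-token",'
                   '"token_type":"Bearer","expires_in":3600}')

def basic_header(user, secret):
    """RFC 7617 header value: base64 of 'user:secret'."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def basic_api_request(user, password):
    """Basic auth: the API receives the user's password on every call."""
    return Request(API_URL, headers={"Authorization": basic_header(user, password)})

def password_grant_request(client_id, client_secret, user, password, scope):
    """RFC 6749 section 4.3: the password is sent once, to the token endpoint only."""
    body = urlencode({"grant_type": "password", "username": user,
                      "password": password, "scope": scope}).encode("ascii")
    return Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": basic_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw_json, now=None):
    """Check the response is a bearer token and compute its absolute expiry."""
    doc = json.loads(raw_json)
    if doc.get("token_type", "").lower() != "bearer" or "access_token" not in doc:
        raise ValueError("not a usable bearer token response")
    now = time.time() if now is None else now
    return {"access_token": doc["access_token"],
            "expires_at": now + int(doc.get("expires_in", 0)),
            "refresh_token": doc.get("refresh_token")}

def bearer_api_request(token, now=None):
    """RFC 6750: the API call carries only the short-lived token."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        raise PermissionError("access token expired; refresh or re-request")
    return Request(API_URL, headers={"Authorization": "Bearer " + token["access_token"]})
```

The client-side cost of the grant is one extra request plus expiry handling; in exchange, the API stops seeing the user's password after the first exchange.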