Hi All,

In OAuth, the /token endpoint and /revoke endpoint
https://localhost:9443/oauth2/token
https://localhost:9443/oauth2/revoke
require authorization with the client key and client secret in basic auth headers. Currently, in the implementation, we validate those headers after serving the request to the JAX-RS endpoints. Basically, the /token and /revoke endpoints are unsecured. There is a significant amount of processing happening even for a wrong client secret.

Since we have a REST API interceptor layer in IS 5.3.0, can we use it to validate client credentials? We may need to plug in an additional authenticator to validate the client key and client secret in basic auth headers. This authenticator may conflict with the basic authenticator because both authenticators validate basic auth credentials in different ways. There are two approaches to avoid the conflict.

*#option 01* Increase the priority of the newly added authenticator and check the context inside the authenticator's canHandle.

*#option 02* Increase the priority of the newly added authenticator and check the existence of the OAuth application from the client key.

WDYT?

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
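As an added illustration of the idea in the mail (not WSO2 Identity Server code and not its authenticator API), the following standard JAX-RS 2.0 pre-matching filter combines both options: it only handles the two OAuth endpoints by path (option 01) and rejects a client key that does not belong to a registered application (option 02), so a bad secret never reaches the resource method. The in-memory `apps` registry and the `@Priority(100)` value are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;

@PreMatching
@Priority(100) // assumed value: run ahead of the generic basic authenticator
public class OAuthClientAuthFilter implements ContainerRequestFilter {

    // Hypothetical registry of OAuth apps: clientKey -> clientSecret
    private final Map<String, String> apps;

    public OAuthClientAuthFilter(Map<String, String> apps) { this.apps = apps; }

    // Option 01: only the token and revoke endpoints carry client credentials
    static boolean canHandle(String path) {
        String p = path.startsWith("/") ? path : "/" + path;
        return p.equals("/oauth2/token") || p.equals("/oauth2/revoke");
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (!canHandle(ctx.getUriInfo().getPath())) return;
        String header = ctx.getHeaderString("Authorization");
        if (header == null || !header.startsWith("Basic ")) { reject(ctx); return; }
        String[] creds;
        try {
            creds = new String(Base64.getDecoder().decode(header.substring(6)),
                    StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) { reject(ctx); return; }
        // Option 02: the client key must map to a registered OAuth application;
        // compare the secret in constant time so timing does not leak its length/prefix
        String expected = creds.length == 2 ? apps.get(creds[0]) : null;
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                creds[1].getBytes(StandardCharsets.UTF_8))) {
            reject(ctx);
        }
    }

    // Abort before dispatch: no resource method or token processing runs
    private static void reject(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"oauth2\"").build());
    }
}
```

Because the filter takes a constructor argument, it has to be registered as an instance on the JAX-RS `Application` rather than discovered by class scanning.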
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture