Hi Ishara,

Yes. As per the offline discussion I had with Uvindra, we could avoid
exploitation of the access token issued for the self-signup scenario by adding
a captcha plus a token revoke mechanism, so the same access token can't be
reused once it has been used for self-signup, and to get a new access token an
anonymous user has to pass the captcha challenge. But other product REST APIs
are still vulnerable to DoS attacks, since once a user gets an access token by
logging in through the UI, it can be used to make a DoS attack. So, in general,
we would need to introduce a throttling policy for the product-wide REST APIs.

Thanks
~KasunTe

On Wed, Aug 1, 2018 at 11:06 AM Ishara Cooray <isha...@wso2.com> wrote:

> So in this case there are two tokens. One for the sign up that is obtained
> using client credentials that only has the scope for accessing the sign up
> resource. The other is the one obtained from the password grant type that
> is used elsewhere. I don't see a need to immediately revoke the token used
> for the sign up invocation (it can only be used for signing up), is there
> any specific concern you have regarding this?
>
> I was thinking that if this signup token is stolen, one can onboard users
> to the system, which will lead to a potential attack. Isn't it?
> Of course, if we can have captcha validation we can mitigate this.
>
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Wed, Aug 1, 2018 at 10:48 AM, Uvindra Dias Jayasinha <uvin...@wso2.com>
> wrote:
>
>>
>>
>> On 1 August 2018 at 09:36, Ishara Cooray <isha...@wso2.com> wrote:
>>
>>> To obtain an access token using the client credentials grant we need to
>>> store the client id and client secret.
>>> How are we going to store it so that it cannot be stolen?
>>>
>>
>>
>> We need the client id and secret for the password grant type as well,
>> which are used for all other calls. We have addressed this security
>> concern already by storing the client id and secret on the server side, as
>> discussed in the mail thread [1].
>>
>> [1] API Manager UI - Storing access token in Cookie
>>
>>
>>> Also, I think it is better if we revoke the token as the user is signed
>>> up. So each sign up will need to obtain a new access token.
>>>
>>
>> So in this case there are two tokens. One for the sign up that is
>> obtained using client credentials that only has the scope for accessing the
>> sign up resource. The other is the one obtained from the password grant
>> type that is used elsewhere. I don't see a need to immediately revoke the
>> token used for the sign up invocation (it can only be used for signing up),
>> is there any specific concern you have regarding this?
>>
>>>
>>> Thanks & Regards,
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> On Tue, Jul 31, 2018 at 3:21 PM, Vithursa Mahendrarajah <
>>> vithu...@wso2.com> wrote:
>>>
>>>> + [architecture]
>>>>
>>>> On Tue, Jul 31, 2018 at 12:55 PM Kasun Thennakoon <kasu...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Rukshan,
>>>>>
>>>>> This is the current flow
>>>>>
>>>>> [image: image.png]
>>>>>
>>>>> So how do we restrict this token to talk only to the signup API? With scopes?
>>>>>>
>>>>> Yes, we get an access token for the self-signup scope only.
>>>>>
>>>>>
>>>>> Thanks
>>>>> ~KasunTe
>>>>>
>>>>>
>>>>> On Tue, Jul 31, 2018 at 11:21 AM Rukshan Premathunga <ruks...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 31, 2018 at 11:12 AM, Uvindra Dias Jayasinha <
>>>>>> uvin...@wso2.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 31 July 2018 at 10:57, Rukshan Premathunga <ruks...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 31, 2018 at 10:57 AM, Rukshan Premathunga <
>>>>>>>> ruks...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> In the sign-up case, if you take a token to talk to the signup API, is
>>>>>>>>> it also stored in the browser?
>>>>>>>>>
>>>>>>>> * In the signup case, if you take a token to talk to the signup API, is
>>>>>>>> it also stored in the browser?
>>>>>>>>
>>>>>>>
>>>>>>> In this case, yes. Since there is no user involved yet (the user has not
>>>>>>> been registered yet), it is the store that is making this call on behalf
>>>>>>> of the user so that they can get registered.
>>>>>>>
>>>>>> So how do we restrict this token to talk only to the signup API? With
>>>>>> scopes?
>>>>>>
>>>>>>>
>>>>>>>>> On Tue, Jul 31, 2018 at 10:26 AM, Fazlan Nazeem <fazl...@wso2.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Yes, since the client secret will not be known to the end users,
>>>>>>>>>> there is no threat in adding the client_credentials grant to the
>>>>>>>>>> store app.
>>>>>>>>>>
>>>>>>>>>> On Tue, Jul 31, 2018 at 10:18 AM Uvindra Dias Jayasinha <
>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> +1 for option 1, adding the client credentials capability to the
>>>>>>>>>>> store app makes sense to support this use case.
>>>>>>>>>>>
>>>>>>>>>>> On 31 July 2018 at 10:06, Kasun Thennakoon <kasu...@wso2.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> In my opinion
>>>>>>>>>>>>
>>>>>>>>>>>> Option-1: Adding client_credentials grant type to existing
>>>>>>>>>>>>> application
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Option-1 would be more appropriate here, rather than maintaining
>>>>>>>>>>>> a separate OAuth app for the self sign-up feature.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> ~KasunTe
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 30, 2018 at 9:17 PM Vithursa Mahendrarajah <
>>>>>>>>>>>> vithu...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I encountered an issue while implementing the feature to self-sign
>>>>>>>>>>>>> up a user via the UI. Access token generation using the
>>>>>>>>>>>>> client_credentials grant type is needed to call the self-sign-up
>>>>>>>>>>>>> REST API resource. As per the current implementation, we have one
>>>>>>>>>>>>> DCR application for the publisher and one for the store, which
>>>>>>>>>>>>> does not support the client_credentials grant type, hence token
>>>>>>>>>>>>> generation fails. It can be resolved in two ways:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Option-1: Adding client_credentials grant type to the
>>>>>>>>>>>>> existing application
>>>>>>>>>>>>> Option-2: Creating a new application which supports the
>>>>>>>>>>>>> client_credentials grant type
>>>>>>>>>>>>> Which one would be the better solution for this?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 4:05 PM Uvindra Dias Jayasinha <
>>>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> It's great if we can implement this in our lightweight key
>>>>>>>>>>>>>> manager so that we can support this on the UI.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25 July 2018 at 15:48, Chanaka Jayasena <chan...@wso2.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have attached the paper mockups for the user register,
>>>>>>>>>>>>>>> sign-in, and change password pages. But the Captcha is not
>>>>>>>>>>>>>>> captured in the mockups. +1 to add Captcha if that is supported.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks,
>>>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 3:44 PM Uvindra Dias Jayasinha <
>>>>>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> As far as Captcha goes, this [1] is what is already provided
>>>>>>>>>>>>>>>> by IS to achieve this. But I don't think this functionality is
>>>>>>>>>>>>>>>> available in our default lightweight key manager currently.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [1]
>>>>>>>>>>>>>>>> https://docs.wso2.com/display/IS560/User+Information+Recovery+Service
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 25 July 2018 at 15:37, Uvindra Dias Jayasinha <
>>>>>>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Can we add a Captcha to the user sign up page? This was
>>>>>>>>>>>>>>>>> one of the basic features we were missing OOB, and there were
>>>>>>>>>>>>>>>>> quite a few customers who ended up doing custom themes to add
>>>>>>>>>>>>>>>>> that functionality.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25 July 2018 at 15:18, Vithursa Mahendrarajah <
>>>>>>>>>>>>>>>>> vithu...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Isuru/Mushthaq,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks for the suggestions. Yes, +1 to add the Forgot
>>>>>>>>>>>>>>>>>> password option as well as the Sign-up option on the Sign-in
>>>>>>>>>>>>>>>>>> page. Will add the mentioned changes.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:09 PM Mushthaq Rumy <
>>>>>>>>>>>>>>>>>> musht...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> You may refer to the APIM 2.2.0 or 2.5.0 version to get an
>>>>>>>>>>>>>>>>>>> idea of how the password reset function works in the UI.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:06 PM Isuru Haththotuwa <
>>>>>>>>>>>>>>>>>>> isu...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I assume the anonymous user page is basically for users
>>>>>>>>>>>>>>>>>>>> to sign up to the system, and by that create users in the
>>>>>>>>>>>>>>>>>>>> system. This page looks OK; we basically need a new view
>>>>>>>>>>>>>>>>>>>> when the user clicks on the sign-in page, which has links
>>>>>>>>>>>>>>>>>>>> to the reset password and forgot password options. Sign-in
>>>>>>>>>>>>>>>>>>>> should have a link to the sign-up page as well.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 11:11 AM, Vithursa
>>>>>>>>>>>>>>>>>>>> Mahendrarajah <vithu...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I am working on $subject. Based on the current
>>>>>>>>>>>>>>>>>>>>> implementation, we do not have a way to create users via
>>>>>>>>>>>>>>>>>>>>> the UI. As an initial step, I am implementing the
>>>>>>>>>>>>>>>>>>>>> anonymous-user view page in the API Store. The mock UI
>>>>>>>>>>>>>>>>>>>>> design can be found below:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> [image: anonymous_view(1).jpg]
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>>>>>>>>> Mobile  : +94766695643
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Isuru H.
>>>>>>>>>>>>>>>>>>>> +94 716 358 048
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>>>>>>>>> Email : musht...@wso2.com
>>>>>>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>> Uvindra
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Mobile: 777733962
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Chanaka Jayasena
>>>>>>>>>>>>>>> Associate Tech Lead,
>>>>>>>>>>>>>>> email: chan...@wso2.com; cell: +94 77 4464006
>>>>>>>>>>>>>>> blog: http://chanaka3d.blogspot.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Kasun Thennakoon
>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>>> Mobile: +94 711661919
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>
>>>>>>>>>> Fazlan Nazeem
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> WSO2 Inc
>>>>>>>>>> Mobile : +94772338839
>>>>>>>>>> fazl...@wso2.com
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Rukshan Chathuranga.
>>>>>>>>> Software Engineer.
>>>>>>>>> WSO2, Inc.
>>>>>>>>> +94711822074
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>

-- 
Kasun Thennakoon
Software Engineer
WSO2, Inc.
Mobile: +94 711661919
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
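The controls discussed in the thread above (a token scoped only to the self-signup resource, revoking that token once a signup has gone through so a stolen copy cannot be replayed, a captcha gate in front of signup, and throttling for every product REST API), sketched as an added Python example that is not WSO2 code. The scope names, token strings, captcha store and throttle limits are constructed stand-ins for the key manager and captcha service, not API Manager identifiers.

```python
from dataclasses import dataclass, field

SIGNUP_SCOPE = "apim:self_signup"  # assumed scope name; the thread does not state it

@dataclass
class Token:
    scopes: frozenset
    revoked: bool = False

@dataclass
class ApiGuard:
    tokens: dict              # token string -> Token (stand-in for the key manager)
    captcha_answers: dict     # captcha id -> expected answer (stand-in captcha service)
    max_calls: int = 2        # throttle: calls allowed per token per window
    window_s: float = 60.0
    _calls: dict = field(default_factory=dict)

    def authorize(self, token_value, required_scope, now):
        """Checks for any product REST API: token valid, unrevoked, scoped, under throttle."""
        tok = self.tokens.get(token_value)
        if tok is None or tok.revoked:
            return "denied: unknown or revoked token"
        if required_scope not in tok.scopes:
            return "denied: missing scope " + required_scope
        recent = [t for t in self._calls.get(token_value, []) if now - t < self.window_s]
        if len(recent) >= self.max_calls:
            return "throttled"  # bounds the work one logged-in token can cause
        self._calls[token_value] = recent + [now]
        return "ok"

    def signup(self, token_value, captcha_id, captcha_answer, now):
        """Self-signup: common checks, then captcha, then revoke the token (single use)."""
        result = self.authorize(token_value, SIGNUP_SCOPE, now)
        if result != "ok":
            return result
        if self.captcha_answers.pop(captcha_id, None) != captcha_answer:
            return "denied: captcha failed"  # the challenge is consumed either way
        self.tokens[token_value].revoked = True  # a copied token is now useless
        return "ok"

def demo():
    guard = ApiGuard(tokens={"signup-tok": Token(frozenset({SIGNUP_SCOPE})),
                             "login-tok": Token(frozenset({"apim:subscribe"}))},
                     captcha_answers={"c1": "7", "c2": "4"})
    return [guard.signup("login-tok", "c1", "7", 0.0),    # login token lacks signup scope
            guard.signup("signup-tok", "c1", "7", 1.0),   # ok; token revoked afterwards
            guard.signup("signup-tok", "c2", "4", 2.0),   # replay of the same token fails
            guard.authorize("login-tok", "apim:subscribe", 3.0),
            guard.authorize("login-tok", "apim:subscribe", 4.0),
            guard.authorize("login-tok", "apim:subscribe", 5.0)]  # third call in window
```

The scope check fails before any call is counted, so a token that cannot reach an API also cannot consume that API's throttle budget.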
