+1, we need to have default throttling policies for all our REST APIs

On 1 August 2018 at 11:17, Kasun Thennakoon <kasu...@wso2.com> wrote:

> Hi Ishara,
>
> Yes. As per the offline discussion I had with Uvindra, we could prevent
> the access token issued for the self-signup scenario from being exploited by
> adding a captcha + token revoke mechanism, so the same access token can't be
> reused once it has been used for self-signup, and to get a new access token
> an anonymous user has to pass the captcha challenge. But still, the other
> product REST APIs are vulnerable to DoS attacks, since once a user gets an
> access token by logging in through the UI, it can be used to mount a DoS
> attack. So, in general, we would need to introduce a throttling policy for
> product-wide REST APIs.
>
> Thanks
> ~KasunTe
>
> On Wed, Aug 1, 2018 at 11:06 AM Ishara Cooray <isha...@wso2.com> wrote:
>
>> So in this case there are two tokens. One for the sign up that is
>> obtained using client credentials that only has the scope for accessing the
>> sign up resource. The other is the one obtained from the password grant
>> type that is used elsewhere. I don't see a need to immediately revoke the
>> token used for the sign up invocation (it can only be used for signing up),
>> is there any specific concern you have regarding this?
>>
>> I was thinking that if this signup token is stolen, one can onboard users
>> to the system and this will lead to a potential attack. Isn't it?
>> Of course, if we can have captcha validation we can mitigate this.
>>
>>
>> Thanks & Regards,
>> Ishara Cooray
>> Senior Software Engineer
>> Mobile : +9477 262 9512
>> WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> On Wed, Aug 1, 2018 at 10:48 AM, Uvindra Dias Jayasinha <uvin...@wso2.com> wrote:
>>
>>>
>>>
>>> On 1 August 2018 at 09:36, Ishara Cooray <isha...@wso2.com> wrote:
>>>
>>>> To obtain an access token using the client credentials grant we need to
>>>> store the client id and client secret.
>>>> How are we going to store it so that it cannot be stolen?
>>>>
>>>
>>>
>>> We need the client id and secret for the password grant type as well,
>>> which are used for all other calls. We have addressed this security
>>> concern already by storing the client id and secret on the server side, as
>>> discussed in the mail thread [1].
>>>
>>> [1] API Manager UI - Storing access token in Cookie
>>>
>>>
>>>> Also, I think it is better if we revoke the token as the user is signed
>>>> up. So each sign up will need to obtain a new access token.
>>>>
>>>
>>> So in this case there are two tokens. One for the sign up that is
>>> obtained using client credentials that only has the scope for accessing the
>>> sign up resource. The other is the one obtained from the password grant
>>> type that is used elsewhere. I don't see a need to immediately revoke the
>>> token used for the sign up invocation (it can only be used for signing up),
>>> is there any specific concern you have regarding this?
>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jul 31, 2018 at 3:21 PM, Vithursa Mahendrarajah <
>>>> vithu...@wso2.com> wrote:
>>>>
>>>>> + [architecture]
>>>>>
>>>>> On Tue, Jul 31, 2018 at 12:55 PM Kasun Thennakoon <kasu...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Rukshan,
>>>>>>
>>>>>> This is the current flow
>>>>>>
>>>>>> [image: image.png]
>>>>>>
>>>>>>> So how do we restrict this token to talk only to the signup API? With
>>>>>>> scopes?
>>>>>>>
>>>>>> Yes, we get an access token for the self-signup scope only.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> ~KasunTe
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 31, 2018 at 11:21 AM Rukshan Premathunga <
>>>>>> ruks...@wso2.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 31, 2018 at 11:12 AM, Uvindra Dias Jayasinha <
>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 31 July 2018 at 10:57, Rukshan Premathunga <ruks...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jul 31, 2018 at 10:57 AM, Rukshan Premathunga <
>>>>>>>>> ruks...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> In the sign-up case, if you take a token to talk to the signup API,
>>>>>>>>>> is it also stored in the browser?
>>>>>>>>>>
>>>>>>>>> * In the signup case, if you take a token to talk to the signup API,
>>>>>>>>> is it also stored in the browser?
>>>>>>>>>
>>>>>>>>
>>>>>>>> In this case, yes. Since there is no user involved yet (the user has
>>>>>>>> not been registered yet), it is the store that is making this call on
>>>>>>>> behalf of the user so that they can get registered.
>>>>>>>>
>>>>>>> So how do we restrict this token to talk only to the signup API? With
>>>>>>> scopes?
>>>>>>>
>>>>>>>>
>>>>>>>>>> On Tue, Jul 31, 2018 at 10:26 AM, Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Yes, since the client secret will not be known to the end users,
>>>>>>>>>>> there is no threat in adding the client_credentials grant to the
>>>>>>>>>>> store app.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jul 31, 2018 at 10:18 AM Uvindra Dias Jayasinha <
>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> +1 for option 1, adding the client credentials capability to
>>>>>>>>>>>> the store app makes sense to support this use case.
>>>>>>>>>>>>
>>>>>>>>>>>> On 31 July 2018 at 10:06, Kasun Thennakoon <kasu...@wso2.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> In my opinion
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Option-1: *Adding *client_credentials* grant type to
>>>>>>>>>>>>>> existing application
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Option-1 would be more appropriate here, rather than
>>>>>>>>>>>>> maintaining a separate OAuth app for the self sign-up feature.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>> ~KasunTe
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 30, 2018 at 9:17 PM Vithursa Mahendrarajah <
>>>>>>>>>>>>> vithu...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I encountered an issue while implementing the feature to
>>>>>>>>>>>>>> self-sign-up users via the UI. Access token generation using the
>>>>>>>>>>>>>> *client_credentials* grant type is needed to call the REST API
>>>>>>>>>>>>>> resource for self-sign-up. As per the current implementation, we
>>>>>>>>>>>>>> have one DCR application for the publisher and one for the store,
>>>>>>>>>>>>>> which does not support the *client_credentials* grant type, hence
>>>>>>>>>>>>>> token generation fails. It can be resolved in two ways:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Option-1: *Adding the *client_credentials* grant type to the
>>>>>>>>>>>>>> existing application
>>>>>>>>>>>>>> *Option-2: *Creating a new application which supports the
>>>>>>>>>>>>>> *client_credentials* grant type
>>>>>>>>>>>>>> Which one would be the better solution for this?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 4:05 PM Uvindra Dias Jayasinha <
>>>>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It's great if we can implement this in our lightweight key
>>>>>>>>>>>>>>> manager so that we can support this on the UI.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25 July 2018 at 15:48, Chanaka Jayasena <chan...@wso2.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have attached the paper mockups for the user register,
>>>>>>>>>>>>>>>> sign-in, and change password pages. But the Captcha is not
>>>>>>>>>>>>>>>> captured in the mockups. +1 to add Captcha if that is supported.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> thanks,
>>>>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 3:44 PM Uvindra Dias Jayasinha <
>>>>>>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As far as Captcha goes, this [1] is what is already
>>>>>>>>>>>>>>>>> provided by IS to achieve this. But I don't think this
>>>>>>>>>>>>>>>>> functionality is available in our default lightweight key
>>>>>>>>>>>>>>>>> manager currently.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [1] https://docs.wso2.com/display/IS560/User+Information+Recovery+Service
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25 July 2018 at 15:37, Uvindra Dias Jayasinha <
>>>>>>>>>>>>>>>>> uvin...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Can we add a Captcha to the user sign up page? This was
>>>>>>>>>>>>>>>>>> one of the basic features we were missing OOB and there were
>>>>>>>>>>>>>>>>>> quite a few customers who ended up doing custom themes to add
>>>>>>>>>>>>>>>>>> that functionality.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 25 July 2018 at 15:18, Vithursa Mahendrarajah <
>>>>>>>>>>>>>>>>>> vithu...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Isuru/Mushthaq,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks for the suggestions. Yes, +1 to add *Forgot
>>>>>>>>>>>>>>>>>>> password* option as well as *Sign-up* option in Sign-in
>>>>>>>>>>>>>>>>>>> page. Will add mentioned changes.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:09 PM Mushthaq Rumy <
>>>>>>>>>>>>>>>>>>> musht...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> You may refer to the APIM 2.2.0 or 2.5.0 version and get
>>>>>>>>>>>>>>>>>>>> an idea of how the password reset function works in the UI.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:06 PM Isuru Haththotuwa <
>>>>>>>>>>>>>>>>>>>> isu...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I assume the anonymous user page is basically for
>>>>>>>>>>>>>>>>>>>>> users to sign up to the system, and thereby create users
>>>>>>>>>>>>>>>>>>>>> in the system. This page looks ok; we basically need a new
>>>>>>>>>>>>>>>>>>>>> view when the user clicks on the sign in page, which has a
>>>>>>>>>>>>>>>>>>>>> link to reset password and forgot password options. Sign in
>>>>>>>>>>>>>>>>>>>>> should have a link to the sign up page as well.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 11:11 AM, Vithursa
>>>>>>>>>>>>>>>>>>>>> Mahendrarajah <vithu...@wso2.com> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I am working on $subject. Based on the current
>>>>>>>>>>>>>>>>>>>>>> implementation, we do not have a way to create users via
>>>>>>>>>>>>>>>>>>>>>> the UI. As an initial step, I am implementing the
>>>>>>>>>>>>>>>>>>>>>> anonymous-user view page in the API Store. The mock UI
>>>>>>>>>>>>>>>>>>>>>> design can be found below:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> [image: anonymous_view(1).jpg]
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>>>>>>>>>> Mobile  : +94766695643
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Isuru H.
>>>>>>>>>>>>>>>>>>>>> +94 716 358 048
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>>>>>>>>>> *Senior Software Engineer*
>>>>>>>>>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>>>>>>>>>> Email : musht...@wso2.com
>>>>>>>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>>> Uvindra
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Mobile: 777733962
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Chanaka Jayasena
>>>>>>>>>>>>>>>> Associate Tech Lead,
>>>>>>>>>>>>>>>> email: chan...@wso2.com; cell: +94 77 4464006
>>>>>>>>>>>>>>>> blog: http://chanaka3d.blogspot.com
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> *Kasun Thennakoon*
>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>>>> Mobile:+94 711661919
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>
>>>>>>>>>>> *Fazlan Nazeem*
>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>> WSO2 Inc
>>>>>>>>>>> Mobile : +94772338839
>>>>>>>>>>> fazl...@wso2.com
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Rukshan Chathuranga.
>>>>>>>>>> Software Engineer.
>>>>>>>>>> WSO2, Inc.
>>>>>>>>>> +94711822074
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>



-- 
Regards,
Uvindra

Mobile: 777733962
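The controls argued for in this thread (a client_credentials token limited to the self-signup scope and revoked once it has been used, token issuance gated behind the captcha, and a default throttling policy applied to every REST API) modelled together in one in-memory authorizer; this is an added example, not WSO2 API Manager code, and the scope names, the `AuthServer` class and its limits are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
# Scope names are placeholders; the thread only speaks of a "self signup scope".
SIGNUP_SCOPE = "self_signup"

@dataclass
class Token:
    scopes: frozenset
    single_use: bool        # True for the signup token: revoked after one use
    revoked: bool = False

class AuthServer:
    """Hypothetical in-memory model of the thread's token and throttling rules."""
    def __init__(self, rate_limit=5, window=60.0):
        self.tokens = {}    # token string -> Token
        self.hits = {}      # token string -> timestamps of accepted requests
        self.rate_limit, self.window = rate_limit, window

    def issue(self, scopes, single_use=False):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Token(frozenset(scopes), single_use)
        return tok

    def issue_signup_token(self, captcha_passed):
        # Anonymous callers get the scope-limited signup token only past the captcha.
        return self.issue([SIGNUP_SCOPE], single_use=True) if captcha_passed else None

    def revoke(self, tok):
        if tok in self.tokens:
            self.tokens[tok].revoked = True

    def authorize(self, tok, required_scope, now=None):
        """Return an HTTP-style status for a request that needs required_scope."""
        now = time.monotonic() if now is None else now
        t = self.tokens.get(tok)
        if t is None or t.revoked:
            return 401      # unknown or already-revoked token
        if required_scope not in t.scopes:
            return 403      # the signup token cannot reach any other API
        # Default throttling policy: sliding window per token, applied to every API.
        recent = [ts for ts in self.hits.get(tok, []) if now - ts < self.window]
        self.hits[tok] = recent
        if len(recent) >= self.rate_limit:
            return 429      # throttled: limits what a leaked user token can do
        recent.append(now)
        if t.single_use:
            self.revoke(tok)  # a captured signup token cannot be replayed
        return 200
```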
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
