What if we include the scopes as properties when generating synapse definition. In each resource we can add properties where property key identifies the resource uniquely and property value specifies the scopes. In synapse config if the same resource path is used with multiple http methods, then only one <resource> tag will be created. So in property key value we should incorporate http method and resource path both in order to uniquely identify the resource.
On Tue, Feb 26, 2019 at 11:13 AM Chathura Ekanayake <chath...@wso2.com> wrote: > @Chamod Samarajeewa <cha...@wso2.com> if we send username, password and > resource to the KM, can't we get the required result from a single call to > KM? > > Agree with Nuwan that we can reduce a DB call at KM if we store scopes in > synapse definition. Then we can sent username, password and scope (instead > of resource) to the KM. > > On Thu, Feb 21, 2019 at 2:33 PM Nuwan Dias <nuw...@wso2.com> wrote: > >> Yes, if we can maintain the resources and their respective scopes at the >> synapse definition, we can avoid doing another call to KM (and the DB) at >> the point of token validation. >> >> Also Chamod I guess we will have to come up with a design of how to keep >> those information in the synapse XML. >> >> On Thu, Feb 21, 2019 at 2:27 PM Chamod Samarajeewa <cha...@wso2.com> >> wrote: >> >>> Hi all, >>> >>> We have currently used the AuthenticationAdmin service to authenticate a >>> user given the username and password(Basic Authentication). The next step >>> is to validate whether the scopes bound to a resource are matched with the >>> user roles. In this case, we might have to access the KeyManager several >>> times as mentioned below. >>> >>> 1) Validate user based on username and password >>> 2) To check whether the resource has a scope and if so request the scopes >>> 3) Request user roles if scopes are bound to the resource >>> >>> We thought we can minimize the performance degradation which can happen >>> due to multiple requests to the Key Manager as below. >>> >>> *Solution :* >>> >>> When a user publishes an API, the scopes bound to the API should be >>> added to the Synapse-config. Then, at the runtime we can read the synapse >>> configuration of API to check whether the resource has a scope bound and if >>> so what are the scopes without calling the Key Manager. >>> >>> I would really appreciate any feedback. Thank you. >>> >>> Best regards, >>> Chamod. >>> >>> >>> On Sat, Feb 16, 2019 at 9:10 PM Chamod Samarajeewa <cha...@wso2.com> >>> wrote: >>> >>>> Hi Harsha, >>>> >>>> Yes, the user can expose API either OAuth, Basic auth or even both with >>>> this implementation. Thank you. >>>> >>>> Best Regards, >>>> Chamod. >>>> >>>> On Fri, Feb 15, 2019 at 9:34 PM Harsha Kumara <hars...@wso2.com> wrote: >>>> >>>>> Hi Chamod, >>>>> >>>>> Can user choose to expose API either OAuth or Basic authentication >>>>> with this implementation? >>>>> >>>>> We need to provide basic authentication agaist user store configured >>>>> in the key manager. Because most of the timee, gateway won't share user >>>>> stores. Please add the local user store authentication support as well. We >>>>> need to look for possible caching mechanism for this. >>>>> >>>>> Since we do have mutual authentication as a security scheme, check the >>>>> best way of providing the basic authentication >>>>> >>>>> Thanks, >>>>> Harsha >>>>> >>>>> On Fri, Feb 15, 2019 at 9:07 PM Chamod Samarajeewa <cha...@wso2.com> >>>>> wrote: >>>>> >>>>>> Adding architecture@wso2.org >>>>>> >>>>>> On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <hars...@wso2.com> >>>>>> wrote: >>>>>> >>>>>>> Hi Chamod, >>>>>>> >>>>>>> Can user choose to expose API either OAuth or Basic authentication >>>>>>> with this implementation? >>>>>>> >>>>>>> We need to provide basic authentication agaist user store configured >>>>>>> in the key manager. Because most of the timee, gateway won't share user >>>>>>> stores. Please add the local user store authentication support as well. >>>>>>> We >>>>>>> need to look for possible caching mechanism for this. >>>>>>> >>>>>>> Since we do have mutual authentication as a security scheme, check >>>>>>> the best way of providing the basic authentication >>>>>>> >>>>>>> Thanks, >>>>>>> Harsha >>>>>>> >>>>>>> On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <cha...@wso2.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Adding architect...@wso2.com. >>>>>>>> >>>>>>>> >>>>>>>> ---------- Forwarded message --------- >>>>>>>> From: Nuwan Dias <nuw...@wso2.com> >>>>>>>> Date: Fri, Feb 15, 2019 at 3:01 PM >>>>>>>> Subject: Re: Basic Authentication for APIM Gateway >>>>>>>> To: Chamod Samarajeewa <cha...@wso2.com> >>>>>>>> Cc: Architecture Team <architecture-t...@wso2.com>, APIM Team < >>>>>>>> apim-gr...@wso2.com> >>>>>>>> >>>>>>>> >>>>>>>> Chamod, this email should be sent to architecture@wso2.org. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> NuwanD. >>>>>>>> >>>>>>>> On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <cha...@wso2.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hi All, >>>>>>>>> >>>>>>>>> I have included the information in the Github issue here as well. >>>>>>>>> >>>>>>>>> *Requirements* >>>>>>>>> >>>>>>>>> >>>>>>>>> Provide authentication for APIM Gateway with basic authentication >>>>>>>>> which uses usernames and passwords. >>>>>>>>> >>>>>>>>> *Introduction* >>>>>>>>> >>>>>>>>> >>>>>>>>> Providing feature of enabling basic authentication security schema >>>>>>>>> to product APIM Gateway along with OAuth2 token-based authentication. >>>>>>>>> The >>>>>>>>> user will be benefited with using only OAuth2 token based >>>>>>>>> authentication >>>>>>>>> alone, using basic authentication alone and using both schemas at the >>>>>>>>> same >>>>>>>>> time. >>>>>>>>> >>>>>>>>> >>>>>>>>> *Approach* >>>>>>>>> >>>>>>>>> >>>>>>>>> [image: Basic Auth - APIM-GW-2.jpg] >>>>>>>>> >>>>>>>>> curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu"; >>>>>>>>> -H "accept: application/json" -H "Authorization: Basic $(echo -n >>>>>>>>> username:password | base64)" >>>>>>>>> >>>>>>>>> The API Authentication Handler will forward the request to Basic >>>>>>>>> Auth Authenticator or OAuth Authenticator based on the authorization >>>>>>>>> header >>>>>>>>> of the request. >>>>>>>>> >>>>>>>>> Thank you. Regards. >>>>>>>>> >>>>>>>>> On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa < >>>>>>>>> cha...@wso2.com> wrote: >>>>>>>>> >>>>>>>>>> Hi All, >>>>>>>>>> >>>>>>>>>> I'm working on developing a new feature for APIM Gateway to >>>>>>>>>> provide Basic Authentication support. You can find the details in the >>>>>>>>>> following Github issue [1]. >>>>>>>>>> >>>>>>>>>> I would really appreciate any feedback. Thank you. >>>>>>>>>> >>>>>>>>>> Best regards, >>>>>>>>>> Chamod. >>>>>>>>>> >>>>>>>>>> [1] - https://github.com/wso2/carbon-apimgt/issues/5986 >>>>>>>>>> -- >>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com> >>>>>>>>>> GET INTEGRATION AGILE >>>>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com> >>>>>>>>> GET INTEGRATION AGILE >>>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Nuwan Dias* | Director | WSO2 Inc. >>>>>>>> (m) +94 777 775 729 | (e) nuw...@wso2.com >>>>>>>> [image: Signature.jpg] >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com> >>>>>>>> GET INTEGRATION AGILE >>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> >>>>>>> *Harsha Kumara* >>>>>>> >>>>>>> Associate Technical Lead, WSO2 Inc. >>>>>>> Mobile: +94775505618 >>>>>>> Email: hars...@wso2.coim >>>>>>> Blog: harshcreationz.blogspot.com >>>>>>> >>>>>>> GET INTEGRATION AGILE >>>>>>> Integration Agility for Digitally Driven Business >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com> >>>>>> GET INTEGRATION AGILE >>>>>> Integration Agility for Digitally Driven Business >>>>>> _______________________________________________ >>>>>> Architecture mailing list >>>>>> Architecture@wso2.org >>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>> >>>>> >>>>> >>>>> -- >>>>> >>>>> *Harsha Kumara* >>>>> >>>>> Associate Technical Lead, WSO2 Inc. >>>>> Mobile: +94775505618 >>>>> Email: hars...@wso2.coim >>>>> Blog: harshcreationz.blogspot.com >>>>> >>>>> GET INTEGRATION AGILE >>>>> Integration Agility for Digitally Driven Business >>>>> _______________________________________________ >>>>> Architecture mailing list >>>>> Architecture@wso2.org >>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>> >>>> >>>> >>>> -- >>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com> >>>> GET INTEGRATION AGILE >>>> Integration Agility for Digitally Driven Business >>>> >>> >>> >>> -- >>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com> >>> GET INTEGRATION AGILE >>> Integration Agility for Digitally Driven Business >>> >> >> >> -- >> *Nuwan Dias* | Director | WSO2 Inc. >> (m) +94 777 775 729 | (e) nuw...@wso2.com >> [image: Signature.jpg] >> _______________________________________________ >> Architecture mailing list >> Architecture@wso2.org >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > -- *Rajith Roshan* | Senior Software Engineer | WSO2 Inc. (m) +94-717-064-214 | (e) raji...@wso2.com <shen...@wso2.com> <https://wso2.com/signature>
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
