Hi Lakmal, Imesh

Came up with another solution.

*Prerequisites*: SM's public key should be installed into the metadata service.

SM generates a key pair for each instance at the time of composite
application deployment, and that will be signed by SM.
The common name of the public key is set to the applicationID.
The generated key pair is sent to the instance as payload.
The cartridge agent generates a token (most probably a JWT token) and will sign
it using the given keys.
When calling the API, the agent sends that token with the request.
The metadata service can validate the public key of the instance since it is
signed by SM, which the metadata service already trusts.
The metadata service can do authorization using the token.

On Wed, Nov 19, 2014 at 5:42 PM, Udara Liyanage <ud...@wso2.com> wrote:

> Hi,
>
> Below is the flow which is discussed so far.
>
> 1) User/tenant deploys an application (id=appId)
> 2) SM calls IS and creates an OAuth app which will return a consumer key and
> consumer secret
> 3) SM again calls the IS with the consumer key, consumer secret and appId as the scope
> 4) IS generates a JWT token which consists of the appId
> 5) SM sends the token to the instance in the payload
> 6) When the cartridge agent calls the metadata service API, it should send the
> token
> 7) Then the metadata service can validate the token.
> 8) SM can do the authorization too by matching the appId in the token and the
> requested application id in the API call
>
> The blocking issue:
>    When the token is expired, the cartridge agent cannot renew the token since it
> does not have a username/password or refresh token.
>
>    However, for the moment, since we retrieve the metadata only at startup
> (which may change in future), we can live with it for now. But it is not an
> extensible solution.
>    As an alternative we can increase the expiration time of the token; not
> sure this is a recommended way of doing things.
>
> Your thoughts are highly appreciated.
>
>
>
> On Wed, Nov 19, 2014 at 3:14 PM, Udara Liyanage <ud...@wso2.com> wrote:
>
>> Hi,
>>
>> I installed the OAuth feature of WSO2 IS and was able to generate a token and
>> validate a token by invoking the admin services using SOAP UI. I will now
>> try to do the same with code at the time of application deployment.
>>
>> Found several issues:
>>   We already use the SSO feature, so the newest OAuth feature did not work due
>> to CNF issues.
>>   identity is not compatible with the OAuth feature
>>
>>
>> On Tue, Nov 18, 2014 at 12:59 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>
>>> Hi Sumedha,
>>>
>>>
>>> Currently "no". We need to support both Single JVM and distributed
>>> setups. For single JVM, we may need to install either the API manager
>>> key-manager feature or the IS OAuth feature.
>>>
>>> On Tue, Nov 18, 2014 at 12:31 PM, Sumedha Rubasinghe <
>>> sumedh...@gmail.com> wrote:
>>>
>>>> Udara,
>>>> Do you have WSO2 API Manager/IS running?
>>>>
>>>> On Tue, Nov 18, 2014 at 11:00 AM, Udara Liyanage <ud...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Currently we use username/password based authentication when retrieving
>>>>> and publishing metadata via the metadata service API. The issue with this
>>>>> approach is that one client can access/alter another app's data if it knows the
>>>>> application id.
>>>>> I suggest using OAuth to secure resources and let the client access
>>>>> only the metadata related to its application.
>>>>> I am doing R&D on possible ways of accomplishing this task and will
>>>>> update the thread on my findings. Currently I am assessing the feasibility of
>>>>> the WSO2 IS OAuth feature and the WSO2 APIM key manager feature.
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Udara Liyanage
>>>>> Software Engineer
>>>>> WSO2, Inc.: http://wso2.com
>>>>> lean. enterprise. middleware
>>>>>
>>>>> web: http://udaraliyanage.wordpress.com
>>>>> phone: +94 71 443 6897
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>




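The key-chaining flow proposed at the top of this thread (SM signs each instance's public key bound to its application ID, the cartridge agent signs a token with the instance key, the metadata service trusts only SM's public key and checks both signatures plus the appId before serving a request), worked through as an added example that is not code from the thread or from Stratos/WSO2. The ECDSA P-256 choice, the function names, the "claims.signature" token shape (a JWT reduced to its claims and signature) and the appId-to-key binding format are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// keyDigest binds an instance public key to its application id (the proposed "common name").
// Simplified: a real deployment would sign an X.509 certificate or the PKIX-encoded key.
func keyDigest(appID string, pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append(append([]byte(appID+"|"), pub.X.Bytes()...), pub.Y.Bytes()...))
	return h[:]
}

// IssueInstanceKey runs on SM at deployment: a fresh key pair per instance whose public
// half SM signs; the key pair and SM's signature go to the instance as payload.
func IssueInstanceKey(smKey *ecdsa.PrivateKey, appID string) (*ecdsa.PrivateKey, []byte) {
	instKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	smSig, _ := ecdsa.SignASN1(rand.Reader, smKey, keyDigest(appID, &instKey.PublicKey))
	return instKey, smSig
}

// MintToken runs in the cartridge agent: a JWT-style "claims.signature" token
// (base64url, signature as ASN.1 DER rather than JOSE r||s) signed with the instance key.
func MintToken(instKey *ecdsa.PrivateKey, appID string) string {
	claims, _ := json.Marshal(map[string]string{"appId": appID})
	h := sha256.Sum256(claims)
	sig, _ := ecdsa.SignASN1(rand.Reader, instKey, h[:])
	return base64.RawURLEncoding.EncodeToString(claims) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Authorize runs in the metadata service, which holds only smPub as its trust anchor.
// The instance presents (instAppID, instPub, smSig) from its payload plus the token.
func Authorize(smPub, instPub *ecdsa.PublicKey, instAppID string, smSig []byte, token, reqAppID string) bool {
	c64, s64, _ := strings.Cut(token, ".") // a token without "." yields an empty signature and fails below
	claims, errC := base64.RawURLEncoding.DecodeString(c64)
	sig, errS := base64.RawURLEncoding.DecodeString(s64)
	h := sha256.Sum256(claims)
	var body struct{ AppID string `json:"appId"` }
	return ecdsa.VerifyASN1(smPub, keyDigest(instAppID, instPub), smSig) && // SM vouches for the instance key
		errC == nil && errS == nil && ecdsa.VerifyASN1(instPub, h[:], sig) && // the key vouches for the token
		json.Unmarshal(claims, &body) == nil && // claims parse
		body.AppID == instAppID && body.AppID == reqAppID // appId in the token matches key binding and request
}
```

A token for another application, a token signed by a key SM never signed, or a request for a different application than the one the key is bound to all fail the same check, which is what closes the "any client can read another app's metadata" gap raised earlier in the thread.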