I'm +1 for OAuth with a non-expiring token.

On Thu, Nov 20, 2014 at 12:39 PM, Udara Liyanage <ud...@wso2.com> wrote:

> Hi Lakmal, Imesh
>
> Came up with another solution.
>
> *Prerequisites* : SM's public key should be installed into metadata
> service
>
> SM generates a key pair for each instance at the time of composite
> application deployment and that will be signed by SM.
> The common name of the public key is set to the applicationID.
> The generated key pair is sent to the instance as payload.
> The cartridge agent generates a token (most probably a JWT token) and will
> sign it using the given keys.
> When calling the API, the agent sends that token with the request.
> Metadata service can validate the public key of the instance since it is
> signed by SM which metadata service already trusts.
> Metadata service can do authorization using token.
>
> On Wed, Nov 19, 2014 at 5:42 PM, Udara Liyanage <ud...@wso2.com> wrote:
>
>> Hi,
>>
>> Below is the flow which is discussed so far.
>>
>> 1) User/tenant deploys an application with id=appId
>> 2) SM calls IS and creates an OAuth app which will return a consumer key
>> and consumer secret
>> 3) SM again calls the IS with consumer keys, secrets and appid as the
>> scope
>> 4) IS generates a JWT token which consists of the appid
>> 5) SM sends the token to the instance in payload
>> 6) When cartridge agent calls metadata service API, it should send the
>> token
>> 7) Then the metadata service can validate the token.
>> 8) SM can do the authorization too by matching the appid in token and
>> requested application id in API call
>>
>> The blocking issue:
>>    When the token is expired, the cartridge agent cannot renew the token
>> since it does not have a username/password or refresh token.
>>
>>    However, for the moment, since we retrieve the metadata only at startup
>> (which may change in future) we can live with it for now. But it is not an
>> extensible solution.
>>    As an alternative we can increase the expiration time of the token;
>> not sure this is a recommended way of doing things.
>>
>> Your thoughts are highly appreciated.
>>
>>
>>
>> On Wed, Nov 19, 2014 at 3:14 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> I installed the OAuth feature of WSO2 IS and was able to generate a token
>>> and validate a token by invoking the admin services using SOAP UI. I will
>>> now try to do the same with code at the time of application deployment.
>>>
>>> Found several issues:
>>>   We already use the SSO feature, so the newest OAuth feature did not work
>>> due to CNF issues.
>>>   Identity is not compatible with the OAuth feature.
>>>
>>>
>>> On Tue, Nov 18, 2014 at 12:59 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>>
>>>> Hi Sumedha,
>>>>
>>>>
>>>> Currently "no". We need to support both single JVM and distributed
>>>> setups. For single JVM, we may need to install either the API manager
>>>> key-manager feature or the IS OAuth feature.
>>>>
>>>> On Tue, Nov 18, 2014 at 12:31 PM, Sumedha Rubasinghe <
>>>> sumedh...@gmail.com> wrote:
>>>>
>>>>> Udara,
>>>>> Do you have WSO2 API Manager/IS running?
>>>>>
>>>>> On Tue, Nov 18, 2014 at 11:00 AM, Udara Liyanage <ud...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Currently we use username/password based authentication when
>>>>>> retrieving and publishing metadata via the metadata service API. The
>>>>>> issue with this approach is that one client can access/alter another
>>>>>> app's data if it knows the application id.
>>>>>> I suggest using OAuth to secure resources and let the client access
>>>>>> only the metadata related to its application.
>>>>>> I am doing R&D on possible ways of accomplishing this task and will
>>>>>> update the thread on my findings. Currently I am assessing the
>>>>>> feasibility of the WSO2 IS OAuth feature and the WSO2 APIM key manager
>>>>>> feature.
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Udara Liyanage
>>>>>> Software Engineer
>>>>>> WSO2, Inc.: http://wso2.com
>>>>>> lean. enterprise. middleware
>>>>>>
>>>>>> web: http://udaraliyanage.wordpress.com
>>>>>> phone: +94 71 443 6897
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>



-- 
Lakmal Warusawithana
Vice President, Apache Stratos
Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692
Blog : http://lakmalsview.blogspot.com/
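The flow quoted above leaves two checks to the metadata service: validate the JWT (step 7) and then compare the appid bound into the token with the application id in the API call (step 8), which is what stops an instance holding a token for one application from reading or altering another application's metadata. The following is an added example of those two checks, written for this thread and not code from Stratos, WSO2 IS or the thread's authors. It assumes an HS256 token over a constructed shared secret so that it runs with the Python standard library alone (IS would normally sign with an RSA key, and the metadata service would verify with the public key or a validation endpoint); the claim names `appid` and `scope`, the issuer string and the `TokenError` type are also assumptions. Minting with `ttl_seconds=None` produces the non-expiring token discussed in the thread, so the same verifier shows both the expiry failure that blocks the cartridge agent and the trade-off of dropping `exp` altogether.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret standing in for the key material shared between the
# token issuer (IS in the thread) and the metadata service. HS256 is assumed
# here to keep the example stdlib-only; IS would normally sign with RS256.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(app_id: str, ttl_seconds: Optional[int], now: Optional[int] = None) -> str:
    """Stand-in for step 4: the issuer mints a JWT carrying the app id as its scope.
    ttl_seconds=None omits "exp" and so produces the non-expiring token from the thread."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "stratos-sm", "scope": app_id, "appid": app_id, "iat": now}
    if ttl_seconds is not None:
        claims["exp"] = now + ttl_seconds
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TokenError(Exception):
    """Raised for any token the metadata service must not trust."""


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Step 7: check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm before trusting the signature, so a header of "alg": "none"
    # or any other algorithm is rejected outright.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(
        SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    # A token without "exp" never expires: that is the trade-off of the non-expiring
    # token, which then relies on revocation at the issuer instead of a time limit.
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def authorize_metadata_request(token: str, requested_app_id: str, now: Optional[int] = None) -> str:
    """Step 8: the app id bound into the token must equal the app id in the API call,
    so a valid token for app1 still cannot read or alter app2's metadata."""
    try:
        claims = verify_token(token, now)
    except TokenError as err:
        return f"deny: {err}"
    if claims.get("appid") != requested_app_id:
        return "deny: token scoped to another application"
    return "allow"


if __name__ == "__main__":
    token = mint_token("app1", ttl_seconds=3600, now=1000)
    print(authorize_metadata_request(token, "app1", now=1500))   # allow
    print(authorize_metadata_request(token, "app2", now=1500))   # deny: scoped to another app
    print(authorize_metadata_request(token, "app1", now=5000))   # deny: expired
    forever = mint_token("app1", ttl_seconds=None, now=1000)
    print(authorize_metadata_request(forever, "app1", now=10**9))  # allow
```

The deny reasons are returned rather than raised so the metadata service can log them per request; in the expired case the agent in the thread has no refresh token and so the only recovery is a new payload from SM, which is the situation the thread is weighing against a non-expiring token.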
