Hi, I tried the oAuth approach as mentioned above.
I face a few blockers since the IS released version does not fully support JWT creation. This is fixed in the coming release. Then as an alternative I tried adding a new grant type to achieve the task. Unfortunately it is also not fully supported. As a workaround I tried writing a custom handler to handle an existing grant type. I succeeded in creating a JWT token which consists of the application id. I will start on integrating this with the metadata service now.

On Thu, Nov 20, 2014 at 1:41 PM, Nguyen Anh Tu <ng.t...@gmail.com> wrote:
> CloudFoundry currently uses Oauth2 in their uaa service.
> I'm +1.
>
> --Tuna
>
> On Thu, Nov 20, 2014 at 2:48 PM, Lakmal Warusawithana <lak...@wso2.com> wrote:
>
>> I'm +1 for oAuth with non expiry token.
>>
>> On Thu, Nov 20, 2014 at 12:39 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>
>>> Hi Lakmal, Imesh
>>>
>>> Came up with another solution.
>>>
>>> *Prerequisites* : SM's public key should be installed into metadata service
>>>
>>> SM generates a key pair for each instance at the time of composite application deployment and that will be signed by SM
>>> Common name of the public key is set to applicationID
>>> generated key pair is sent to the instance as payload
>>> Cartridge agent generates a token (most probably a JWT token) and will sign it using the given keys
>>> When calling API, agent sends that token with the request
>>> Metadata service can validate the public key of the instance since it is signed by SM which metadata service already trusts.
>>> Metadata service can do authorization using token.
>>>
>>> On Wed, Nov 19, 2014 at 5:42 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Below is the flow which is discussed so far.
>>>>
>>>> 1) User/tenant deploys an application id=appId
>>>> 2) SM calls IS and creates an oAuth APP which will return consumer key and consumer secret
>>>> 3) SM again calls the IS with consumer keys, secrets and appid as the scope
>>>> 4) IS generates a JWT token which consists of the appid
>>>> 5) SM sends the token to the instance in payload
>>>> 6) When cartridge agent calls metadata service API, it should send the token
>>>> 7) Then metadata service can validate the token.
>>>> 8) SM can do the authorization too by matching the appid in token and requested application id in API call
>>>>
>>>> The blocking issue:
>>>> When token is expired, cartridge agent can not renew the token since it does not have username/password or refresh token.
>>>>
>>>> However for the moment since we retrieve the metadata only at startup (which may change in future) we can live with it for now. But it is not an extensible solution.
>>>> As an alternative we can increase the expiration time of the token, not sure this is a recommended way of doing things.
>>>>
>>>> Your thoughts are highly appreciated.
>>>>
>>>> On Wed, Nov 19, 2014 at 3:14 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I installed OAuth feature of WSO2 IS and was able to generate a token and validate a token by invoking the admin services using SOAP UI. I will now try to do the same with code at the time of application deployment.
>>>>>
>>>>> Found several issues
>>>>> We already use SSO feature, so newest oauth feature did not work due to CNF issues.
>>>>> identity is not compatible with oauth feature
>>>>>
>>>>> On Tue, Nov 18, 2014 at 12:59 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>>>>
>>>>>> Hi Sumedha,
>>>>>>
>>>>>> Currently "no". We need to support both Single JVM and distributed setups. For single JVM, we may need to install either API manager key-manager feature or IS oAuth feature.
>>>>>>
>>>>>> On Tue, Nov 18, 2014 at 12:31 PM, Sumedha Rubasinghe <sumedh...@gmail.com> wrote:
>>>>>>
>>>>>>> Udara,
>>>>>>> Do you have WSO2 API Manager/IS running?
>>>>>>>
>>>>>>> On Tue, Nov 18, 2014 at 11:00 AM, Udara Liyanage <ud...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Currently we use username/password based authentication when retrieving and publishing metadata via metadata service API. The issue with this approach is one client can access/alter other app's data if it knows the application id.
>>>>>>>> I suggest to use oAuth to secure resources and let the client access only the metadata related to its application.
>>>>>>>> I am doing R&D on possible ways of accomplishing this task and will update the thread on my findings. Currently I am assessing the feasibility of WSO2 IS Oauth feature and WSO2 APIM key manager feature.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Udara Liyanage
>>>>>>>> Software Engineer
>>>>>>>> WSO2, Inc.: http://wso2.com
>>>>>>>> lean. enterprise. middleware
>>>>>>>>
>>>>>>>> web: http://udaraliyanage.wordpress.com
>>>>>>>> phone: +94 71 443 6897
>>
>> --
>> Lakmal Warusawithana
>> Vice President, Apache Stratos
>> Director - Cloud Architecture; WSO2 Inc.
>> Mobile : +94714289692
>> Blog : http://lakmalsview.blogspot.com/
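The key-pair scheme from the Nov 20 message (SM signs a per-instance key whose certificate CN is the application id, the cartridge agent mints a JWT with that key, the metadata service checks the certificate against the SM it trusts and authorizes on the app id) carried through in working Go, as an added example that is not from this thread nor from Apache Stratos or WSO2 code. It assumes the `app_id` claim name, an SM root CN of `stratos-sm`, RS256 signing, and the function names `issueCert`, `mintJWT` and `verifyRequest`; keys and certificates are generated inline, so it runs offline. The `now` parameter on the verifier is where the thread's expiry problem bites: once the token's `exp` passes, the agent is refused until it obtains a new one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the token body; the "app_id" claim name is an assumption of this example.
type Claims struct {
	AppID string `json:"app_id"`
	Exp   int64  `json:"exp"`
}

// issueCert plays the SM as issuer: the certificate CN is the application id.
// A nil parent yields the self-signed SM root that the metadata service trusts.
func issueCert(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // setup failure on the (simulated) SM side
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return cert
}

// mintJWT is the cartridge agent: an RS256 JWT signed with the instance key.
func mintJWT(appID string, key *rsa.PrivateKey, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{AppID: appID, Exp: time.Now().Add(ttl).Unix()})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRequest is the metadata service: the certificate must chain to the SM root, the
// token must be signed by that certificate's key and be unexpired, and token app id, CN and
// requested app id must all agree. The header "alg" is ignored: only RS256 is accepted.
func verifyRequest(token string, cert *x509.Certificate, roots *x509.CertPool, requestedAppID string, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by SM: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	parts := strings.Split(token, ".")
	if !ok || len(parts) != 3 {
		return errors.New("unsupported key type or malformed token")
	}
	sig, err1 := b64.DecodeString(parts[2])
	body, err2 := b64.DecodeString(parts[1])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err1 != nil || err2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("malformed token or bad signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil || now.Unix() >= c.Exp {
		return errors.New("unparseable or expired token")
	}
	if c.AppID != cert.Subject.CommonName || c.AppID != requestedAppID {
		return errors.New("app id mismatch: not authorized for this application")
	}
	return nil
}

func main() {
	smKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // SM's own key
	instKey, _ := rsa.GenerateKey(rand.Reader, 2048) // per-instance key, sent as payload
	root := issueCert("stratos-sm", &smKey.PublicKey, nil, smKey, true) // CN is constructed
	leaf := issueCert("app-1", &instKey.PublicKey, root, smKey, false)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	tok, _ := mintJWT("app-1", instKey, time.Hour)
	fmt.Println("own app:  ", verifyRequest(tok, leaf, roots, "app-1", time.Now()))
	fmt.Println("other app:", verifyRequest(tok, leaf, roots, "app-2", time.Now()))
}
```

The second call in `main` is the case the first message in the thread worried about: a client that knows another application's id. Because the metadata service compares the requested id against both the token claim and the SM-signed CN, an instance can only reach its own application's metadata, and a certificate the SM never signed is rejected before the token is even parsed.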