Hi,

Currently, the authentication handlers of the Stratos REST API check whether the
user is valid. If the user is valid, the API call is allowed to proceed, but no
user information is set in the Carbon context. This is OK since the CC and AS
services are not secured services. The issue occurs when a component tries to
call an admin service. In order to call an admin service, a username/password or
a session is required.

For example, the AS needs to call IS admin services in order to create a token.
The normal way of calling an admin service is to first obtain a session by
calling the AuthenticationAdmin admin service with a username and password, then
use the obtained token for subsequent admin calls [1]. However, by the time the
API call hits the Carbon components, no user information is included.

Currently, as an alternative, I added a JWT authenticator, which authenticates
every admin call.
I think authenticating each admin call using the JWT authenticator is an
overhead since it consists of encrypting messages.

Possible solutions that came to my mind:

1) Add OAuth to the Stratos API too.
2) The user gets a session the first time and uses it for subsequent calls.
There are two sessions: one between the user and the Stratos web app, and a
second between the web app and Carbon. When a user first calls the /login API
with a username/password, it calls AuthenticationAdmin and gets a session, which
is sent back to the client, who uses it for subsequent calls. Currently the
/session endpoint does a similar thing; however, it returns a session in the web
app, not from Carbon.

3) Stratos authentication handlers call the Carbon authentication handlers
directly.
I am not very clear about the workflow; however, rather than duplicating the
authentication handlers in the Stratos web app, it may be better to call the
Carbon authentication handlers.

What are the best practices in this kind of scenario? I would like to see some
responses.



[1] http://nuwanwimalasekara.blogspot.com/2013/02/invoking-wso2-carbon-admin-services.html

-- 

Udara Liyanage
Software Engineer
WSO2, Inc.: http://wso2.com
lean. enterprise. middleware

web: http://udaraliyanage.wordpress.com
phone: +94 71 443 6897
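Option 2 from the message above, written out as an added example; this is not code from the original message, from Stratos or from Carbon. The web app logs in to Carbon's AuthenticationAdmin once, keeps the returned JSESSIONID cookie server-side, and hands the client only an opaque random token, so the two sessions the message describes stay separate and the Carbon cookie never reaches the browser. The login operation's parameter names and the namespace http://authentication.services.core.carbon.wso2.org are assumed from WSO2's published service contract, and both HTTP responses are constructed inline, so nothing is sent on the wire.

```python
"""Added example (not Stratos/Carbon code): one Carbon session per user login.

Assumptions, not taken from the message above:
  - AuthenticationAdmin.login takes username, password and remoteAddress in the
    namespace http://authentication.services.core.carbon.wso2.org and returns
    the session as a JSESSIONID Set-Cookie header.
  - The HTTP responses below are constructed by hand, not captured from a server.
"""
import secrets
import time
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple
from xml.sax.saxutils import escape

AUTH_NS = "http://authentication.services.core.carbon.wso2.org"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_login_envelope(username: str, password: str, remote_address: str) -> str:
    """SOAP 1.1 request for AuthenticationAdmin.login(username, password, remoteAddress).

    Every value is XML-escaped so a password such as 'p<a&ss' cannot break out
    of its element and inject extra SOAP content.
    """
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:aut="{AUTH_NS}">'
        "<soapenv:Header/><soapenv:Body><aut:login>"
        f"<aut:username>{escape(username)}</aut:username>"
        f"<aut:password>{escape(password)}</aut:password>"
        f"<aut:remoteAddress>{escape(remote_address)}</aut:remoteAddress>"
        "</aut:login></soapenv:Body></soapenv:Envelope>"
    )


def session_cookie_from_response(raw_response: bytes) -> Optional[str]:
    """Return 'JSESSIONID=<value>' from the Set-Cookie headers, or None if absent."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            if "JSESSIONID" in jar:
                return f"JSESSIONID={jar['JSESSIONID'].value}"
    return None


def login_succeeded(raw_response: bytes) -> bool:
    """True only if the SOAP body carries <return>true</return> from loginResponse."""
    _, _, body = raw_response.partition(b"\r\n\r\n")
    ret = ET.fromstring(body).find(f".//{{{AUTH_NS}}}return")
    return ret is not None and (ret.text or "").strip() == "true"


class CarbonSessionBroker:
    """Server-side map from an opaque client token to the Carbon session cookie.

    The client holds only the random token, so a leaked token is revoked here
    without touching Carbon, and the two sessions have independent lifetimes.
    """

    def __init__(self, ttl_seconds: int = 15 * 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._sessions: Dict[str, Tuple[str, str, float]] = {}  # token -> (user, cookie, expiry)

    def register(self, username: str, carbon_cookie: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, carbon_cookie, self._clock() + self._ttl)
        return token

    def is_active(self, token: str) -> bool:
        entry = self._sessions.get(token)
        if entry is None:
            return False
        if self._clock() >= entry[2]:
            del self._sessions[token]  # lazy expiry; Carbon's own timeout still applies
            return False
        return True

    def admin_call_headers(self, token: str) -> Dict[str, str]:
        """Headers for a subsequent admin-service call made on the user's behalf."""
        if not self.is_active(token):
            raise PermissionError("unknown or expired session token")
        _, cookie, _ = self._sessions[token]
        return {"Cookie": cookie, "Content-Type": "text/xml; charset=UTF-8"}

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def establish_session(broker: CarbonSessionBroker, username: str,
                      raw_login_response: bytes) -> str:
    """Map Carbon's login response to a client token; refuse on any failure."""
    cookie = session_cookie_from_response(raw_login_response)
    if cookie is None or not login_succeeded(raw_login_response):
        raise PermissionError("Carbon rejected the credentials")
    return broker.register(username, cookie)


# Constructed responses (not captured from a real Carbon server).
LOGIN_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/xml;charset=UTF-8\r\n"
    b"Set-Cookie: JSESSIONID=9F1C2A7B3D; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
    b'<ns:loginResponse xmlns:ns="http://authentication.services.core.carbon.wso2.org">'
    b"<ns:return>true</ns:return></ns:loginResponse></soapenv:Body></soapenv:Envelope>"
)
LOGIN_DENIED = LOGIN_OK.replace(
    b"Set-Cookie: JSESSIONID=9F1C2A7B3D; Path=/; Secure; HttpOnly\r\n", b""
).replace(b"<ns:return>true", b"<ns:return>false")

if __name__ == "__main__":
    broker = CarbonSessionBroker()
    client_token = establish_session(broker, "admin", LOGIN_OK)
    print("client token:", client_token)
    print("headers for next admin call:", broker.admin_call_headers(client_token))
```

The check a practitioner wants here is the negative path: a login response without a JSESSIONID, or with `<return>false</return>`, must never produce a client token, and an expired or unknown token must never be mapped to a Carbon cookie. Revoking a client token with `logout` drops the mapping immediately; the Carbon session itself still runs until Carbon's own timeout unless you also call AuthenticationAdmin's logout with the stored cookie.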
