Hi Udara,

As I know you completed this task, can you please send information on using
this feature?

Thanks

On Fri, Nov 28, 2014 at 2:57 PM, Udara Liyanage <ud...@wso2.com> wrote:

> Hi,
>
> I tried the OAuth approach as mentioned above.
>
> I faced a few blockers since the released IS version does not fully support
> JWT creation. This is fixed in the coming release.
> Then as an alternative I tried adding a new grant type to achieve the
> task. Unfortunately it is also not fully supported.
>
> As a workaround I tried writing a custom handler to handle an existing
> grant type. I succeeded in creating a JWT token which consists of the
> application id.
>
> I will start on integrating this to metadata service now.
>
>
> On Thu, Nov 20, 2014 at 1:41 PM, Nguyen Anh Tu <ng.t...@gmail.com> wrote:
>
>> CloudFoundry currently uses OAuth2 in their UAA service.
>> I'm +1.
>>
>> --Tuna
>>
>> On Thu, Nov 20, 2014 at 2:48 PM, Lakmal Warusawithana <lak...@wso2.com>
>> wrote:
>>
>>> I'm +1 for OAuth with a non-expiring token.
>>>
>>> On Thu, Nov 20, 2014 at 12:39 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>>
>>>> Hi Lakmal, Imesh
>>>>
>>>> Came up with another solution.
>>>>
>>>> *Prerequisites*: SM's public key should be installed into the metadata
>>>> service.
>>>>
>>>> SM generates a key pair for each instance at the time of composite
>>>> application deployment, and that will be signed by SM.
>>>> The common name of the public key is set to the applicationID.
>>>> The generated key pair is sent to the instance as payload.
>>>> The cartridge agent generates a token (most probably a JWT token) and will
>>>> sign it using the given keys.
>>>> When calling the API, the agent sends that token with the request.
>>>> The metadata service can validate the public key of the instance since it
>>>> is signed by SM, which the metadata service already trusts.
>>>> The metadata service can do authorization using the token.
>>>>
>>>> On Wed, Nov 19, 2014 at 5:42 PM, Udara Liyanage <ud...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Below is the flow which is discussed so far.
>>>>>
>>>>> 1) User/tenant deploys an application with id=appId
>>>>> 2) SM calls IS and creates an OAuth app, which will return a consumer key
>>>>> and consumer secret
>>>>> 3) SM again calls IS with the consumer key, secret and appid as the
>>>>> scope
>>>>> 4) IS generates a JWT token which consists of the appid
>>>>> 5) SM sends the token to the instance in the payload
>>>>> 6) When the cartridge agent calls the metadata service API, it should send
>>>>> the token
>>>>> 7) Then the metadata service can validate the token.
>>>>> 8) SM can do the authorization too by matching the appid in the token and
>>>>> the requested application id in the API call
>>>>>
>>>>> The blocking issue:
>>>>>    When the token is expired, the cartridge agent cannot renew the token
>>>>> since it does not have a username/password or refresh token.
>>>>>
>>>>>    However, for the moment, since we retrieve the metadata only at
>>>>> startup (which may change in future), we can live with it for now. But it
>>>>> is not an extensible solution.
>>>>>    As an alternative we can increase the expiration time of the token;
>>>>> not sure this is a recommended way of doing things.
>>>>>
>>>>> Your thoughts  are highly appreciated.
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Nov 19, 2014 at 3:14 PM, Udara Liyanage <ud...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I installed the OAuth feature of WSO2 IS and was able to generate a token
>>>>>> and validate a token by invoking the admin services using SOAP UI. I will
>>>>>> now try to do the same with code at the time of application deployment.
>>>>>>
>>>>>> Found several issues:
>>>>>>   We already use the SSO feature, so the newest OAuth feature did not work
>>>>>> due to CNF issues.
>>>>>>   Identity is not compatible with the OAuth feature.
>>>>>>
>>>>>>
>>>>>> On Tue, Nov 18, 2014 at 12:59 PM, Udara Liyanage <ud...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Sumedha,
>>>>>>>
>>>>>>>
>>>>>>> Currently "no". We need to support both single-JVM and distributed
>>>>>>> setups. For single JVM, we may need to install either the API Manager
>>>>>>> key-manager feature or the IS OAuth feature.
>>>>>>>
>>>>>>> On Tue, Nov 18, 2014 at 12:31 PM, Sumedha Rubasinghe <
>>>>>>> sumedh...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Udara,
>>>>>>>> Do you have WSO2 API Manager/IS running?
>>>>>>>>
>>>>>>>> On Tue, Nov 18, 2014 at 11:00 AM, Udara Liyanage <ud...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Currently we use username/password based authentication when
>>>>>>>>> retrieving and publishing metadata via the metadata service API. The
>>>>>>>>> issue with this approach is that one client can access/alter another
>>>>>>>>> app's data if it knows the application id.
>>>>>>>>> I suggest using OAuth to secure resources and letting the client
>>>>>>>>> access only the metadata related to its application.
>>>>>>>>> I am doing R&D on possible ways of accomplishing this task and
>>>>>>>>> will update the thread on my findings. Currently I am assessing the
>>>>>>>>> feasibility of the WSO2 IS OAuth feature and the WSO2 APIM key manager
>>>>>>>>> feature.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Udara Liyanage
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2, Inc.: http://wso2.com
>>>>>>>>> lean. enterprise. middleware
>>>>>>>>>
>>>>>>>>> web: http://udaraliyanage.wordpress.com
>>>>>>>>> phone: +94 71 443 6897
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Lakmal Warusawithana
>>> Vice President, Apache Stratos
>>> Director - Cloud Architecture; WSO2 Inc.
>>> Mobile : +94714289692
>>> Blog : http://lakmalsview.blogspot.com/
>>>
>>>
>>
>
>
>



-- 
Imesh Gunaratne

Technical Lead, WSO2
Committer & PMC Member, Apache Stratos
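Added example (not code from this thread, Apache Stratos or WSO2): a self-contained Go program that plays out both designs discussed above, the SM-signed per-instance key pair whose certificate carries the application id as CN, and the token with an appid claim and an expiry that the metadata service validates and authorizes on. It assumes ECDSA P-256 keys, an ES256 JWS as the token format, that SM's "public key installed into the metadata service" is SM's own self-signed certificate, and that the agent presents its instance certificate together with the token; the names issue, agentToken, verifyRequest and the ids stratos-sm/app-1 are this example's own, not names from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type claims struct { // carried in the agent's token; appid is what the metadata service authorizes on
	AppID string `json:"appid"`
	Exp   int64  `json:"exp"`
}

// issue generates a key pair plus a certificate with CN = cn: self-signed when parent == nil
// (SM's own CA certificate), otherwise signed by parent/signer (SM signing an instance key).
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, signer, tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = tmpl, key, true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// agentToken is the cartridge-agent side: a compact ES256 JWS, signed with the instance key from the payload.
func agentToken(key *ecdsa.PrivateKey, appID string, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256"})
	body, _ := json.Marshal(claims{AppID: appID, Exp: time.Now().Add(ttl).Unix()})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS encodes an ECDSA signature as r || s, each left-padded to 32 bytes (not DER).
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyRequest is the metadata-service side; it trusts only SM's certificate, and requires the
// instance certificate to chain to SM, the token to verify under that key and be unexpired, and
// the appid claim, the certificate CN and the application id in the API call to agree.
func verifyRequest(smCert, instCert *x509.Certificate, token, requestedAppID string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(smCert)
	if _, err := instCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("instance certificate not issued by SM: %w", err)
	}
	pub, ok := instCert.PublicKey.(*ecdsa.PublicKey)
	parts := strings.Split(token, ".")
	if !ok || len(parts) != 3 {
		return errors.New("unsupported key or malformed token")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` } // pinned below: never let the token header choose the algorithm
	var c claims
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || json.Unmarshal(pb, &c) != nil {
		return errors.New("malformed token or unexpected algorithm")
	}
	if d := sha256.Sum256([]byte(parts[0] + "." + parts[1])); !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad token signature")
	}
	if now.Unix() >= c.Exp { // the agent holds no refresh token, so an expired token is final
		return errors.New("token expired")
	}
	if c.AppID != instCert.Subject.CommonName || c.AppID != requestedAppID {
		return errors.New("token not authorized for requested application")
	}
	return nil
}

func main() {
	smKey, smCert, _ := issue("stratos-sm", nil, nil)
	instKey, instCert, _ := issue("app-1", smCert, smKey)
	tok, _ := agentToken(instKey, "app-1", time.Hour)
	fmt.Println(verifyRequest(smCert, instCert, tok, "app-1", time.Now()), verifyRequest(smCert, instCert, tok, "app-2", time.Now()))
}
```

Two points this makes concrete. Authorization does not rest on the token alone: because the CN of the SM-signed certificate must equal the appid claim, an agent that holds a valid instance key still cannot mint a token for another application, and a key pair not issued by SM is rejected before the token is even parsed. The expiry check is the blocker from the thread in code: once exp passes there is nothing the agent can renew with, so the TTL SM chooses at deployment (or a non-expiring token, as +1'd above) is the only lever.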
