Hi,
I added a configuration to the APIConsumerAuthentication section of the API Manager
config file as follows. It is there to determine whether the gateway needs to
delete or keep security headers. By default it will remove OAuth headers
from the outgoing message.

<RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage>

Thanks.

On Fri, Jan 18, 2013 at 10:30 AM, Sanjeewa Malalgoda <[email protected]> wrote:

>
>
> On Fri, Jan 18, 2013 at 12:44 AM, Lalaji Sureshika <[email protected]> wrote:
>
>> Hi Sanjeewa,
>>
>> On Thu, Jan 17, 2013 at 10:29 PM, Sanjeewa Malalgoda
>> <[email protected]> wrote:
>>
>>> Hi All.
>>> At the moment we are removing authorization headers from the API request
>>> when it passes to the actual back end (at the gateway authorization handler). But
>>> for some use cases we need to just pass through the gateway and allow the
>>> actual back end to do authorization. In that case we can define that
>>> resource token type as none (no application or application user). Then the
>>> gateway will skip the authorization process but still removes authorization
>>> headers if available. But ideally it shouldn't remove them, as no
>>> actual authorization happens. Shall we go ahead and avoid removing security
>>> headers? WDYT?
>>>
>>
>> With your above suggested way, it'll handle 1) invoking a secured OAuth
>> back-end endpoint when no auth scheme is required at API level. But it'll not
>> handle 2) invoking a secured OAuth back-end endpoint when an auth scheme is
>> required at API level... My question is, if we are going to implement the
>> above use case, don't we need to consider my 2nd mentioned option as well and
>> find a common solution for both flows?
>>
> I suggested only scenario 1 because we don't need to validate the same OAuth
> token twice (of course there are such use cases as well). In that case we
> can make it configurable.
>
>>
>> And additionally, if we avoid removing security headers for an API request
>> with no auth scheme required at gateway level, whether the back-end endpoint is
>> secured or not, it'll pass the authorization header to the backend. Is it ok to
>> do so?
>>
> I think it's fine. IMO whatever the client passes (and is not related to the gateway)
> should go to the back end.
>
>>
>> Thanks;
>>
>>
>>>
>>> Thanks.
>>> --
>>> *Sanjeewa Malalgoda*
>>> WSO2 Inc.
>>> Mobile : +14084122175 | +94713068779
>>>
>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>
>>
>>
>>
>> --
>> Lalaji Sureshika
>> Software Engineer; Development Technologies Team;WSO2, Inc.;
>> http://wso2.com/
>> email: [email protected]; cell: +94 71 608 6811
>> blog: http://lalajisureshika.blogspot.com
>>
>>
>>
>
>
>



_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
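The following is an added example, not WSO2 code from this thread or the API Manager code base: a small model of the gateway decision the mails discuss, driven by the `RemoveOAuthHeadersFromOutMessage` setting. It reads the flag from a config fragment (defaulting to removal when the element is absent, as the first mail states), then builds the headers forwarded to the back end for the two scenarios Lalaji raises (no auth scheme at API level versus an auth scheme required at API level). The `APIConsumerAuthentication` wrapper element, the resource auth type strings, the set of headers treated as OAuth headers and the request shape are assumptions for illustration.

```python
"""Added example (not WSO2's code): model the gateway's choice to strip or
forward OAuth headers based on RemoveOAuthHeadersFromOutMessage."""
import xml.etree.ElementTree as ET

# Constructed config fragments in the style of the api-manager section
# named in the mail. The wrapper element name is an assumption.
CONFIG_STRIP = """<APIConsumerAuthentication>
  <RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage>
</APIConsumerAuthentication>"""

CONFIG_PASSTHROUGH = """<APIConsumerAuthentication>
  <RemoveOAuthHeadersFromOutMessage>false</RemoveOAuthHeadersFromOutMessage>
</APIConsumerAuthentication>"""

CONFIG_ABSENT = "<APIConsumerAuthentication/>"

# Resource auth types as discussed in the thread (string values assumed).
AUTH_NONE = "None"
AUTH_APPLICATION = "Application"
AUTH_APPLICATION_USER = "Application User"

# Header names the gateway regards as OAuth security headers (assumed set).
# Compared case-insensitively because HTTP header names are.
OAUTH_HEADERS = frozenset({"authorization"})


def remove_oauth_headers_enabled(config_xml: str) -> bool:
    """Read RemoveOAuthHeadersFromOutMessage; default True (remove), as
    the mail describes, when the element is missing or empty."""
    root = ET.fromstring(config_xml)
    node = root.find("RemoveOAuthHeadersFromOutMessage")
    if node is None or node.text is None:
        return True
    return node.text.strip().lower() == "true"


def build_backend_headers(inbound: dict, resource_auth_type: str,
                          remove_oauth_headers: bool):
    """Return (headers forwarded to the back end, gateway_validated).

    gateway_validated is False for auth type None: the gateway skips token
    validation and, if the flag is off, the back end must validate the
    forwarded Authorization header itself (scenario 1 in the thread).
    """
    gateway_validated = resource_auth_type != AUTH_NONE
    if remove_oauth_headers:
        forwarded = {k: v for k, v in inbound.items()
                     if k.lower() not in OAUTH_HEADERS}
    else:
        forwarded = dict(inbound)
    return forwarded, gateway_validated


def token_forwarded(inbound: dict, resource_auth_type: str,
                    config_xml: str) -> bool:
    """True when the client's OAuth header reaches the back end under the
    given config: the case Lalaji asks about for unsecured back ends."""
    forwarded, _ = build_backend_headers(
        inbound, resource_auth_type, remove_oauth_headers_enabled(config_xml))
    return any(k.lower() in OAUTH_HEADERS for k in forwarded)


if __name__ == "__main__":
    # Constructed inbound request with a placeholder token.
    request = {"Authorization": "Bearer constructed-token",
               "Content-Type": "application/json"}
    for label, cfg in (("strip", CONFIG_STRIP), ("absent", CONFIG_ABSENT),
                       ("passthrough", CONFIG_PASSTHROUGH)):
        for auth in (AUTH_NONE, AUTH_APPLICATION):
            fwd, validated = build_backend_headers(
                request, auth, remove_oauth_headers_enabled(cfg))
            print(f"{label:12s} auth={auth:12s} validated={validated} "
                  f"forwarded={sorted(fwd)}")
```

The `token_forwarded` check is the one to run before turning the flag off: with `false` the client's token is handed to every back end behind that gateway, secured or not, which is the trade-off Lalaji's second question describes.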
