On Sat, Jan 19, 2013 at 8:04 PM, Lalaji Sureshika <[email protected]> wrote:

> Hi,
>
> On Sat, Jan 19, 2013 at 12:48 PM, Amila Suriarachchi <[email protected]>wrote:
>
>>
>>
>> On Fri, Jan 18, 2013 at 12:44 AM, Lalaji Sureshika <[email protected]>wrote:
>>
>>> Hi Sanjeewa,
>>>
>>> On Thu, Jan 17, 2013 at 10:29 PM, Sanjeewa Malalgoda 
>>> <[email protected]>wrote:
>>>
>>>> Hi All.
>>>> At the moment we are removing authorization headers from the API request
>>>> when it passes to the actual back end (at the gateway authorization handler). But
>>>> for some use cases we need to just pass through the gateway and allow the
>>>> actual back end to do authorization. In that case we can define that
>>>> resource token type as none (no application or application user). Then the
>>>> gateway will skip the authorization process but still removes authorization
>>>> headers if available. But ideally it shouldn't remove them as no
>>>> actual authorization happens. Shall we go ahead and avoid removing security
>>>> headers? WDYT?
>>>>
>>>
>>> With your suggested way above, it'll handle 1) invoking a secured OAuth
>>> back-end endpoint when no auth scheme is required at API level. But it'll not
>>> handle 2) invoking a secured OAuth back-end endpoint when an auth scheme is
>>> required at API level...
>>>
>>
>> Is this a practical case? The first question is who has issued this OAuth
>> token. If API Manager has issued it then authorisation should happen at the
>> API Manager level. If the back end service has issued it, it should be at the
>> back end. Since this token is dependent on the issuer, I feel practically we
>> won't come to this situation.
>>
>
>   What I meant by the above 2nd use case is, say, a user trying to create an
> API from WSO2 APIM for a back-end endpoint, for eg: facebook/twitter
> endpoints [1], while keeping OAuth tokens required to authenticate at both
> APIM gateway level and backend server level...
>

In this case we need to think why he needs to send this message through the
API Manager. If it is just for the monitoring case, he just needs to pass the
token through. I think the problem mentioned here is not being able
to do that.

For example, in API manager 1.3.0 you can skip authentication by setting
the authorisation level to none. But that will drop the Authorisation
header. Therefore, in order to support this properly, we need to let users
send the Authorisation header through API manager for the non secure case.

thanks,
Amila.


>
> [1]
> http://stackoverflow.com/questions/12485734/adding-a-api-to-wso2-api-manager-that-has-oauth-credentials
>
> Thanks;
>
>>
>>
>>
>>> My question is, if we are going to implement the above use case, don't we
>>> need to consider my 2nd mentioned option as well and find a common solution
>>> for both flows...
>>>
>>> And additionally, if we avoid removing security headers for an API
>>> request with no auth scheme required at gateway level, whether the back-end
>>> endpoint is secured or not, it'll pass the authorization header to the backend... Is
>>> it ok to do so?
>>>
>>
>> I think so. In this case the Client sends an OAuth token. So either at API
>> Manager or at the back end some authorisation should happen.
>>
>> For me, if API manager does the authorisation, it can drop the header
>> since the token is intended for API Manager. If not, it has to forward
>> that since the back end requires it. If we put an attribute to configure it,
>> it may either drop or forward and hence may not be able to properly handle the
>> situation where people use both secured and non secured APIs at API Manager.
>>
>> thanks,
>> Amila.
>>
>>
>>>
>>> Thanks;
>>>
>>>
>>>>
>>>> Thanks.
>>>> --
>>>> *Sanjeewa Malalgoda*
>>>> WSO2 Inc.
>>>> Mobile : +14084122175 | +94713068779
>>>>
>>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>>
>>>
>>>
>>>
>>> --
>>> Lalaji Sureshika
>>> Software Engineer; Development Technologies Team;WSO2, Inc.;
>>> http://wso2.com/
>>> email: [email protected]; cell: +94 71 608 6811
>>> blog: http://lalajisureshika.blogspot.com
>>>
>>>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> *Amila Suriarachchi*
>>
>> Software Architect
>> WSO2 Inc. ; http://wso2.com
>> lean . enterprise . middleware
>>
>> phone : +94 71 3082805
>>
>
>
>
> --
> Lalaji Sureshika
> Software Engineer; Development Technologies Team;WSO2, Inc.;
> http://wso2.com/
> email: [email protected]; cell: +94 71 608 6811
> blog: http://lalajisureshika.blogspot.com
>
>
>


-- 
*Amila Suriarachchi*

Software Architect
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware

phone : +94 71 3082805
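The two gateway behaviours contrasted in this thread (the 1.3.0 handler that drops the Authorization header even when the resource auth type is none, and the proposed handler that forwards it untouched so the back end can authorise), as an added illustration that is not WSO2 API Manager code. The resource auth types, the `Request`/`Result` types and the in-memory token table standing in for the key manager are assumptions made for the example:

```python
"""Added example (not WSO2 code): a minimal model of the gateway
Authorization header decision discussed in the thread.

Assumptions (not from the thread): a resource's auth type is one of
"None", "Application" or "Application User"; tokens the gateway itself
issued are looked up in an in-memory table standing in for the key manager.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: tokens the gateway (API Manager) issued itself.
# A real deployment would validate against the key manager instead.
GATEWAY_ISSUED_TOKENS = {"apim-token-123": "Application"}  # hypothetical


@dataclass
class Request:
    path: str
    headers: Dict[str, str]


@dataclass
class Result:
    status: int                              # 200 = forwarded, 401 = rejected
    forwarded_headers: Optional[Dict[str, str]]  # headers sent to the back end


def _issued_by_gateway(auth_header: Optional[str]) -> bool:
    """True only for a bearer token the gateway itself issued."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    return auth_header[len("Bearer "):] in GATEWAY_ISSUED_TOKENS


def legacy_handler(resource_auth_type: str, request: Request) -> Result:
    """API Manager 1.3.0 behaviour as described in the thread: auth type
    'None' skips validation, but the Authorization header is still removed,
    so a back end that needs its own OAuth token never sees it."""
    headers = dict(request.headers)
    if resource_auth_type != "None":
        if not _issued_by_gateway(headers.get("Authorization")):
            return Result(401, None)
    headers.pop("Authorization", None)  # dropped in every case
    return Result(200, headers)


def proposed_handler(resource_auth_type: str, request: Request) -> Result:
    """Behaviour proposed in the thread: the gateway drops the header only
    when it performed the authorisation itself (the token was intended for
    API Manager); with auth type 'None' the header passes through untouched
    so the back end can do the authorisation."""
    headers = dict(request.headers)
    if resource_auth_type == "None":
        return Result(200, headers)          # no authorisation here: forward as-is
    if not _issued_by_gateway(headers.get("Authorization")):
        return Result(401, None)             # token is not ours: reject
    headers.pop("Authorization", None)       # consumed by the gateway
    return Result(200, headers)


if __name__ == "__main__":
    # Constructed sample request: client carries a token meant for the back end.
    req = Request("/twitter/1.1/statuses", {"Authorization": "Bearer backend-token",
                                           "Accept": "application/json"})
    for name, handler in (("legacy", legacy_handler), ("proposed", proposed_handler)):
        print(name, "auth=None ->", handler("None", req))
```

With auth type None, the proposed handler forwards whatever credential the client sent; the back end, not the gateway, is then responsible for validating it, which is the trade-off raised in the thread about exposing the header to unsecured back ends.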
