Hi Folks,

Please refer to $Subject; the complete explanation follows.

Integrate OAuth 2.0 into the Dev governance project

In the current Developer-gov implementation we allow users to input their
credentials using the WSO2 ES admin console. That isn't a good approach and we
thought of going with an OAuth implementation.

[figure 1 : Architecture view]

Requirements

- Acquire OAuth tokens from IS to perform API calls, since it is the best
  possible (secured) scenario
- Integrate LDAP
The status of the authentication framework support of each API is as follows:

API Authentication

- Jira Aggregate API
  - Why an aggregate API?
    - Jira REST doesn't allow us to create a project through its API but
      the SOAP API does, therefore we came to the conclusion to have an
      aggregate API
  - Jira REST API - the REST API does support OAuth
    [1] <https://confluence.atlassian.com/display/JIRA/Allowing+OAuth+Access>
    - OAuth REST example
      [2] <https://developer.atlassian.com/display/JIRADEV/JIRA+REST+API+Example+-+OAuth+authentication>
  - Jira SOAP API - the SOAP API doesn't support OAuth
    [3] <https://answers.atlassian.com/questions/50635/jira-4-4-rpc-soap-oauth>
    - There is a mechanism implemented but OAuth is not possible over the
      SOAP API, only REST will support it. (REST has its own limitations
      when it comes to creating Jira projects.)
      [4] <https://docs.atlassian.com/rpc-jira-plugin/4.4/com/atlassian/jira/rpc/soap/JiraSoapService.html#login%28java.lang.String,%20java.lang.String%29>
- Jenkins REST API
  - The REST API itself doesn't support OAuth. But there is a model called
    plug-in which will help us to create plug-ins like wrappers to enforce
    OAuth [5] <https://wiki.jenkins-ci.org/display/JENKINS/OAuth+Credentials>
- Redmine REST API [6] <http://www.redmine.org/projects/redmine/wiki/Rest_api>
  - Authentication
    - Most of the time, the API requires authentication. To enable the
      API-style authentication, you have to check Enable REST API in
      Administration > Settings > Authentication. Then, authentication can be
      done in 2 different ways:
      - using your regular login/password via HTTP Basic authentication.
      - using your API key, which is a handy way to avoid putting a
        password in a script. The API key may be attached to each
        request in one of the following ways:
        - passed in as a "key" parameter
        - passed in as a username with a random password via HTTP
          Basic authentication
        - passed in as a "X-Redmine-API-Key" HTTP header (added in
          Redmine 1.1.0)
      You can find your API key on your account page ( /my/account ) when logged
      in, on the right-hand pane of the default layout.
- GitHub REST API
  - The GitHub REST API does support OAuth
    [7] <http://developer.github.com/v3/#authentication> but
    if we are planning to go ahead with that implementation the following
    constraints will occur
    - Since everybody uses their own GitHub accounts we have to rule out
      LDAP integration
    - Integration with WSO2 IS
- Bamboo REST API
  [8] <https://developer.atlassian.com/display/BAMBOODEV/Using+the+Bamboo+REST+APIs>
  Bamboo can be integrated with LDAP for the authentication and authorization
  of LDAP users
  - REST Authentication
    - Log into Bamboo manually. You will then be authenticated for the
      REST APIs for that same browser session.
    - Use HTTP basic authentication (Authorization HTTP header)
      containing 'Basic username:password'.
      The URL must also contain the 'os_authType=basic' query parameter.
    - Example:
      wget --http-user=admin --http-password=admin http://localhost:8085/rest/api/latest/plan?os_authType=basic
      curl --user admin:admin
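As an added illustration of the Redmine and Bamboo authentication mechanisms described above (this is example code written for this summary, not from the mail, Redmine or Atlassian), the helper below builds the request URL and headers for each of the three Redmine API-key placements and for the Bamboo Basic-auth-plus-os_authType call. The endpoints, key and credentials are constructed sample values. It also flags the one placement where the secret ends up in the URL, which matters when choosing how a script should pass the key, because query strings land in access logs and proxy logs while headers normally do not.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample endpoints for the demonstration (hypothetical hosts).
REDMINE_BASE = "http://redmine.example.invalid"
BAMBOO_BASE = "http://localhost:8085"


def basic_auth_header(username, password):
    """Value of an HTTP Basic 'Authorization' header (RFC 7617): base64(user:pass)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _with_query_param(url, name, value):
    """Return url with name=value added to (or replacing in) its query string."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def redmine_request(path, api_key, mode="header"):
    """Build {'url', 'headers'} for a Redmine REST call, attaching the API key
    in one of the three ways the Redmine wiki lists: 'header', 'basic', 'param'."""
    url = REDMINE_BASE + path
    headers = {}
    if mode == "header":
        headers["X-Redmine-API-Key"] = api_key
    elif mode == "basic":
        # Key as the username; the password is arbitrary and ignored by Redmine.
        headers["Authorization"] = basic_auth_header(api_key, "x")
    elif mode == "param":
        url = _with_query_param(url, "key", api_key)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {"url": url, "headers": headers}


def bamboo_request(path, username, password):
    """Build a Bamboo REST call: Basic Authorization header plus the
    os_authType=basic query parameter that Bamboo requires alongside it."""
    url = _with_query_param(BAMBOO_BASE + path, "os_authType", "basic")
    headers = {"Authorization": basic_auth_header(username, password)}
    return {"url": url, "headers": headers}


def secret_in_url(request, secret):
    """True when the credential is part of the URL, i.e. it will show up in
    browser history and web-server/proxy access logs, unlike a header value."""
    return secret in request["url"]


if __name__ == "__main__":
    # Constructed sample key and credentials, not real ones.
    for mode in ("header", "basic", "param"):
        req = redmine_request("/projects.json", "abc123", mode)
        print(mode, req["url"], req["headers"], "secret in URL:",
              secret_in_url(req, "abc123"))
    print(bamboo_request("/rest/api/latest/plan", "admin", "admin"))
```

The returned dictionaries can be handed straight to urllib or requests; of the three Redmine placements only the "key" query parameter trips secret_in_url, which is why a script should prefer the header or the Basic-username form.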
User Store integration

- Four of the given five APIs support LDAP integration. GitHub will be a
  special case since devs are using their private accounts.

Moral of the story as follows

- OAuth support status of the given APIs
  - Jira aggregate API
    - Jira REST - YES
    - Jira SOAP - NO
  - Jenkins REST API - NO, but need to write a plug-in
  - Bamboo REST - NO
  - GitHub REST - YES
  - Redmine REST API - NO, but need to write a plug-in

We need a proper model if we are going ahead with OAuth, since some APIs do
support OAuth and some don't.
*Alternative approach*

- Secure vault
  - Create a superuser account in each product (API tools) which has the
    right to perform high priority API calls such as 'Creating Project'.
    Store the superuser credentials in a config file and protect them with
    secure vault, so we don't need the OAuth approach - a similar approach
    is used by AppFactory
- Integrate WSO2 API Manager
  - So it can communicate with WSO2 ES via OAuth.
Please provide your feedback on this.
Thanks !
Pubudu
--
*Pubudu Dissanayake*
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Mobile: 0775503304
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev