Hi Aliosha,
In OAuth, if you use the implicit grant type, the token will be appended as a URI
fragment. Otherwise you will get the token, with additional parameters according to
the grant type you specified, in the response body.
If you use HTTPS, then the communication between server and client will be
secured. When requesting a resource, you set the token in the Authorization
header as a bearer token ("Authorization: Bearer 9nEQnijLZ0Gi0gZ6a3pZICktVUca").
On the server side you can validate it before accessing the
resource. Why do you need the ESB to do the validation rather than doing the
validation on the server side? Is the token validation API separate? If you
use the ESB, you can get the bearer token and call your token validation
service to check whether the token is valid. You can achieve this via the ESB, but
I'm not clear why you need that. As Malaka suggested, you can use custom
mediators to achieve this.
[1] - https://docs.wso2.com/display/AM170/Deploying+and+Testing+YouTube+API
[2] - http://stackoverflow.com/questions/26987272/how-to-extract-http-headers-using-a-mediator
[3] - https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
[4] - http://wso2.com/library/articles/2014/02/securing-your-web-service-with-oauth2-using-wso2-identity-server-1/
Thanks,
Harsha
On Thu, Jan 8, 2015 at 6:21 AM, Aliosha <[email protected]> wrote:
> In my use case I have these 2 architectural configurations:
>
> 1) FrontEnd Client Application ---------------------------------> Services
> Provider --- DB (tokens)
>
> 2) FrontEnd Client Application ----> WSO2 ESB 4.8.1 ----> Services
> Provider --- DB (tokens)
>
> The only difference between 1 and 2 is the introduction of the WSO2 ESB
> 4.8.1 mediating the client requests.
>
> For security purposes I developed an OAuth 2.0 module installed on the
> client side and an OAuth 2.0 server module on the Service Provider side.
>
> In the first configuration, the OAuthServer module produces the token
> regularly and sends it to the client-side module, which will use it for the
> subsequent requests for Service Provider resources. The tokens are stored inside
> a DB by the Service Provider.
>
> My question deals with the second configuration in which there is the WSO2
> ESB in the middle.
>
> I know that the OAuth token is appended to the client request URL... so,
> the behaviour I expected from the ESB is that the token would transparently
> pass through the ESB, reaching the Service Provider for accessing its
> resources.
>
> Now... what can I do if I wanted to introduce an additional security level
> in the WSO2 ESB?
>
> What I want is for the ESB to validate the token before the request reaches the
> Service Provider. If the token is correct, the request is forwarded to
> the Service Provider; otherwise, if the token is not validated, the
> request flow is dropped by the ESB.
>
> Is it possible to implement such a configuration? How?
>
>
> Regards.
>
> Alessio Orlando
>
--
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
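The flow the reply describes (the ESB reads the bearer token from the Authorization header, calls the token validation service, and either forwards the request or drops it) is modelled below as an added example; it is not code from this thread or from WSO2. It is written in plain Python rather than as a Synapse sequence or a Java class mediator so the decision logic is shown independently of the ESB version. The function names, the ValidationResult type and the in-memory token store are assumptions; in the setup discussed, validate_token would be a call from the ESB to the Service Provider's validation API or token DB. The header parsing follows the Bearer syntax of RFC 6750, and the error codes in the drop path are the ones that RFC defines.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Bearer credential syntax from RFC 6750 section 2.1:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive, so "bearer" must be accepted as well.
_BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from the Authorization header, or None if the header is
    absent, uses another scheme (e.g. Basic), or is malformed."""
    # Header names are case-insensitive; transports normalise them differently.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    match = _BEARER_RE.match(value)
    return match.group(1) if match else None


@dataclass(frozen=True)
class ValidationResult:
    """What the (hypothetical) token validation service answers about a token."""
    active: bool
    scope: frozenset = frozenset()


# Constructed stand-in for the Service Provider's token DB / validation API.
# In the thread's setup this would be a call from the ESB to that service.
_CONSTRUCTED_TOKEN_STORE = {
    # token value taken from the example header in the reply above
    "9nEQnijLZ0Gi0gZ6a3pZICktVUca": ValidationResult(active=True, scope=frozenset({"read"})),
    "expiredtoken000": ValidationResult(active=False),
}


def validate_token(token: str) -> ValidationResult:
    """Hypothetical validation call; unknown tokens are reported as inactive."""
    return _CONSTRUCTED_TOKEN_STORE.get(token, ValidationResult(active=False))


def mediate(headers: Mapping[str, str],
            required_scope: Optional[str] = None) -> Tuple[bool, int, str]:
    """ESB-side decision for one request: (forward, status, reason).

    forward=True means the request continues to the Service Provider;
    otherwise status/reason describe the error response the ESB returns,
    using the RFC 6750 section 3.1 error codes."""
    token = extract_bearer_token(headers)
    if token is None:
        # No usable credential: 401 with a WWW-Authenticate: Bearer challenge
        return (False, 401, "missing or malformed bearer credential")
    result = validate_token(token)
    if not result.active:
        return (False, 401, "invalid_token")
    if required_scope is not None and required_scope not in result.scope:
        return (False, 403, "insufficient_scope")
    return (True, 200, "forward to Service Provider")


if __name__ == "__main__":
    # Constructed requests: a valid token, an expired one, a Basic credential, no header
    for hdrs in ({"Authorization": "Bearer 9nEQnijLZ0Gi0gZ6a3pZICktVUca"},
                 {"authorization": "bearer expiredtoken000"},
                 {"Authorization": "Basic dXNlcjpwYXNz"},
                 {}):
        print(hdrs, "->", mediate(hdrs))
```

The point of doing the lookup by lower-cased header name and matching the scheme case-insensitively is that an ESB sits behind clients and transports it does not control; a strict "Authorization"/"Bearer" string comparison would drop legitimate requests, while an overly loose match (for example accepting any scheme) would forward credentials the validation service never inspected. The 401/403 split mirrors what the Service Provider itself would answer, so introducing the ESB in front of it does not change the client-visible contract.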