On Thu, Oct 20, 2016 at 9:36 PM, Isura Karunaratne <is...@wso2.com> wrote:
> We need to secure recovery APIs and self-registration APIs
> (*api/identity/recovery* and *api/identity/user*).
>
> I've been looking at securing self-registration APIs (*api/identity/user*) with the Generic Authentication Mechanism for all the REST APIs in [1], for the purpose of testing the IDENTITY-4742 feature. Wires in IDENTITY-4742 work as expected. However, a few concerns were raised as I was testing the self-registration REST API.
>
> 1. What is the correct Authentication mechanism for securing this API? MutualAuth??
> 2. When basicAuth headers are sent to the self-registration API, authenticated users can create new users in cross domains (in another tenant). Shouldn't this be handled at API level?
>
> [1] https://wso2.org/jira/browse/IDENTITY-4742
>
> Regards,
> -Ayesha
>
> --
> *Ayesha Dissanayaka*
> Software Engineer, WSO2, Inc : http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
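The second concern above (a basicAuth-authenticated caller creating users in another tenant) is a tenant-isolation check that belongs in the API itself. The following is an added, illustrative example and is not WSO2 code: it models a self-registration endpoint that derives the target tenant from the authenticated principal and rejects any request whose body field or username suffix names a different tenant. The `Principal`, `UserStore`, `register_user` names, the `carbon.super` default and the `user@tenant` naming convention are assumptions made for the example.

```python
"""Tenant-scoped self-registration check (illustrative, not WSO2's implementation)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SUPER_TENANT = "carbon.super"  # assumed name of the default tenant


@dataclass(frozen=True)
class Principal:
    """Caller identity as established by the authentication layer (e.g. basicAuth).

    tenant_domain is set by the authenticator from the credentials, never copied
    from the request body, so it is the only trustworthy tenant for the call.
    """
    username: str
    tenant_domain: str


class TenantMismatchError(PermissionError):
    """Raised when a caller tries to create a user outside its own tenant."""


class UserStore:
    """Constructed in-memory user store keyed by (tenant, username)."""

    def __init__(self) -> None:
        self.users: Dict[Tuple[str, str], dict] = {}

    def add(self, tenant: str, username: str, claims: dict) -> dict:
        key = (tenant.lower(), username.lower())
        if key in self.users:
            raise ValueError(f"user {username!r} already exists in tenant {tenant!r}")
        record = {"tenant": tenant.lower(), "username": username, **claims}
        self.users[key] = record
        return record


def split_tenant(username: str) -> Tuple[str, Optional[str]]:
    """'alice@foo.com' -> ('alice', 'foo.com'); plain 'alice' -> ('alice', None).

    Assumes the user@tenant convention; a bare username carries no tenant.
    """
    if "@" in username:
        local, _, tenant = username.rpartition("@")
        return local, tenant.lower()
    return username, None


def register_user(store: UserStore, caller: Principal, username: str,
                  claims: dict, requested_tenant: Optional[str] = None) -> dict:
    """Create a user only inside the caller's own tenant.

    The authoritative tenant is the one bound to the authenticated principal.
    Both places a request could smuggle a different tenant (an explicit
    tenantDomain field and a user@tenant suffix) must agree with it, otherwise
    the call is rejected before the store is touched.
    """
    expected = caller.tenant_domain.lower()
    local_name, suffix_tenant = split_tenant(username)
    for source, value in (("tenantDomain field", requested_tenant),
                          ("username suffix", suffix_tenant)):
        if value is not None and value.lower() != expected:
            raise TenantMismatchError(
                f"{source} {value!r} does not match caller tenant {expected!r}")
    return store.add(expected, local_name, claims)


if __name__ == "__main__":
    store = UserStore()
    admin = Principal("admin", "foo.com")
    print(register_user(store, admin, "alice", {"email": "alice@example.org"}))
    try:
        register_user(store, admin, "eve", {}, requested_tenant="bar.com")
    except TenantMismatchError as exc:
        print("rejected:", exc)
```

The point of the design is that the tenant is an output of authentication, not an input field: a request that carries a mismatching `tenantDomain` or a `user@othertenant` name fails closed, and a request that omits both still lands in the caller's tenant rather than the super tenant.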