Hi,
Using OAuth will be beneficial and future-proof as well. You can use it
easily when the APIs are exposed to the public. +1 for using OAuth for API
Security.
Thanks,
Best Regards,
Lakshitha Harshan
Software Engineer
Mobile: *+94724423048*
Email: hars...@wso2.com
Thank you everyone for your valuable inputs.
@Udara,
These API endpoints are used by ES publisher App itself and will be invoked
by authorized third party as well. In that way we have enabled accessing ES
back office via remote clients as well.
According to suggestions in this thread having
Hi,
+1 for OAuth2. Because publisher APIs can be used in mobile devices.
Ex -: customer implements mobile app to publish assets
Also need to think about how customer can extend (customize) the security
with our extension model.
Ex-: Customer writes an extended publisher API and needs to give
Hi,
Having basic oauth with HTTPS is kind of secured as long as no third party
is invoking the APIs.
Touched, not typed. Erroneous words are a feature, not a typo.
I believe this is a perfect example for API Everywhere concept. In EMM -
some APIs are exposed to the devices with this concept. Basically a tomcat
valve validates the security tokens - the security protocol used here is
OAuth.
Another question I have on the BackOffice API is - whether this is
Another question I have on the BackOffice API is - whether this is the
same API used by the Publisher App itself?
yeap
On Fri, Oct 17, 2014 at 4:09 PM, Chan duli...@wso2.com wrote:
I believe this is a perfect example for API Everywhere concept. In EMM -
some APIs are exposed to the devices
Hi,
The API can be secured using either BasicAuth or OAuth. WSO2 IS SCIM
endpoint is one example.
If BasicAuth is used, the client side might have to store the username/password.
If OAuth is used, and the API is accessed via a browser, the user can be
redirected to the authorization Server to get
IMO storing username and password is not the recommended way. So +1 for
oauth security. Maybe we can have both oauth and basic auth if needed. But
if these endpoints are for third party developers who will write some
client code using it I think oauth is the best way.
Thanks Regards
Danushka
Hi Ayesha,
IMO, if you have an intention to expose your API to third party developers,
the best way to secure it is using OAuth2, where the third party developer can generate
his consumer id/secret and generate an API token and use that token to
access APIs. Wso2APIM is using that protocol. If you wish can use
Hi Ruchira,
Yes, I need recommendation on how to secure all the REST API endpoints.
Currently publisher app uses both HTTP and HTTPS. Since, publisher should be
secured I think we need to disable serving pages/apis in HTTP. In that way
these REST endpoints also will be only HTTPS enabled as they
Hi all,
I have implemented ES Publisher REST API in order to access and perform
CRUD operations on ES -BackOffice.
Each endpoint is authenticated by a valid Session-ID, passed to the
endpoint in request header.
In order to obtain a session-ID we have implemented a separate authenticate
REST
On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka aye...@wso2.com
wrote:
Hi all,
I have implemented ES Publisher REST API in order to access and perform
CRUD operations on ES -BackOffice.
Each endpoint is authenticated by a valid Session-ID, passed to the
endpoint in request header.