Re: [Architecture] [X509 Authenticator] Certificate Revocation Verification with CRL and OCSP

2018-01-09 Thread Indunil Upeksha Rathnayake
Hi, On Wed, Jan 10, 2018 at 12:24 PM, Indunil Upeksha Rathnayake < indu...@wso2.com> wrote: > Hi, > > On Wed, Jan 3, 2018 at 6:05 PM, Asela Pathberiya wrote: > >> >> >> On Fri, Dec 15, 2017 at 10:11 AM, Darshana Gunawardana > > wrote: >> >>> >>> >>> On Fri,

Re: [Architecture] Scope Registration API for carbon-auth

2018-01-09 Thread Ishara Karunarathna
Hi Malintha, On Wed, Jan 10, 2018 at 11:28 AM, Malintha Amarasinghe wrote: > Hi Ishara, > > I am wondering whether it is possible to use OAuth to protect this because > this itself is actually part of OAuth APIs' implementation. Shall we have a > quick chat about this

Re: [Architecture] Scope Registration API for carbon-auth

2018-01-09 Thread Sanjeewa Malalgoda
The authentication mechanism can be different based on the scenario. For example, if we think of the API Manager use case, then the actual end user will not register scopes on his own behalf. Instead, he will make an API creation request and API core will initiate the registration flow with the scope registration API.

Re: [Architecture] Scope Registration API for carbon-auth

2018-01-09 Thread Malintha Amarasinghe
Hi Ishara, I am wondering whether it is possible to use OAuth to protect this because this itself is actually part of OAuth APIs' implementation. Shall we have a quick chat about this today/tomorrow? Thanks! On Tue, Jan 9, 2018 at 3:18 PM, Ishara Karunarathna wrote: > Hi

Re: [Architecture] OpenAPI 3.0 support for API Manager 2.2.0

2018-01-09 Thread Bhathiya Jayasekara
Hi Roshan, On Wed, Jan 10, 2018 at 4:55 AM, roshan wijesena wrote: > Folks, > > Do we have a significant difference between Swagger and OpenAPI? According > to https://swagger.io/blog/difference-between-swagger-and-openapi/, > Swagger is a tool and OpenAPI is the spec

Re: [Architecture] OpenAPI 3.0 support for API Manager 2.2.0

2018-01-09 Thread roshan wijesena
Folks, Do we have a significant difference between Swagger and OpenAPI? According to https://swagger.io/blog/difference-between-swagger-and-openapi/, Swagger is a tool and OpenAPI is the spec itself. Do we need to be concerned about the Swagger definition vs. the OpenAPI definition, rather than versions of

Re: [Architecture] OpenAPI 3.0 support for API Manager 2.2.0

2018-01-09 Thread Harsha Kumara
On Tue, Jan 9, 2018 at 10:57 AM, Thilini Shanika wrote: > @Bhathiya, > > Our initial plan was to provide an advanced option for developers to > decide the version (whether Swagger 2.0 or OpenAPI 3.0) of the > generated Swagger definition, but later we decided to stick to

Re: [Architecture] [RRT] XML, JSON, Schema validation threat protectors in APIM 2.1.x

2018-01-09 Thread Hasunie Adikari
Hi all, As I discussed with Isuru, there are some possible approaches to overcome the issue. 1. Create a new pass-through pipe. - The data will be written to the pipe by a spawned thread, and the current thread will be consuming the data and continuing the message flow. We went through the pipe

Re: [Architecture] [RRT] XML, JSON, Schema validation threat protectors in APIM 2.1.x

2018-01-09 Thread Dimuthu Leelarathne
Hi All, I am OK as long as we are invoking a method and not copying. Thanks, Dimuthu On Tue, Jan 9, 2018 at 4:41 PM, Isuru Udana wrote: > Hi Hasunie, > > As we discussed, setting the PassThroughConstants.BUFFERED_INPUT_STREAM > has no effect on the flow in this case and

Re: [Architecture] Decoupling Client Authentication from OAuth2 Flow

2018-01-09 Thread Hasintha Indrajee
We have had several discussions with the objective of making this logic more reusable. One of the ideas was to use our carbon-auth-rest valve to authenticate the client. Since it has the below concerns and gaps, we thought of implementing these authenticators as CXF interceptors. 1) Current

Re: [Architecture] [RRT] XML, JSON, Schema validation threat protectors in APIM 2.1.x

2018-01-09 Thread Isuru Udana
Hi Hasunie, As we discussed, setting PassThroughConstants.BUFFERED_INPUT_STREAM has no effect on the flow in this case, and the Passthrough Sender still seeks content from the original input stream, which became empty due to this cloning logic. That's the reason for this behaviour. Thanks. On Tue,

[Architecture] [APIM][C5] Multi-Environment API Overview Feature

2018-01-09 Thread Renuka Fernando
Hi All, We are planning to implement a feature that enables users to get a Multi-Environment API Overview of the APIs that they are managing across multiple environments. Please refer to the GitHub issue [1]. We appreciate any suggestions; please comment on the GitHub issue with your suggestions. [1]

Re: [Architecture] Scope Registration API for carbon-auth

2018-01-09 Thread Ishara Karunarathna
Hi Malintha, On Tue, Jan 9, 2018 at 2:19 PM, Malintha Amarasinghe wrote: > Hi Ishara, > > Thanks for the info. > > So basically we can consider scope name as unique so we can use the same > to represent the scope ID as well. > > @Sanjeewa, +1 to use scope name for below

Re: [Architecture] Secure MQTT Receiver for DAS

2018-01-09 Thread Kalaiyarasi Ganeshalingam
Hi all, I have tested whether we can create a secure MQTT connection with DAS 3.1.0. While configuring, I got the error [1], then I set up secure transport for the MQTT Mosquitto broker with SSL/TLS as in [3]. After the above configuration, I faced the issue [2]. So, I have validated the

Re: [Architecture] Scope Registration API for carbon-auth

2018-01-09 Thread Malintha Amarasinghe
Hi Ishara, Thanks for the info. So basically we can consider the scope name as unique, so we can use the same to represent the scope ID as well. @Sanjeewa, +1 to use the scope name for the below resources: GET|PUT|DELETE /scopes/{name} Regarding permissions, I think we can use Basic auth with some

Re: [Architecture] [APIM][C5] Multi-Environment API Overview Feature

2018-01-09 Thread Lakmal Warusawithana
Hi Pubudu, Details are in the GitHub issue. It is not about an API implementation level diff. It is showing an overview of how APIs are deployed in different environments. E.g. what the APIs are, API version, lifecycle state in dev, test, prod environment, etc. It is an API management overview across multi