*Supported:*
Out-of-the-box support from API Publisher is HTTP Basic Auth (over SSL).
This results in the following being added to the HTTP header going to the
backend service:

<property name="Authorization" expression="fn:concat('Basic ',
base64Encode('user1:password1'))" scope="transport"/>

*TODO:*
In the case of using a hardcoded OAuth2 token (BEARER token) to access the
backend, we can follow the same approach as above. It's just a matter of
setting the correct header.

As long as ESB endpoints support other scenarios (WS-Security UT, HTTP
Digest, etc.), we are supported - but not through the API Publisher UI. We had
the same argument on supporting different endpoint types (e.g. FO, LB, ...)
through the API Publisher UI.


But OAuth has more interesting scenarios to support.
e.g.:
API Manager providing a single OAuth2 token to access multiple OAuth2
secured endpoints (Acting as a Key Proxy). Here also we can hardcode OAuth2
tokens for external secured endpoints.

There are several extension points (moving away from hardcoded tokens) to
this one that can be converted to key features.
e.g.:
- Maintaining key profiles per proxy key issued by API Manager
- Dealing with expired tokens (for external OAuth2 tokens)
- Moving away from hardcoded tokens to programmatically obtaining them
given the token endpoint for external APIs

Simply offering Key (OAuth2) Management capabilities for all external APIs
being used by an org.


Supporting SAML is also an option. But IMO OAuth scenarios are higher
priority.




On Sun, Aug 18, 2013 at 12:01 AM, Sanjiva Weerawarana <[email protected]> wrote:

> Guys what have we done for secured backend services so far? Which of these
> do we support:
>
> - HTTP Basic Auth
> - OAuth
> - HTTP Digest Auth
> - WS-Sec UT
> - WS-Sec whatever the other thing is
> - what else?
>
> Given the requirement pretty much on the ESB what else do we need to
> support?
>
> Sanjiva.
> --
> Sanjiva Weerawarana, Ph.D.
> Founder, Chairman & CEO; WSO2, Inc.;  http://wso2.com/
> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1
> 650 265 8311
> blog: http://sanjiva.weerawarana.org/
>
> Lean . Enterprise . Middleware
>



-- 
/sumedha
b :  bit.ly/sumedha
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
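
The key-proxy extension points listed in the message above (key profiles per proxy key, expired external tokens, obtaining tokens from a token endpoint instead of hardcoding them) can be sketched as follows. This is an added illustration, not code from WSO2 or from the thread; `KeyProxy`, the `fetcher` callable standing in for the external token endpoint, and the sample keys and backend names are all hypothetical.

```python
import time
from typing import Callable, Dict, Iterable, Tuple

# fetcher(proxy_key, backend) -> (access_token, lifetime_seconds).
# Hypothetical stand-in for a request to the external API's token endpoint.
TokenFetcher = Callable[[str, str], Tuple[str, float]]


class KeyProxy:
    """Maps one proxy key to backend tokens, refreshing them before expiry."""

    def __init__(self, fetcher: TokenFetcher,
                 clock: Callable[[], float] = time.monotonic,
                 skew: float = 30.0) -> None:
        self._fetcher = fetcher
        self._clock = clock
        self._skew = skew  # refresh this many seconds before expiry
        self._profiles: Dict[str, frozenset] = {}
        # (proxy_key, backend) -> (token, absolute expiry time)
        self._cache: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def register(self, proxy_key: str, backends: Iterable[str]) -> None:
        """Create the key profile: the backends this proxy key may reach."""
        self._profiles[proxy_key] = frozenset(backends)

    def authorization_for(self, proxy_key: str, backend: str) -> str:
        """Return the Authorization header value for a backend call."""
        allowed = self._profiles.get(proxy_key)
        if allowed is None or backend not in allowed:
            # Fail closed: unknown key or backend outside the profile.
            raise PermissionError("proxy key not authorised for backend")
        token, expires_at = self._cache.get((proxy_key, backend), ("", 0.0))
        if self._clock() >= expires_at - self._skew:
            # Missing or about to expire: obtain a fresh external token.
            token, lifetime = self._fetcher(proxy_key, backend)
            expires_at = self._clock() + lifetime
            self._cache[(proxy_key, backend)] = (token, expires_at)
        return "Bearer " + token


if __name__ == "__main__":
    # Constructed sample: a fake token endpoint issuing one-hour tokens.
    issued = []
    def fake_endpoint(key: str, backend: str) -> Tuple[str, float]:
        issued.append(backend)
        return (f"tok-{backend}-{len(issued)}", 3600.0)

    proxy = KeyProxy(fake_endpoint)
    proxy.register("proxy-key-A", ["billing", "crm"])
    proxy.authorization_for("proxy-key-A", "billing")
    proxy.authorization_for("proxy-key-A", "billing")
    print("token endpoint calls:", issued)
```

The clock is injectable so expiry handling can be exercised without waiting, and the returned header value should be kept out of logs.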
