Hi,

This is related to the API manager integration with EMM. To describe more
on the use case, we are trying to protect some of the EMM APIs (for now only
Android) using API manager. For this we have included the API manager
features in the EMM pack along with the publisher and API store Jaggery apps.

We have discussed 2 approaches on this in Dev [1] other than the approach
discussed in [2]. After discussing with Shan we are going ahead with
approach 1, which is discussed in thread [1]: to have one consumer
key and consumer secret for the super tenant space and make it available for
all other tenants. So at any time an EMM server instance will only contain
one consumer key and a consumer secret.

While progressing in the development I have faced some issues, which need
to be clearly defined and addressed.

Since the above APIs are Android related, these should be published and
subscribed in advance. What I was asked to do is to automatically publish
and subscribe APIs into the API manager. After discussing with Sumedha we
thought of doing it using the API manager REST API.

In order to publish I went through the publisher APIs which appear in the API
manager doc [3]. This requires login to the system in advance. I looked into
the API manager code on this. As an example, if you look at the add publisher
API at location publisher/site/blocks/item-add/ajax/add.jag, this has a
validation to check the current user (session.get("logged.user")). So it
fails from this point. I see the following issues on this.

1) API manager does not accept a SAML token, hence we need to call the login
URL first to get a valid session in API publisher. Is there any way we can
achieve this?

2) If we are to call the login API of API manager we should keep the
username or password in some place like a configuration file. I know
AppFactory does this where they keep admin credentials in appfactory.xml for
the purpose of WSRequests. Is it OK to follow something like this?

3) If we keep the username and password in a configuration file it should be
super admin credentials since we need to publish/subscribe using that
account to be available for all other users. What if someone changes the
credentials from the Carbon console before logging into EMM?

4) Not sure whether there are Jaggery listeners for context initialization
as in the servlet spec (I know they have implemented listeners for session
though). Otherwise we have to publish/subscribe these at first time login,
which is a bit of a non-standard way of doing things.

5) Since we have one consumer key and secret, if it is compromised how do we
revoke it? How do mobile apps adhere to this change, since they store these
securely in the sandbox the first time? I believe dynamic consumer
key/secret generation minimizes this issue and it affects only a minimal set
of devices rather than all the devices in the system.
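To make issue 1 concrete, the following is an added, self-contained Python
sketch (not code from the mail, from EMM or from API manager). It models the
behaviour described above: the item-add endpoint checks
session.get("logged.user") and rejects the call unless a login has
established a session first, so a bootstrap script has to log in and carry
the session cookie into the publish call. The publisher is replaced by an
in-memory stand-in so it runs offline; the login path, the "action" values
and the environment variable names are assumptions, not taken from the mail,
and the credentials are sample values constructed for the example.

```python
"""Simulated login-then-publish flow against a session-gated publisher."""
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# add.jag path is the one named in the mail; the login path is an assumed
# APIM 1.x layout and must be checked against the real deployment.
LOGIN_PATH = "publisher/site/blocks/user/login/ajax/login.jag"
ADD_PATH = "publisher/site/blocks/item-add/ajax/add.jag"


@dataclass
class FakePublisher:
    """In-memory stand-in for the Jaggery publisher; only the session check matters."""
    users: Dict[str, str]                                   # username -> password (constructed)
    sessions: Dict[str, dict] = field(default_factory=dict) # cookie -> {"logged.user": name}
    published: List[Tuple[str, str]] = field(default_factory=list)

    def post(self, path: str, params: dict, cookie: Optional[str] = None):
        """Return (json_body, cookie) the way an HTTP client would see it."""
        if path == LOGIN_PATH:
            if self.users.get(params.get("username")) != params.get("password"):
                return {"error": True, "message": "invalid credentials"}, None
            cookie = secrets.token_hex(16)                  # new JSESSIONID-like value
            self.sessions[cookie] = {"logged.user": params["username"]}
            return {"error": False}, cookie
        if path == ADD_PATH:
            session = self.sessions.get(cookie or "", {})
            if session.get("logged.user") is None:          # mirrors the add.jag validation
                return {"error": True, "message": "Please login first"}, cookie
            self.published.append((session["logged.user"], params["name"]))
            return {"error": False}, cookie
        return {"error": True, "message": "unknown path"}, cookie


class PublisherClient:
    """Minimal client: login once, reuse the session cookie for publisher calls."""

    def __init__(self, transport):
        self.transport = transport      # FakePublisher here; an HTTP session in real use
        self.cookie: Optional[str] = None

    def login(self, username: str, password: str) -> bool:
        body, cookie = self.transport.post(
            LOGIN_PATH, {"action": "login", "username": username, "password": password})
        if body["error"]:
            raise PermissionError(body["message"])
        self.cookie = cookie
        return True

    def add_api(self, name: str, context: str, version: str) -> bool:
        body, _ = self.transport.post(
            ADD_PATH,
            {"action": "addAPI", "name": name, "context": context, "version": version},
            self.cookie)
        return not body["error"]


def load_admin_credentials(env=os.environ) -> Tuple[str, str]:
    """Read bootstrap credentials from the environment rather than a plaintext
    file on disk (variable names are assumptions for this example)."""
    try:
        return env["EMM_APIM_ADMIN_USER"], env["EMM_APIM_ADMIN_PASS"]
    except KeyError as exc:
        raise RuntimeError(f"missing credential variable {exc.args[0]}") from None


def bootstrap_android_apis(transport, username: str, password: str,
                           apis: List[Tuple[str, str, str]]) -> List[bool]:
    """Log in once, then publish every (name, context, version) tuple."""
    client = PublisherClient(transport)
    client.login(username, password)
    return [client.add_api(*api) for api in apis]


if __name__ == "__main__":
    publisher = FakePublisher(users={"admin": "admin"})     # constructed sample account
    print(bootstrap_android_apis(publisher, "admin", "admin",
                                 [("AndroidDevices", "/android/devices", "1.0.0")]))
```

Run against the stand-in, the publish call returns an error until login has
populated "logged.user" in the session, which is exactly the failure seen in
add.jag; the same sequencing applies to a real HTTP client, where the cookie
from the login response has to be sent with the later requests.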

Let me know your thoughts on these.


[1] - [Dev]Securing the APIs on EMM in multi tenant environment
[2] - [Dev]EMM OAuth Implementation - Android - Storing Consumer Secret
[3] - https://docs.wso2.org/display/AM170/Publisher+APIs


Regards,

Dilshan

-- 
Dilshan Edirisuriya
Senior Software Engineer - WSO2
Mob: + 94 777878905
http://wso2.com/
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
