IMO storing username and password is not the recommended way. So +1 for
oauth security. Maybe we can have both oauth and basic auth if needed. But
if these endpoints are for third party developers who will write some
client code using it, I think oauth is the best way.

Thanks & Regards
Danushka Fernando
Software Engineer
WSO2 inc. http://wso2.com/
Mobile : +94716332729

On Fri, Oct 17, 2014 at 10:17 AM, Dulanja Liyanage <[email protected]> wrote:

> Hi,
>
> The API can be secured using either BasicAuth or OAuth. WSO2 IS SCIM
> endpoint is one example.
>
> If BasicAuth used, client side might have to store the username/password.
>
> If OAuth used, and the API is accessed via a browser, user can be
> redirected to the authorization Server to get authenticated, which removes
> the risk of having user credentials at client side.
>
> In either way, SSL should be used to avoid Man-in-the-middle attacks
>
> Hope this helps.
>
> Thanks
> Dulanja
>
> On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <[email protected]>
> wrote:
>
>> Hi all,
>>
>> I have implemented ES Publisher REST API in order to access and perform
>> CRUD operations on ES -BackOffice.
>>
>> Each endpoint is authenticated by a valid Session-ID, passed to the
>> endpoint in request header.
>>
>> In order to obtain a session-ID we have implemented a separate
>> authenticate REST endpoint. A user can send username and password in the
>> POST request to this endpoint and if credentials are valid a session-id
>> will be returned.
>>
>> Currently, no encryption or other (basic-auth/oauth) authorization
>> mechanism is yet implemented.
>>
>> What would be the lightweight and best way to secure this
>> 'authentication' endpoint? Is there a particular wso2 way of doing this?
>>
>> Thanks!
>> - Ayesha
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: [email protected] <[email protected]>
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Dulanja Liyanage
> WSO2 Inc.
> M: +94776764717
>
>
>