Hi Sanjeewa, Currently the key validation is done inside OAuthAuthenticator. what i’m planning to do is to get the key from query parameter if key is not available in the Authentication Header.
regards On Mon, Nov 24, 2014 at 2:12 PM, Sanjeewa Malalgoda <[email protected]> wrote: > IMO we should add configuration to key validation entry point (in gateway > authentication handler). With this configuration we should be able to > decide token accept as query param, transport header or both. If query > param authentication header enabled only we will retrieve token from query > params. Otherwise we will be looking at transport headers. Or we may be > able to look at both(transport header, query parameter) according to > defined order. WDYT? > > Thanks, > sanjeewa. > > On Mon, Nov 24, 2014 at 11:40 AM, Nuwan Dias <[email protected]> wrote: > >> In general, it is understood that it is bad practice. But its mentioned >> in the OAuth 2.0 spec, so IMO as a product we should support it but mention >> implications on the docs clearly. >> >> In scenarios where the communication between the client and server are >> guaranteed to be safe, its ok to pass the information in the url IMO. Ex: >> For systems communicating internally only. With the IoT stuff building up, >> I presume there could be more valid uses of this. >> >> Thanks, >> NuwanD. >> >> On Mon, Nov 24, 2014 at 11:33 AM, Gayan Gunawardana <[email protected]> >> wrote: >> >>> >>> >>>> >>>> On Sat, Nov 22, 2014 at 12:50 PM, Harsha Kumara <[email protected]> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> As Johann mentioned, if the specification defined sending token as the >>>>> query param, we needs to support it and implement as specification >>>>> specified. But again the user who going to use it needs to know aware of >>>>> the security issues cause by using token as query param. Also the >>>>> specification specified that it's discourage to use this approach. IMO If >>>>> we support it, we shouldn't use in our products unless if there is any >>>>> specific reason. >>>>> >>>> >>> What would be the particular use case to send access token in query >>> String. This is a bad practice according to many real world use cases [1]. >>> >>> [1] >>> http://www.thread-safe.com/2013/10/latest-facebook-security-vulnerability.html >>> -- >>> Gayan Gunawardana >>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>> Email: [email protected] >>> Mobile: +94 (71) 8020933 >>> >>> _______________________________________________ >>> Architecture mailing list >>> [email protected] >>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>> >>> >> >> >> -- >> Nuwan Dias >> >> Associate Tech Lead - WSO2, Inc. http://wso2.com >> email : [email protected] >> Phone : +94 777 775 729 >> >> _______________________________________________ >> Architecture mailing list >> [email protected] >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > > > -- > > *Sanjeewa Malalgoda* > WSO2 Inc. > Mobile : +94713068779 > > <http://sanjeewamalalgoda.blogspot.com/>blog > :http://sanjeewamalalgoda.blogspot.com/ > <http://sanjeewamalalgoda.blogspot.com/> > > > > _______________________________________________ > Architecture mailing list > [email protected] > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- *Sam Sivayogam* Software Engineer Mobile : +94 772 906 439 Office : +94 112 145 345 *WSO2, Inc. :** wso2.com <http://wso2.com/>* lean.enterprise.middleware.
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
