Hi All,

During the API Manager Key Manager separation, we identified that we will need to authenticate to identity components as the signed-in user instead of the admin user which is pre-configured in the api-manager configuration.

For example, let's say we have two users called subscriber1 and subscriber2. When creating OAuth Applications we have to call the OAuth Admin Service as a particular user, so that this user can retrieve his/her applications only. For this purpose we are facing two issues.

1) The user has to sign in to the Identity side admin services with basic authentication (using username and password). But the password is not available in the API store for this requirement.
2) The user has to have permissions defined for the particular admin service. In this case the user needs to have the "/permission/admin/manage" permission to access the OAuth Admin Service.

As a solution for the first issue we can use mutual-auth, so that the identity server (Key Manager) can trust the API store when accessing admin services.

For the second problem, one option we identified is changing the permission required for the OAuth Admin Service. So from the API Manager side we can give that required permission to API store users (users who have the subscriber role). For this we will need to patch the IS component to achieve this requirement.

Please let us know if you have any concerns/thoughts about this.

Thank You.
Ranga.

--
Ranga Siriwardena
Software Engineer
WSO2 Inc.
