With mutual-auth, authentication happens for a particular user and the user name is sent as a header for authentication. If the client is trusted and the user is a valid user, then that user is identified as the signed-in user.

Thank You.
Ranga.

On Mon, Feb 23, 2015 at 5:52 PM, Nuwan Dias <[email protected]> wrote:

> On Mon, Feb 23, 2015 at 5:43 PM, Ranga Siriwardena <[email protected]> wrote:
>
>> Hi All,
>>
>> During the API Manager Key Manager separation, we identified that we will need to authenticate to identity components as signed in user instead of admin user which is pre-configured in api-manager configuration.
>>
>> For example, Let's say we have two users called subscriber1 and subscriber2. When creating OAuth Applications we have to call OAuth Admin Service as particular user so that, this user can retrieve his/her applications only. For this purpose we are facing two issues.
>>
>> 1) User has to sign in to Identity side admin services with basic authentication (using username and password). But password is not available in API store for this requirement.
>>
>> 2) User has to have permissions defined for particular admin service. In this case user needs to have "/permission/admin/manage" permission to access OAuth Admin Service.
>>
>> As a solution for the first issue we can use mutual-auth, so that identity server(Key Manager) can trust API store when accessing admin services.
>
> How does mutual-auth solve this problem? Say 'ranga' logs into the Store, how does the Store ask the admin service to fetch ranga's OAuth apps only?
>
>> For the second problem, one option we identified is changing permission required for OAuth Admin Service. So from API Manager side we can give that required permission to API store users (users who have subscriber role). For this we will need to patch IS component to achieve this requirement.
>>
>> Please let us know if you have any concerns/thoughts about this.
>>
>> Thank You.
>> Ranga.
>>
>> --
>> Ranga Siriwardena
>> Software Engineer
>> WSO2 Inc.
>
> --
> Nuwan Dias
>
> Associate Tech Lead - WSO2, Inc.
> http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
Ranga Siriwardena
Software Engineer
Mobile: +94779808031
WSO2 Inc.
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
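
The flow discussed in this thread, as an added example that is not part of the original messages and is not WSO2 code: the service accepts the user name from a header only when the TLS peer presented a trusted client certificate, then checks that the user is valid, holds the required permission, and sees only their own applications. The header name, certificate fingerprint, user store and application list are constructed assumptions for illustration.

```python
"""Header-asserted user identity behind mutual TLS (illustrative sketch)."""

# Constructed sample data; every value below is hypothetical.
TRUSTED_CLIENT_FINGERPRINTS = {"aa11" * 16}   # SHA-256 of the API Store client cert
USER_HEADER = "X-Asserted-User"               # assumed header name, not from the thread
REQUIRED_PERMISSION = "/permission/admin/manage"
USERS = {
    "subscriber1": {REQUIRED_PERMISSION},
    "subscriber2": set(),                     # valid user without the permission
}
OAUTH_APPS = [
    {"name": "app-one", "owner": "subscriber1"},
    {"name": "app-two", "owner": "subscriber2"},
]


class AuthError(Exception):
    """Raised when the request must not be served."""


def authenticate(peer_cert_fingerprint, headers):
    """Return the asserted user name, but only for a trusted TLS peer.

    peer_cert_fingerprint comes from the TLS layer (None when no client
    certificate was presented); it must never come from request data.
    """
    if peer_cert_fingerprint not in TRUSTED_CLIENT_FINGERPRINTS:
        # An untrusted caller could put any name in the header: ignore it.
        raise AuthError("client certificate not trusted; user header ignored")
    user = headers.get(USER_HEADER, "")
    if user not in USERS:
        raise AuthError("asserted user is not a valid user")
    return user


def list_oauth_apps(peer_cert_fingerprint, headers):
    """Return only the applications owned by the authenticated user."""
    user = authenticate(peer_cert_fingerprint, headers)
    if REQUIRED_PERMISSION not in USERS[user]:
        raise AuthError("user lacks " + REQUIRED_PERMISSION)
    return [app["name"] for app in OAUTH_APPS if app["owner"] == user]
```
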
