Actually in the mutual authenticator we check for the certificate in the
header, which will be set only if mutual auth is successful.
So the idea here is, since the server trusts the client, we trust the user.
BTW, the mutual authenticator has problems with AWS ELB. So this won't be able
to be used in such places. So in AF we went for the signed JWT authenticator due to
this issue.
On Feb 23, 2015 6:00 PM, "Ranga Siriwardena" <[email protected]> wrote:

> With mutual-auth, authentication happens for a particular user and the user
> name is sent as a header for authentication. If the client is trusted and
> the user is a valid user, then that user is identified as the signed-in
> user.
>
> Thank You.
> Ranga.
>
> On Mon, Feb 23, 2015 at 5:52 PM, Nuwan Dias <[email protected]> wrote:
>
>>
>>
>> On Mon, Feb 23, 2015 at 5:43 PM, Ranga Siriwardena <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> During the API Manager Key Manager separation, we identified that we
>>> will need to authenticate to identity components as the signed-in user instead
>>> of the admin user which is pre-configured in the api-manager configuration.
>>>
>>> For example, let's say we have two users called subscriber1 and
>>> subscriber2. When creating OAuth Applications we have to call the OAuth Admin
>>> Service as a particular user so that this user can retrieve only his/her
>>> applications. For this purpose we are facing two issues.
>>>
>>> 1) The user has to sign in to Identity side admin services with basic
>>> authentication (using username and password). But the password is not available
>>> in the API Store for this requirement.
>>>
>>> 2) The user has to have permissions defined for the particular admin service. In
>>> this case the user needs to have the "/permission/admin/manage" permission to access
>>> the OAuth Admin Service.
>>>
>>>
>>> As a solution for the first issue we can use mutual-auth, so that the
>>> identity server (Key Manager) can trust the API Store when accessing admin
>>> services.
>>>
>>
>> How does mutual-auth solve this problem? Say 'ranga' logs into the Store,
>> how does the Store ask the admin service to fetch ranga's OAuth apps only?
>>
>>>
>>> For the second problem, one option we identified is changing the permission
>>> required for the OAuth Admin Service. So from the API Manager side we can give that
>>> required permission to API Store users (users who have the subscriber role). For
>>> this we will need to patch the IS component to achieve this requirement.
>>>
>>> Please let us know if you have any concerns/thoughts about this.
>>>
>>> Thank You.
>>> Ranga.
>>>
>>> --
>>> Ranga Siriwardena
>>> Software Engineer
>>> WSO2 Inc.
>>>
>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Associate Tech Lead - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>>
>
>
>
> --
> Ranga Siriwardena
> Software Engineer
> Mobile: +94779808031
> WSO2 Inc.
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
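The trusted-client check the thread describes, as an added example that is not code from the thread or from WSO2: the transport sets the certificate header only from a client certificate it verified itself, any client-supplied copy of that header is dropped, and the username header is honoured only when the verified CN belongs to a trusted client. The header names, the trusted CN, and the `Request` model are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Header names are assumptions for this example, not WSO2's actual names.
CERT_HEADER = "X-Client-Cert-CN"      # set by the transport after a verified handshake
USER_HEADER = "X-Authenticated-User"  # the user the trusted client vouches for
TRUSTED_CLIENTS = {"api-store.example.com"}  # constructed CN of the API Store's cert


@dataclass
class Request:
    headers: dict
    # CN of the client certificate verified by THIS host's TLS handshake, or None
    # when no mutual auth happened (plain HTTP, or TLS terminated upstream, e.g.
    # by a load balancer that does not forward the client certificate).
    verified_peer_cn: Optional[str] = None


def transport_inbound(req: Request) -> Request:
    """Model the transport layer: drop any client-supplied copy of CERT_HEADER,
    then set it only from a certificate this host verified itself."""
    req.headers = {k: v for k, v in req.headers.items() if k != CERT_HEADER}
    if req.verified_peer_cn is not None:
        req.headers[CERT_HEADER] = req.verified_peer_cn
    return req


def authenticate(req: Request) -> Optional[str]:
    """Return the signed-in username, or None when the request must not be trusted."""
    req = transport_inbound(req)
    client_cn = req.headers.get(CERT_HEADER)
    if client_cn not in TRUSTED_CLIENTS:
        # Either no verified certificate reached this host (the AWS ELB case in
        # the thread) or the certificate belongs to a client we do not trust.
        return None
    # The server trusts the client, so it accepts the user the client asserts.
    user = req.headers.get(USER_HEADER, "").strip()
    return user or None
```

A forged `X-Client-Cert-CN` sent by an untrusted caller is stripped before the check, so it cannot substitute for a verified handshake.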