On Mon, Feb 23, 2015 at 5:43 PM, Ranga Siriwardena <[email protected]> wrote:

> Hi All,
>
> During the API Manager Key Manager separation, we identified that we will
> need to authenticate to identity components as the signed-in user instead of
> the admin user which is pre-configured in the api-manager configuration.
>
> For example, let's say we have two users called subscriber1 and
> subscriber2. When creating OAuth Applications we have to call the OAuth Admin
> Service as a particular user, so that this user can retrieve his/her
> applications only. For this purpose we are facing two issues.
>
> 1) The user has to sign in to the Identity-side admin services with basic
> authentication (using username and password). But the password is not available
> in the API store for this requirement.
>
> 2) The user has to have permissions defined for the particular admin service. In
> this case the user needs to have the "/permission/admin/manage" permission to access
> the OAuth Admin Service.
>
>
> As a solution for the first issue we can use mutual-auth, so that the identity
> server (Key Manager) can trust the API store when accessing admin services.
>
> For the second problem, one option we identified is changing the permission
> required for the OAuth Admin Service. So from the API Manager side we can give that
> required permission to API store users (users who have the subscriber role). For
> this we will need to patch the IS component to achieve this requirement.
>
I think mutual SSL will resolve the 1st issue, as Ranga mentioned.

For the second issue we may create a new service with only the operations required by
non-admin users and associate a loose set of permissions with it (I didn't
look at the operations in the service, but assume there are some admin operations
and non-admin operations).

Thanks,
sanjeewa.

>
> Please let us know if you have any concerns/thoughts about this.
>
> Thank You.
> Ranga.
>
> --
> Ranga Siriwardena
> Software Engineer
> WSO2 Inc.
>



-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture