Hi Colin,

Thanks for bringing this concern up. In fact, at the moment, when we call the admin service to fetch OAuth client details by consumer key, we internally pass the user name too. Hence the ability to abuse the consumer key is minimal. However, we understand that as an additional security feature it is far better to accept the consumer secret as well. We will add a new text box to accept the consumer secret via the UI. Then we can do the back-end validation against the consumer secret too.
Thanks.

Regards
Roshan.

On Wed, Mar 11, 2015 at 12:37 AM, Colin Roy-Ehri <[email protected]> wrote:

> Hi Roshan,
>
> I think this is an awesome new feature. +1
>
> I see a small security concern with associating an OAuth client only with
> the consumer key. If they use the consumer key, they will then be able to
> view the consumer secret. This could be abused as a way to fetch the
> secret key. Perhaps both consumer key and secret should be necessary when
> tying a new app to an existing OAuth client. Alternately, you could obscure
> the secret for apps created like this (but that would require deeper
> modification).
>
> Cheers,
> Colin Roy-Ehri
> Software Engineer
> WSO2, Inc. : wso2.com <http://wso2.com/>
> Mobile : 812-219-6517
>
> On Tue, Mar 10, 2015 at 12:59 AM, Roshan Wijesena <[email protected]> wrote:
>
>> Hi Isabelle,
>>
>> We could see two possible use cases, as below.
>>
>> First, let's say a person uses an external authorization server and it
>> contains already created OAuth clients. Assume that the user might want to
>> use WSO2 API Manager with that particular authorization server as a key
>> manager. In that case, if he/she wants to associate already existing OAuth
>> clients with API Manager applications, there should be a way to do it.
>>
>> Second, there might be a situation where a user wants to create OAuth
>> clients in their authorization server manually (for example by using an
>> API, such as the Dynamic Client Registration API in OpenID Connect). Then
>> later the user logs in to APIM and creates an APIM application, and instead
>> of creating a new OAuth client he/she should be able to associate that
>> manually created OAuth client with the API Manager application.
>>
>> Both of the above use cases are more or less the same. The basic idea of
>> this feature is that the store user will be given an opportunity to
>> associate their manually created OAuth clients with API Manager.
>>
>> Hi NuwanD,
>>
>> Yes, if they disable this feature from the config file it will only show
>> the 'Generate' button. And these options are available for both production
>> and sandbox environments.
>>
>> Regards
>> Roshan.
>>
>> On Mon, Mar 9, 2015 at 7:39 PM, Nuwan Dias <[email protected]> wrote:
>>
>>> On Mon, Mar 9, 2015 at 6:21 PM, Isabelle Mauny <[email protected]> wrote:
>>>
>>>> I am not clear who the target user is or what the use case is. Can you
>>>> share that please?
>>>>
>>>> Isabelle.
>>>>
>>>> -------------------------------------------------------------------------------------
>>>> Isabelle Mauny
>>>> VP, Product Management - WSO2, Inc. - http://wso2.com/
>>>>
>>>> On Fri, Mar 6, 2015 at 5:08 PM, Roshan Wijesena <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> When providing the capability to plug in an external authorization
>>>>> server for managing tokens and clients, a need may also arise to
>>>>> associate already existing OAuth clients with applications created in
>>>>> API Manager.
>>>>>
>>>>> We are working on a solution to cater to the above requirement. When
>>>>> users log in to the store and navigate to the subscription page, they
>>>>> can decide whether they want to create an entirely new OAuth client or
>>>>> associate an existing OAuth client with the application on the APIM
>>>>> side. Users can associate an existing OAuth app by enabling a check box.
>>>>> If they check the option, they will be given a text box to enter the
>>>>> consumer key of the OAuth client. Once users click on the Generate
>>>>> button we will create a new mapping for that consumer key with the API
>>>>> Manager application.
>>>>>
>>>>> If someone wants to disable this feature completely they can turn it
>>>>> off by changing a config setting in the api-manager.xml config file.
>>>>>
>>> So if they disable it we will only show the 'Generate' button? Also,
>>> these options are enabled for both 'Production' and 'Sandbox' as well,
>>> right?
>>>
>>>>> Regards
>>>>> Roshan.
>>>>>
>>>>> --
>>>>> Roshan Wijesena.
>>>>> Senior Software Engineer-WSO2 Inc.
>>>>> Mobile: +94719154640
>>>>> Email: [email protected]
>>>>> WSO2, Inc. : wso2.com <http://wso2.com/>
>>>>> lean.enterprise.middleware.
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Associate Tech Lead - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>
>> --
>> Roshan Wijesena.
>> Senior Software Engineer-WSO2 Inc.
>> Mobile: +94719154640
>> Email: [email protected]
>> WSO2, Inc. : wso2.com <http://wso2.com/>
>> lean.enterprise.middleware.
>

--
Roshan Wijesena.
Senior Software Engineer-WSO2 Inc.
Mobile: +94719154640
Email: [email protected]
WSO2, Inc. : wso2.com <http://wso2.com/>
lean.enterprise.middleware.
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
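Editor's note, added illustration (not WSO2 code and not part of the thread): the exchange above is about what an "associate an existing OAuth client" feature must check before it maps a client to a store application. The model below contrasts the key-only variant Colin objects to (anyone who learns a consumer key can map it to their own application and read the secret back from the store page) with a hardened variant that requires both the ownership check Roshan describes and proof of possession of the consumer secret. The client registry, user names, keys, secrets and function names are all constructed for this example; a real key manager would look the client up in the external authorization server instead.

```python
"""Key-only vs. key+secret association of an existing OAuth client.

Added example for this thread; everything here is a constructed stand-in."""

import hmac
import secrets

# Constructed sample registry: what an external authorization server knows
# about its OAuth clients (consumer key -> owner and consumer secret).
# The "owner" field is an assumption; it models the user-name check that the
# thread says is already passed to the admin service.
CLIENT_REGISTRY = {
    "abc123key": {"owner": "alice", "secret": "alice-secret"},
    "def456key": {"owner": "bob", "secret": "bob-secret"},
}

# (store user, application name) -> consumer key: the mapping the store
# would persist once an existing client is associated with an application.
APP_MAPPINGS = {}


def associate_by_key_only(user, app_name, consumer_key,
                          registry=CLIENT_REGISTRY, mappings=APP_MAPPINGS):
    """Weak variant: knowing the consumer key is enough to create the mapping.

    Nothing proves the caller owns the client or holds its secret, so a key
    picked up from logs, URLs or a screenshot is sufficient."""
    if consumer_key not in registry:
        raise LookupError("unknown consumer key")
    mappings[(user, app_name)] = consumer_key
    return True


def show_credentials(user, app_name,
                     registry=CLIENT_REGISTRY, mappings=APP_MAPPINGS):
    """What the store's subscription page displays for a mapped application.

    With the weak variant this is the disclosure path: the mapped client's
    secret is shown to whoever created the mapping."""
    key = mappings[(user, app_name)]
    return key, registry[key]["secret"]


def associate_with_secret(user, app_name, consumer_key, consumer_secret,
                          registry=CLIENT_REGISTRY, mappings=APP_MAPPINGS):
    """Hardened variant: caller must present key AND secret, and the client
    must belong to the calling user. Returns True when mapped, False when
    refused; nothing is persisted on refusal.

    Both failure causes produce the same result so the response does not
    reveal whether the key exists, who owns it, or which value was wrong."""
    record = registry.get(consumer_key)
    # Unknown key: compare against a throwaway value so the code path and
    # timing look the same as for a known key with a wrong secret.
    expected = record["secret"] if record else secrets.token_hex(16)
    presented = consumer_secret or ""
    secret_ok = hmac.compare_digest(expected.encode(), presented.encode())
    owner_ok = record is not None and record["owner"] == user
    if not (secret_ok and owner_ok):
        return False
    mappings[(user, app_name)] = consumer_key
    return True


if __name__ == "__main__":
    # Mallory knows only alice's consumer key.
    associate_by_key_only("mallory", "evil-app", "abc123key")
    print("key-only mapping leaks:", show_credentials("mallory", "evil-app"))
    print("key-only against hardened check:",
          associate_with_secret("mallory", "evil-app2", "abc123key", None))
    print("right secret, wrong owner:",
          associate_with_secret("mallory", "evil-app2", "abc123key", "alice-secret"))
    print("owner with secret:",
          associate_with_secret("alice", "my-app", "abc123key", "alice-secret"))
```

The ownership check alone does not close the hole if the store user is also the owner recorded in the authorization server but is not the party who should be handling that secret (for example, a shared account); requiring the secret makes the mapping a proof of possession rather than a lookup. Also note that the hardened variant still returns the secret from the credentials page afterwards, which is fine only because the caller has just proven they already hold it.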
