On Friday, September 11, 2015, Manjula Rathnayake <[email protected]> wrote:
> Hi all, > > Above REST APIs are secured with username/password login. But there are > scenarios, where client(AF or any other server) do not have the password of > the user to login and invoke these APIs. One mechanism introduced was to > make use of SAML token of the logged in user of AF(another server) to > authenticate to REST APIs and invoke. > > We recently faced another issue with above SAML token based login approach > when we test the REST APIs with curl, http clients etc because we do not > have the password of the user or the SAML token of the user. > > So we need to allow clients to choose different authentication mechanism > based on different requirements. One such requirement is to authenticate on > behalf of another user(say on behalf on currently logged in user to one > server). To provide this requirement, we need to introduce new login method > similar to login(username, password), loginWithSAMLToken(token) as > loginWthSignedJWTToken(token) etc. > > Do we have another authentication mechanism implemented for REST APIs > similar to Carbon authenticators? As a quick fix, we can include above > method and get it done, But we need to come up with a proper > authentication mechanism, where we can configure multiple authentication > options etc for REST APIs. WDYT? > +1. Apart from the ones shipped with the product, currently the capability is not there to plug in a new authenticator for REST APIs. IIRC, while doing the Key Manager separation, a new authentication method was provided to sign in using an id_token.But not sure to what extent this would be helpful for your scenario. > thank you. > > -- > Manjula Rathnayaka > Associate Technical Lead > WSO2, Inc. > Mobile:+94 77 743 1987 >
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
