Hi Ishara IMO going forward it would be beneficial to stick to swagger standard it self to capture scopes in the API Definition. For that we can use a default security definition ie. "apim_default".
And if we look at the roles used in scope it is not part of the API definition or OAuth it is actually an authorization information for token API. As I see we have two options one is to use a vendor extension attribute ie "x-scope-roles" and make it a part of API definition or we can use a different config to pass that data. Also I would like to raise another problem that we have which is not being able to use the same scope key in two APIs which is somewhat limiting. Thanks & Regards Jo On Mon, Nov 7, 2016 at 1:53 PM, Malintha Amarasinghe <[email protected]> wrote: > Hi Ishara, > > On Mon, Nov 7, 2016 at 1:24 PM, Ishara Cooray <[email protected]> wrote: > >> Hi, >> >> According to the current APIM 2.0 implementation it supports Swagger 2.0 >> yet using the old custom security definition >> *x-wso2-security* >> Swagger 2.0 we can use a declaration of the security schemes as below. >> >> api_key: >> type: apiKey >> name: api_key >> in: headerpetstore_auth: >> type: oauth2 >> authorizationUrl: http://swagger.io/api/oauth/dialog >> flow: implicit >> scopes: >> write:pets: modify pets in your account >> read:pets: read your pets >> >> But this *does not have* the support for *roles* as we do in custom >> security definition *x-wso2-security *as below. >> x-wso2-security: >> apim: >> x-wso2-scopes: >> - description: "" >> roles: admin >> name: apim:api_view >> key: apim:api_view >> >> According to the current REST API scope validation implementation [1] it >> only validates scopes but not roles. >> > AFAIU we should do role validation at the time a user getting an access > token for a particular scope invoking /token API? So at REST API level > scope validation will be enough. > > >> So for C5 what could be the definition to supported? >> I think we can drop *x-wso2-security *and stick to Swagger OOTB support >> but again there should be a custom way to support roles. >> >> Or shall we continue to use *x-wso2-security *until Swagger OOTB support >> for roles? >> >> Appreciate your input on this. >> >> >> [1] https://github.com/wso2/carbon-apimgt/blob/master/components >> /apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/ >> java/org/wso2/carbon/apimgt/rest/api/util/impl/WebAppAuthe >> nticatorImpl.java >> >> Thanks & Regards, >> Ishara Cooray >> Senior Software Engineer >> Mobile : +9477 262 9512 >> WSO2, Inc. | http://wso2.com/ >> Lean . Enterprise . Middleware >> >> _______________________________________________ >> Architecture mailing list >> [email protected] >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > > > -- > Malintha Amarasinghe > Software Engineer > *WSO2, Inc. - lean | enterprise | middleware* > http://wso2.com/ > > Mobile : +94 712383306 > -- -- *Joseph Fonseka* WSO2 Inc.; http://wso2.com lean.enterprise.middleware mobile: +94 772 512 430 skype: jpfonseka * <http://lk.linkedin.com/in/rumeshbandara>*
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
