Hi All, I agree with Nuwans points to use OAuth to secure the product APIs. But My suggestion is to keep OAuth as the default security model and allow the capability to plug other authentication and authorization mechanism to secure Product APIs. We can ship. OAuth2, Mutual SSL, Basic Auth and configure OAuth as the default mechanism.
-Ishara On Mon, Jan 16, 2017 at 9:43 AM, Nuwan Dias <nuw...@wso2.com> wrote: > > > On Mon, Jan 16, 2017 at 9:38 AM, Bhathiya Jayasekara <bhath...@wso2.com> > wrote: > >> Hi all, >> >> I'd like to add another related concern here. There can be internal APIs >> (server to server) which may not be exposed to the outside. For example, >> context loading and subscription loading APIs between API Gateway and API >> Core. For them, I don't think we need OAuth or any kind of authorization >> mechanism because it simply needs some kind of authentication mechanism >> only. I believe we can use mutual SSL for this. But since these APIs are >> msf4j services, we will need per-service mutual SSL support from msf4j. >> > > Yes, that makes sense. I don't think we should categorize those as product > APIs since they're meant for internal components of the product to > communicate with each other. > >> >> Thanks, >> Bhathiya >> > > > > -- > Nuwan Dias > > Software Architect - WSO2, Inc. http://wso2.com > email : nuw...@wso2.com > Phone : +94 777 775 729 <+94%2077%20777%205729> > > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- Ishara Karunarathna Associate Technical Lead WSO2 Inc. - lean . enterprise . middleware | wso2.com email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture