Hi Gayan,

What are you trying to achieve by moving the client-secret validation logic to the interceptor from the JAX-RS layer? Since both run on the same JVM, doesn't the overhead of the process remain the same, irrespective of where it runs?
Thanks,
NuwanD.

On Tue, Apr 25, 2017 at 12:27 PM, Gayan Gunawardana <[email protected]> wrote:
> Hi All,
>
> In OAuth the /token endpoint and /revoke endpoint
>
> https://localhost:9443/oauth2/token
> https://localhost:9443/oauth2/revoke
>
> require authorization with the client key and client secret in basic auth headers. Currently in the implementation we validate those headers after serving the request to the JAX-RS endpoints. Basically the /token and /revoke endpoints are unsecured. A significant amount of processing happens even for a wrong client secret.
>
> Since we have a REST API interceptor layer in IS 5.3.0, can we use it to validate client credentials? We may need to plug in an additional authenticator to validate the client key and client secret in basic auth headers. This authenticator may conflict with the basic authenticator because both authenticators validate basic auth credentials in different ways. There are two approaches to avoid the conflict.
>
> *#option 01*
> Increase the priority of the newly added authenticator and check the context inside the authenticator's canHandle.
>
> *#option 02*
> Increase the priority of the newly added authenticator and check the existence of the OAuth application from the client key.
>
> WDYT?
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
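The two options Gayan describes (claim the request by path inside canHandle, or claim it only when the client key belongs to a registered OAuth application) behave differently when the same Basic header could also be a user-store login. The following is an added, stand-alone model of an interceptor authenticator chain written for this thread; it is not WSO2 Identity Server code, and the Request, Authenticator, can_handle/authenticate, priority, OAUTH_PATHS and demo names, plus the sample apps and users, are constructed assumptions. It shows a wrong client secret being rejected before the endpoint function ever runs, and how the two canHandle strategies resolve the conflict with the default basic authenticator.

```python
"""Added example (not WSO2 code): interceptor-layer authenticators for
/oauth2/token and /oauth2/revoke. All names and sample data are assumptions."""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

OAUTH_PATHS = {"/oauth2/token", "/oauth2/revoke"}  # endpoints named in the thread


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_basic_auth(header: Optional[str]) -> Optional[tuple]:
    """Decode 'Basic base64(id:secret)'; return None for anything malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    ident, secret = decoded.split(":", 1)
    return ident, secret


def digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def secret_matches(stored_digest: Optional[str], presented: str) -> bool:
    """Constant-time compare; an unknown identifier is compared against a dummy
    digest so a lookup miss costs the same as a wrong secret."""
    equal = hmac.compare_digest(stored_digest or digest(""), digest(presented))
    return equal and stored_digest is not None


class Authenticator:
    priority = 0  # higher priority runs first in the chain

    def can_handle(self, req: Request) -> bool:
        raise NotImplementedError

    def authenticate(self, req: Request) -> bool:
        raise NotImplementedError


class BasicAuthenticator(Authenticator):
    """Default behaviour: any Basic header is checked against user-store accounts."""
    priority = 10

    def __init__(self, user_digests: Dict[str, str]):
        self.user_digests = user_digests

    def can_handle(self, req: Request) -> bool:
        return parse_basic_auth(req.headers.get("Authorization")) is not None

    def authenticate(self, req: Request) -> bool:
        creds = parse_basic_auth(req.headers.get("Authorization"))
        return creds is not None and secret_matches(self.user_digests.get(creds[0]), creds[1])


class OAuthClientAuthenticator(Authenticator):
    """New authenticator: the Basic header carries client_id:client_secret.
    Option 01: claim by path only. Option 02: also require a registered app."""
    priority = 20

    def __init__(self, app_digests: Dict[str, str], require_registered_app: bool = False):
        self.app_digests = app_digests
        self.require_registered_app = require_registered_app

    def can_handle(self, req: Request) -> bool:
        creds = parse_basic_auth(req.headers.get("Authorization"))
        if req.path not in OAUTH_PATHS or creds is None:
            return False
        return (not self.require_registered_app) or creds[0] in self.app_digests

    def authenticate(self, req: Request) -> bool:
        creds = parse_basic_auth(req.headers.get("Authorization"))
        return creds is not None and secret_matches(self.app_digests.get(creds[0]), creds[1])


def handle(chain: List[Authenticator], req: Request, endpoint: Callable[[Request], str]) -> str:
    """The first authenticator (descending priority) that claims the request decides;
    a failed check returns 401 without ever invoking the endpoint."""
    for auth in sorted(chain, key=lambda a: a.priority, reverse=True):
        if auth.can_handle(req):
            return endpoint(req) if auth.authenticate(req) else "401 Unauthorized"
    return "401 Unauthorized"


def basic_header(ident: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{ident}:{secret}".encode()).decode()


APPS = {"client-abc": digest("s3cret-app")}   # constructed sample OAuth app
USERS = {"admin": digest("admin-pass")}       # constructed sample user-store account


def demo(require_registered_app: bool = False) -> Dict[str, object]:
    """Run constructed requests through the chain; count endpoint invocations."""
    calls = {"count": 0}

    def token_endpoint(req: Request) -> str:
        calls["count"] += 1            # the expensive JAX-RS work we want to skip
        return "200 token issued"

    chain = [BasicAuthenticator(USERS), OAuthClientAuthenticator(APPS, require_registered_app)]
    req = lambda path, i, s: Request(path, {"Authorization": basic_header(i, s)})
    results = {
        "good_secret": handle(chain, req("/oauth2/token", "client-abc", "s3cret-app"), token_endpoint),
        "bad_secret": handle(chain, req("/oauth2/token", "client-abc", "wrong"), token_endpoint),
        "unknown_client": handle(chain, req("/oauth2/revoke", "nobody", "x"), token_endpoint),
        "admin_on_oauth_path": handle(chain, req("/oauth2/token", "admin", "admin-pass"), token_endpoint),
        "admin_on_other_api": handle(chain, req("/api/identity/user", "admin", "admin-pass"), token_endpoint),
    }
    results["endpoint_calls"] = calls["count"]
    return results
```

Running `demo(False)` (option 01) shows a wrong or unknown client secret answered with 401 while the endpoint is invoked only for the valid client and for the unrelated API, and admin's user-store credentials are refused on /oauth2/token because the path check routes them to the OAuth authenticator. Running `demo(True)` (option 02) changes one outcome: a Basic header whose identifier is not a registered app falls through to the basic authenticator, so admin's credentials on /oauth2/token pass the interceptor and reach the endpoint, which then has to do its own client validation. That fall-through is the caveat to weigh when choosing between the two canHandle strategies.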
