Hi,

Are we securing event simulator APIs as well ?

@Damith, yes all APIs will be secured except the authentication API (login/logout)

Instead of only considering OAuth2 should we try to make this configurable ? (if not already so)

@Shiro, yes this is configurable, please refer [1] on other modes of configurations.

[1] [Architecture] Securing Product Apis and Product artifacts in Stream Processor.

On Mon, Oct 30, 2017 at 8:14 PM, Shiro Kulatilake <[email protected]> wrote:

> Hi Niveathika,
>
> Instead of only considering OAuth2 should we try to make this configurable ? (if not already so)
>
> Clients using the different APIs might have a preferred way of securing APIs in an organization and they would want to use the same to access these APIs also.
>
> Thank you,
> Shiro
>
> On Mon, Oct 30, 2017 at 8:03 PM, Mohanadarshan Vivekanandalingam <[email protected]> wrote:
>
>> On Mon, Oct 30, 2017 at 12:50 PM, Damith Wickramasinghe <[email protected]> wrote:
>>
>>> Hi Niveathika,
>>>
>>> Are we securing event simulator APIs as well ?
>>
>> We have to secure that as well. IMO, all the core APIs need to be secured.
>>
>> Thanks,
>> Mohan
>>
>>> Regards,
>>> Damith
>>>
>>> On Mon, Oct 30, 2017 at 12:38 PM, Niveathika Rajendran <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> The use cases in accessing Stream Processor APIs are as follows,
>>>>
>>>> 1. Dashboard front end APIs
>>>>
>>>> These are APIs which the user uses to access dashboards he/she will create.
>>>>
>>>> These will be protected by using an Authentication API through which the access token obtained by the login will be split into 2 and saved as cookies. Authentication API will act as a proxy for the IdPClient OSGi service.
>>>>
>>>> 2. Dashboard back end APIs
>>>>
>>>> These will use the IdPClient OSGi service to get the access tokens using client credential grant type which can be used to access other APIs with Bearer authorization headers.
>>>>
>>>> 3. Databridge
>>>>
>>>> Here, the data bridge authentication is only done through basic authentication. OAuth2 token validation is mocked through passing token requests using password grant type. This is because the events will be sent with Basic authorization headers and not with Bearer headers
>>>>
>>>> For more info on SP IdP integration please refer [1].
>>>>
>>>> @Identity-Team, Could you provide feedback on the mechanisms used in securing APIs.
>>>>
>>>> [1] [Architecture] Securing Product Apis and Product artifacts in Stream Processor
>>>>
>>>> --
>>>> Best Regards,
>>>> *Niveathika Rajendran,*
>>>> *Software Engineer.*
>>>> *Mobile : +94 077 903 7536*
>>>
>>> --
>>> Senior Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> mobile: *+94728671315*
>>
>> --
>> *V. Mohanadarshan*
>> *Technical Lead,*
>> *Data Technologies Team,*
>> *WSO2, Inc. http://wso2.com*
>> *lean.enterprise.middleware.*
>>
>> email: [email protected]
>> phone: (+94) 771117673
>
> --
> *Shiroshica Kulatilake | Director, Solutions Architecture, WSO2 Inc. +94 776523867*

--
Best Regards,
*Niveathika Rajendran,*
*Software Engineer.*
*Mobile : +94 077 903 7536*

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
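The Databridge flow described in the thread (events arrive with a Basic authorization header, and the credentials are checked by sending a password-grant token request to the IdP), as an added sketch that is not part of the original emails and not WSO2's code. The token endpoint URL, client id and secret, and all function names are assumptions made for illustration; the token request is only constructed here, not sent.

```python
import base64
import binascii
from urllib.parse import urlencode

# Assumed values for illustration; none of these come from the thread.
TOKEN_ENDPOINT = "https://idp.example.invalid/oauth2/token"
CLIENT_ID, CLIENT_SECRET = "sp-databridge", "constructed-secret"


def parse_basic(header):
    """Return (username, password) from an RFC 7617 Basic header, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def password_grant_request(header):
    """Build the RFC 6749 section 4.3 token request that stands in for
    credential validation. Returns (url, headers, body), or None when the
    header is unusable and the caller should answer 401."""
    creds = parse_basic(header)
    if creds is None:
        return None
    client = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {client}",  # client auth, not the user's
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password",
                      "username": creds[0], "password": creds[1]})
    return TOKEN_ENDPOINT, headers, body


def is_authenticated(status, token_response):
    """Accept the event publisher only on a 200 response that actually
    carries an access token; any error response means reject."""
    return status == 200 and bool(token_response.get("access_token"))
```

The user's password travels in the token request body, so the hop to the IdP needs TLS and the body must stay out of request logs.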
