As per @Bhathiya, we can separate the IDP and KeyManager interfaces.
With the current state, it's possible to plug in a third-party key
manager without affecting REST API security.

On Thu, Feb 22, 2018 at 6:15 PM, Pubudu Gunatilaka <pubu...@wso2.com> wrote:

> Hi Harsha,
>
> On Thu, Feb 22, 2018 at 5:33 PM, Harsha Kumara <hars...@wso2.com> wrote:
>
>> Hi All,
>>
>> This is to discuss the security of REST APIs exposed from the carbon-auth and
>> carbon-apimgt components. We are mainly using OAuth as the primary protection
>> for the REST APIs, and scopes are used for authorization purposes.
>> Currently, the following APIs are exposed from the components that lie in these two
>> main repositories.
>>
>> *carbon-apimgt*
>>
>> Protected APIs with OAuth
>> - /api/am/publisher/v1.0 - Publisher REST APIs
>> - /api/am/store/v1.0 - Store REST APIs
>> - /api/am/admin/v1.0 - Admin REST APIs
>> - /api/am/analytics/v1.0 - Analytic REST APIs
>>
>>
> We have another REST API called the core API (/api/am/core/v1.0), which is for
> internal server communications. This is planned to be secured by mutual SSL.
>
> Thank you!
> --
> *Pubudu Gunatilaka*
> Committer and PMC Member - Apache Stratos
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> mobile : +94774078049
>
>


-- 
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog:harshcreationz.blogspot.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture