As per @Bhathiya, we can separate the IDP and KeyManager interfaces. With the current state, it's possible to plug in a third-party key manager without affecting REST API security.
On Thu, Feb 22, 2018 at 6:15 PM, Pubudu Gunatilaka <[email protected]> wrote:

> Hi Harsha,
>
> On Thu, Feb 22, 2018 at 5:33 PM, Harsha Kumara <[email protected]> wrote:
>
>> Hi All,
>>
>> This is to discuss the security of REST APIs exposed from carbon-auth and
>> carbon-apimgt components. We are mainly using OAuth as primary protection
>> for the REST APIs and scopes are used for authorization purposes.
>> Currently the following APIs are exposed from the components that lie in
>> these two main repositories.
>>
>> *carbon-apimgt*
>>
>> Protected APIs with OAuth
>> - /api/am/publisher/v1.0 - Publisher REST APIs
>> - /api/am/store/v1.0 - Store REST APIs
>> - /api/am/admin/v1.0 - Admin REST APIs
>> - /api/am/analytics/v1.0 - Analytic REST APIs
>>
>
> We have another REST API called core API (/api/am/core/v1.0) which is for
> internal server communications. This is planned to be secured by mutual SSL.
>
> Thank you!
> --
> *Pubudu Gunatilaka*
> Committer and PMC Member - Apache Stratos
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> mobile : +94774078049
>
> --

--
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
