If we separate out requirements for auth manager and key manager then it
will be easy to manage and maintain.

Auth Manager - By default lightweight auth manager or WSO2 Identity Server.
This will be used to secure REST APIs (in lightweight auth manager primarily).
API Manager REST APIs will also need to authenticate with an implementation of
this interface. Implementation can be lightweight auth framework or full
identity server. This will have all communications with SCIM, User Info,
OAuth etc.

Key Manager - This can be lightweight auth manager, WSO2 Identity Server or
any other OAuth service provider which exposes an API to communicate with.
From the API manager side we will need to implement the key manager interface
and it will be used by store and gateway. This will handle only OAuth 2
related tasks.

   - Store - To show token and application data.
   - Gateway - To implement introspection call.

Any thoughts?

Thanks,
sanjeewa.

On Fri, Feb 23, 2018 at 1:34 PM, Nuwan Dias <nuw...@wso2.com> wrote:

> IMO we will need to have two interceptor layers. One for the carbon-apimgt
> repo and another for the carbon-auth repo. The interceptor in the
> carbon-apimgt layer will have to solely rely on the KeyManager interface.
> The default implementation of the KeyManager interface will have to rely on
> the functionalities offered by the authenticators in the carbon-auth repo.
> The interceptors in the carbon-auth repo will solely rely on the
> authenticators in its own repo. It'll be only the authenticators that will
> know how to create and validate keys and tokens.
>
> On Fri, Feb 23, 2018 at 1:04 PM, Harsha Kumara <hars...@wso2.com> wrote:
>
>> As per @Bhathiya, we can separate the IDP and KeyManager interfaces. With
>> the current state, it's possible to plug a third-party key manager without
>> affecting REST API security.
>>
>> On Thu, Feb 22, 2018 at 6:15 PM, Pubudu Gunatilaka <pubu...@wso2.com>
>> wrote:
>>
>>> Hi Harsha,
>>>
>>> On Thu, Feb 22, 2018 at 5:33 PM, Harsha Kumara <hars...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> This is to discuss the security of REST APIs exposed from carbon-auth
>>>> and carbon-apimgt components. We are mainly using OAuth as the primary
>>>> protection for the REST APIs, and scopes are used for authorization
>>>> purposes. Currently, the following APIs are exposed from the components
>>>> that lie in these two main repositories.
>>>>
>>>> *carbon-apimgt*
>>>>
>>>> Protected APIs with OAuth
>>>> - /api/am/publisher/v1.0 - Publisher REST APIs
>>>> - /api/am/store/v1.0 - Store REST APIs
>>>> - /api/am/admin/v1.0 - Admin REST APIs
>>>> - /api/am/analytics/v1.0 - Analytics REST APIs
>>>>
>>>>
>>> We have another REST API called core API (/api/am/core/v1.0) which is
>>> for internal server communications. This is planned to be secured by mutual SSL.
>>>
>>> Thank you!
>>> --
>>> *Pubudu Gunatilaka*
>>> Committer and PMC Member - Apache Stratos
>>> Senior Software Engineer
>>> WSO2, Inc.: http://wso2.com
>>> mobile : +94774078049
>>>
>>>
>>
>>
>> --
>> Harsha Kumara
>> Software Engineer, WSO2 Inc.
>> Mobile: +94775505618
>> Blog: harshcreationz.blogspot.com
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/
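The interface split discussed in this thread, as an added example that is not WSO2 code: the gateway interceptor depends only on a KeyManager interface whose sole OAuth 2 duty is token introspection, and authorizes requests by scope per REST API context. The KeyManager shape, the scope names and the sample tokens are assumptions; the API contexts are the ones listed in the thread.

```python
"""Gateway-side authorization that relies solely on a KeyManager interface."""
import time
from dataclasses import dataclass, field
from typing import Protocol


@dataclass
class Introspection:
    """Subset of an RFC 7662 token introspection response."""
    active: bool
    scope: set = field(default_factory=set)
    exp: int = 0  # seconds since epoch; 0 means "not stated"


class KeyManager(Protocol):
    """Hypothetical key manager interface: only OAuth 2 concerns live here."""
    def introspect(self, token: str) -> Introspection: ...


class InMemoryKeyManager:
    """Stand-in for a lightweight key manager, backed by constructed token data."""
    def __init__(self, tokens: dict):
        self._tokens = tokens

    def introspect(self, token: str) -> Introspection:
        rec = self._tokens.get(token)
        if rec is None:
            return Introspection(active=False)  # unknown token: say no more
        return Introspection(active=True, scope=set(rec["scope"].split()),
                             exp=rec["exp"])


# Constructed sample tokens; a real deployment gets these from the key manager.
SAMPLE_TOKENS = {
    "tok-publisher": {"scope": "apim:api_create apim:api_view", "exp": 4102444800},
    "tok-store-expired": {"scope": "apim:subscribe", "exp": 1000},
}

# Scope the gateway requires per REST API context (scope names are assumed).
REQUIRED_SCOPE = {
    "/api/am/publisher/v1.0": "apim:api_create",
    "/api/am/store/v1.0": "apim:subscribe",
    "/api/am/admin/v1.0": "apim:admin",
}


def authorize(km: KeyManager, token: str, path: str, now: float = None) -> tuple:
    """Return (allowed, reason_or_context); the gateway never inspects tokens itself."""
    now = time.time() if now is None else now
    context = next((c for c in REQUIRED_SCOPE if path.startswith(c)), None)
    if context is None:
        return False, "unknown_context"  # no policy for this path: deny by default
    info = km.introspect(token)
    if not info.active:
        return False, "invalid_token"
    if info.exp and info.exp <= now:
        return False, "token_expired"
    if REQUIRED_SCOPE[context] not in info.scope:
        return False, "insufficient_scope"
    return True, context
```

Swapping `InMemoryKeyManager` for one that calls a remote introspection endpoint changes nothing in `authorize`, which is the decoupling the thread argues for.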
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
