Correcting groups

On Tue, Jul 23, 2019 at 5:15 PM Malintha Amarasinghe <[email protected]> wrote:

> On Tue, Jul 23, 2019 at 12:36 PM Dushani Wellappili <[email protected]> wrote:
>
>> Hi all,
>>
>> Following are two use cases for which we need to support server-to-server
>> authentication in the Publisher/Store REST APIs.
>>
>> 1. Publishing APIs to external stores
>> 2. Workflow completion requests sent by external workflow engines
>>
>> In both of the above cases, the user who is invoking the service is
>> useful when initializing the specific tenant context. In the previous
>> versions, the above were handled via Jaggery APIs using basic
>> authentication. Supporting the above via REST APIs using OAuth2 seems
>> complex, as we need to consider the token expiration and token persistence
>> aspects well. Hence, following are two other options we could see to cater
>> to the requirement.
>>
>> 1. Support mutual SSL
>>
>> The username will be sent in the same SSL call as a header. We need to
>> write a separate interceptor to do the mutual SSL authentication and, in the
>> same flow, to support scope validation similarly to OAuth2, we need
>> to validate the roles of the user sent in the header against the roles in
>> the scope of the specific resource.
>
> If we support mutual SSL we need to do it during the interceptor flow,
> where we might need to initiate an SSL re-negotiation flow. This might be a
> bit complicated.
>
>> 2. Support basic authentication
>>
>> Similar to the mutual SSL approach, we need to write a separate interceptor
>> to authenticate the user via basic authentication and then validate the
>> roles of that user against the roles attached to the relevant resource
>> scope.
>>
>> Appreciate your suggestions on deciding the best approach to go ahead.
>
> I think this is the most viable option. We'll need to decide whether we
> should allow basic auth only for a subset of resources or for all
> resources. If we go with the subset of resources, we can define that in the
> REST API swagger with a new security method. If that is present in the
> resource only, the basic authentication handler will engage.
>
> Or we can simply support Basic auth for all the resources. This will
> simplify other future uses as well. But the client needs to wisely choose
> between OAuth and basic auth based on the use case and security
> requirements.
>
> Thanks!
> Malintha
>
>> Thanks
>>
>> Dushani Wellappili
>> Software Engineer - WSO2
>>
>> Email : [email protected]
>> Mobile : +94779367571
>> Web : https://wso2.com/
>
> --
> Malintha Amarasinghe
> WSO2, Inc. - lean | enterprise | middleware
> http://wso2.com/
>
> Mobile : +94 712383306

--
Malintha Amarasinghe
WSO2, Inc. - lean | enterprise | middleware
http://wso2.com/

Mobile : +94 712383306
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
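The option the thread converges on (a Basic auth handler that engages only for resources whose swagger declares a new security method, then checks the authenticated user's roles against the roles attached to the resource's scope, and derives the tenant context from the username) is sketched below as an added, framework-independent example. It is not WSO2 API Manager code. The security scheme name "basicAuth", the "x-scope" and "x-scope-roles" swagger keys, the in-memory user store and the sample users are all constructed for the demo; the user@tenantdomain convention with "carbon.super" as the default tenant is assumed from WSO2's usual naming. Note that Basic credentials travel with every request, so this handler only makes sense behind TLS.

```python
"""Basic-auth handler that engages only for swagger resources declaring it.

Added example, not WSO2 code. Hypothetical: scheme name "basicAuth", the
"x-scope" / "x-scope-roles" swagger keys, the user store and sample users.
"""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass

# Constructed Swagger 2.0 fragment. A resource accepts Basic auth only if one
# of its security requirement objects names the "basicAuth" scheme.
SWAGGER = {
    "securityDefinitions": {
        "OAuth2Security": {"type": "oauth2", "flow": "password"},
        "basicAuth": {"type": "basic"},
    },
    # Hypothetical scope -> roles mapping (what OAuth2 scope validation checks).
    "x-scope-roles": {
        "apim:api_publish": ["publisher", "admin"],
        "apim:workflow_approve": ["admin"],
        "apim:api_view": ["publisher", "admin", "subscriber"],
    },
    "paths": {
        "/apis/{apiId}/publish-to-store": {"post": {
            "security": [{"OAuth2Security": ["apim:api_publish"]}, {"basicAuth": []}],
            "x-scope": "apim:api_publish"}},
        "/workflows/update-workflow-status": {"post": {
            "security": [{"OAuth2Security": ["apim:workflow_approve"]}, {"basicAuth": []}],
            "x-scope": "apim:workflow_approve"}},
        "/apis": {"get": {
            "security": [{"OAuth2Security": ["apim:api_view"]}],   # OAuth2 only
            "x-scope": "apim:api_view"}},
    },
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(username, roles, password):
    # Demo only: salt derived from the username so the store is deterministic.
    # A real store uses os.urandom() per user.
    salt = hashlib.sha256(username.encode()).digest()[:16]
    return User(username, frozenset(roles), salt, _hash(password, salt))


USERS = {u.username: u for u in [          # constructed sample users
    _make_user("store-sync@acme.com", ["publisher"], "s3cret"),
    _make_user("bpmn@carbon.super", ["admin"], "wf-pass"),
    _make_user("bob@acme.com", ["subscriber"], "bob"),
]}


def tenant_of(username: str) -> str:
    """Assumed WSO2-style convention: user@tenantdomain, default super tenant."""
    return username.rsplit("@", 1)[1] if "@" in username else "carbon.super"


def parse_basic(header):
    """Return (username, password) or None if the header is not well-formed Basic."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    return tuple(decoded.split(":", 1))


def authenticate(username, password):
    user = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which names exist.
    salt = user.salt if user else b"\0" * 16
    expected = user.pw_hash if user else b"\0" * 32
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return user if (ok and user) else None


def handle(method, path_template, headers):
    """Decision for one request; path_template is the swagger path already
    matched by routing. Returns (status, detail); status None means the
    Basic handler does not engage and the OAuth2 handler should run instead."""
    op = SWAGGER["paths"].get(path_template, {}).get(method.lower())
    if op is None:
        return 404, "no such resource"
    if not any("basicAuth" in req for req in op.get("security", [])):
        return None, "resource does not declare basicAuth; defer to OAuth2 handler"
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, "missing or malformed Basic credentials"
    user = authenticate(*creds)
    if user is None:
        return 401, "invalid credentials"
    scope = op.get("x-scope")
    allowed = set(SWAGGER["x-scope-roles"].get(scope, []))
    if not (user.roles & allowed):        # same check OAuth2 scope validation does
        return 403, f"user has no role permitted for scope {scope}"
    return 200, {"user": user.username, "tenant": tenant_of(user.username), "scope": scope}


def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

The handler returns the tenant together with the user so the caller can initialise the tenant context, which is the reason the thread gives for needing the user identity at all. Deferring to OAuth2 when the resource does not declare "basicAuth" is the "subset of resources" variant; supporting Basic everywhere would simply drop that check.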
