Hi Tharindu,

On Wed, Apr 15, 2020 at 9:32 AM Tharindu Dharmarathna <[email protected]> wrote:

> Hi Gayan,
>
> For self-contained access tokens it already has the OOTB capability to
> validate the token from different token issuers. The Key Management layer
> will only be used to validate the reference tokens.

Thanks for the explanation.

> To prefix the token generated from Identity Providers: they have their
> own ways of differentiating the token. In the simple case we will use the
> regex validation, and for other cases they could write their own validation.

Are there any other options available to avoid regex validation? Regex
validation may introduce a few problems:

1. Humans do not tend to use regular expressions. E.g. even for password
   policy definitions, people prefer simple definitions like min length and
   max length over a regex.
2. Pattern matching is a CPU-intensive task and might introduce some
   security vulnerabilities as well.
3. For the same set of words, different people can come up with different
   regular expressions.

Also, having the flexibility to write your own validation might introduce
some open-ended problems for a simple requirement.

> Thanks
>
> On Tue, Apr 14, 2020 at 11:17 PM gayan gunawardana <[email protected]> wrote:
>
>> Hi Tharindu,
>>
>> In #6 Validating the Token, regex validation may work for reference
>> access tokens to find the corresponding OAuth provider, but can we
>> utilize regex validation for self-contained access tokens? Is it possible
>> to mediate token generation and append a specific prefix to identify the
>> OAuth provider, or else add a mapping to a database table?
>>
>> Thanks,
>> Gayan
>>
>> On Tue, Apr 14, 2020 at 10:13 PM Tharindu Dharmarathna <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> We are going to implement Multiple OAuth Provider support in WSO2 API
>>> Management. With this feature, dev portal users can create their OAuth
>>> application on pre-defined OAuth providers.
>>>
>>> 1. Tenant admin creates an OAuth provider from the admin portal by
>>>    providing the OAuth provider details:
>>>    - Client Registration endpoint
>>>    - Introspection endpoint
>>>    - Scope Management endpoint
>>>    - Token endpoint
>>>    - Revoke endpoint
>>>    - Endpoint security details
>>>    - Token Validation Regex
>>>
>>> 2. Application developer creates the application, defining the OAuth
>>>    provider type.
>>>
>>> 3. Application developer generates the keys from the UI.
>>>    - Checks for the consumer key generation can be done in the specific
>>>      OAuth provider.
>>>    - Generate the OAuth app on the OAuth provider and retrieve the OAuth
>>>      application details.
>>>
>>> 4. Application developer retrieves the application details from the UI.
>>>    - Check for the OAuth provider selected.
>>>    - Retrieve the OAuth app details from the respective OAuth provider
>>>      selected.
>>>
>>> 5. Generating the OAuth token
>>>    - The token generation call will directly proxy to the token endpoint
>>>      of the respective OAuth provider.
>>>
>>> 6. Validating the token
>>>    - A generated token from an OAuth provider contains a specific change
>>>      related to the token.
>>>    - Before validating the token, we check which OAuth provider the
>>>      token belongs to by checking against the Token Validation Regex
>>>      given.
>>>    - The token gets validated by the elected OAuth provider, and then the
>>>      information related to the token is retrieved.
>>>
>>> 7. Delete the application
>>>    - The OAuth application will be removed from the respective OAuth
>>>      provider assigned.
>>>
>>> I appreciate any thoughts and feedback on this.
>>>
>>> Thanks
>>>
>>> Tharindu Dharmarathna
>>> Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> mobile: +94779109091
>>
>> --
>> Gayan
>
> --
> Tharindu Dharmarathna
> Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> mobile: +94779109091

--
Gayan

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
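The three ways of electing a provider that come up in this thread (the issuer of a self-contained token, a prefix stamped on reference tokens at generation time, and a per-provider Token Validation Regex) can be put side by side in a small router. The code below is an added example, not code from this thread or from WSO2 API Manager. Provider names, prefixes, patterns and the sample tokens are constructed; unverified `iss` lookup for JWTs, longest-prefix matching for reference tokens, and anchored `fullmatch` regex matching that refuses ambiguous hits are assumed design choices made for the example, not the project's.

```python
"""Added example: electing the OAuth provider for an incoming access token.

Illustration code, not WSO2 API Manager code. Provider names, prefixes,
patterns and tokens below are constructed for the example.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class OAuthProvider:
    name: str
    issuer: Optional[str] = None        # expected 'iss' claim of self-contained tokens
    token_prefix: Optional[str] = None  # prefix appended at token generation (reference tokens)
    token_regex: Optional[str] = None   # Token Validation Regex configured by the tenant admin


class AmbiguousTokenError(Exception):
    """Raised when more than one provider's regex accepts the same token."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwt_issuer(token: str) -> Optional[str]:
    """Return the unverified 'iss' claim if the token parses as a JWT, else None.

    Only the payload is decoded here; signature checking is left to the elected
    provider, which is the step the design calls 'validating the token'.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    return iss if isinstance(iss, str) else None


class TokenRouter:
    def __init__(self, providers: Iterable[OAuthProvider]):
        self.providers = list(providers)
        self._by_issuer = {p.issuer: p for p in self.providers if p.issuer}
        # Longest prefix first, so "kc_" cannot be shadowed by a shorter "k".
        self._by_prefix = sorted(
            ((p.token_prefix, p) for p in self.providers if p.token_prefix),
            key=lambda item: -len(item[0]),
        )
        # Compile once; fullmatch() anchors the pattern so a partial hit cannot elect a provider.
        self._regexes: List[Tuple[OAuthProvider, re.Pattern]] = [
            (p, re.compile(p.token_regex)) for p in self.providers if p.token_regex
        ]

    def resolve(self, token: str) -> Optional[OAuthProvider]:
        """Elect the provider that should validate the token, or None if unknown."""
        iss = jwt_issuer(token)
        if iss is not None:
            # A self-contained token with an unregistered issuer is rejected outright;
            # it is not allowed to fall through to prefix or regex matching.
            return self._by_issuer.get(iss)
        for prefix, provider in self._by_prefix:
            if token.startswith(prefix):
                return provider
        matches = [p for p, rx in self._regexes if rx.fullmatch(token)]
        if len(matches) > 1:
            # Two admins wrote overlapping patterns (point 3 in the thread): refuse
            # to guess rather than validate against the wrong provider.
            raise AmbiguousTokenError([p.name for p in matches])
        return matches[0] if matches else None


# --- constructed sample data (hypothetical providers and tokens) -------------
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"iss":"https://idp-a.example/oauth2","sub":"app-1"}'),
    "signature-not-checked-here",
])


def build_demo_router() -> TokenRouter:
    return TokenRouter([
        OAuthProvider("idp-a", issuer="https://idp-a.example/oauth2"),
        OAuthProvider("keycloak", token_prefix="kc_"),
        OAuthProvider("opaque-hex", token_regex=r"[0-9a-f]{32}"),
        OAuthProvider("opaque-alnum", token_regex=r"[A-Za-z0-9]{32}"),
    ])


if __name__ == "__main__":
    router = build_demo_router()
    for tok in (SAMPLE_JWT, "kc_4f1e0c", "x" * 32, "a" * 32, "not-a-token"):
        try:
            chosen = router.resolve(tok)
            print(f"{tok[:24]:<24} -> {chosen.name if chosen else 'rejected'}")
        except AmbiguousTokenError as err:
            print(f"{tok[:24]:<24} -> ambiguous {err}")
```

The two opaque-token providers deliberately carry overlapping patterns: a 32-character lowercase hex token satisfies both, and the router raises instead of picking one, which is the failure mode behind point 3 above. Keeping the issuer and prefix checks ahead of the regex step means the regex only runs for tokens that carry no cheaper identifying mark.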
