Hi Amila,

Please find my comments below.

On Wed, Apr 15, 2020 at 4:03 PM Amila De Silva <[email protected]> wrote:

> Hi Tharindu,
>
> On Tue, Apr 14, 2020 at 10:12 PM Tharindu Dharmarathna <[email protected]> wrote:
>
>> Hi All,
>>
>> We are going to implement multiple OAuth provider support in WSO2 API Management. With this feature, dev portal users can create their OAuth application on pre-defined OAuth providers.
>>
>> 1. Tenant Admin creates an OAuth provider from the Admin portal by providing the OAuth provider details:
>>
>> - Client Registration endpoint
>> - Introspection Endpoint
>> - Scope Management Endpoint
>> - Token Endpoint
>> - Revoke Endpoint
>> - Endpoint Security Details
>> - Token Validation Regex
>>
> Isn't Scope Management a custom endpoint? Is it that we are only specifying it when connecting with IS?

Some of the OAuth providers have their own Scope Management Endpoint that can be used.

>> 2. Application developer creates the application, defining the OAuth provider type.
>> 3. Application developer generates the keys from the UI.
>>
>> - Checks for the Consumer Key generation can be done in the specific OAuth provider.
>> - Generate the OAuth app on the OAuth provider and retrieve the OAuth application details.
>>
>> 4. Application developer retrieves the application details from the UI.
>>
>> - Check for the OAuth provider selected.
>> - Retrieve the OAuth app details from the respective OAuth provider selected.
>>
>> 5. Generating OAuth Token
>>
>> - The token generation call will directly proxy into the token endpoint of the respective OAuth provider.
>>
> Wondering if App Developers will use this at all. Isn't the more likely case to get the token directly from an OAuth provider? In case we support this, how about making this configurable (so Tenant Admin can decide whether or not to proxy the request). Currently the Token endpoint is a passthrough, but with this some changes will be needed to find the OAuth provider from CK. Most probably this would include making a service call from the GW. If it's likely to make unnecessary burden on the KM nodes, better to provide an option to disable it.

We will not proxy the request through the Gateway. This will show in the UI which endpoint to use.

>> 6. Validating the Token
>>
>> - Generated tokens from OAuth providers contain a specific change related to the token.
>>
> So two OAuth providers can co-exist (within a single tenant space) if their issued tokens can be separated by some property - is this the case?

This can be the token length, token prefix, etc. from the Token Management.

>> - Before validating the token, we check which OAuth provider the token belongs to by checking against the Token Validation Regex given.
>> - The token gets validated by the elected OAuth provider, and then the information related to the token is retrieved.
>>
>> 7. Delete the Application
>>
>> - The OAuth application will be removed from the respective OAuth provider assigned.
>>
>> I appreciate any thoughts and feedback on this.
>>
> Are we only supporting this for subscriptions within the same tenant?

We will not be able to handle this feature cross-tenant, since we couldn't identify the tenant of the token before going to validate it.

>> Thanks
>>
>> *Tharindu Dharmarathna*
>> Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> mobile: *+94779109091*
>
> --
> *Amila De Silva*
> Software Architect | Associate Director, Engineering - WSO2 Inc.
> (m) +94 775119302 | (e) [email protected]
> <http://wso2.com/signature>

Thanks

*Tharindu Dharmarathna*
Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: *+94779109091*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
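The provider election discussed under step 6 (matching a presented token against each provider's Token Validation Regex before validating it, with token length or prefix as the separating property), as an added example that is not part of this thread or of WSO2's code. Provider names, regexes and endpoints are constructed, the field names are hypothetical, and the ambiguity check (rejecting a token that two providers' regexes both claim) is an assumption about what a tenant admin would want caught rather than anything the thread specifies.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OAuthProvider:
    # Hypothetical field names; the real APIM configuration keys are not in the thread.
    name: str
    token_validation_regex: str
    introspection_endpoint: str


class UnknownTokenError(Exception):
    """No configured provider's regex matches the presented token."""


class AmbiguousTokenError(Exception):
    """More than one provider's regex matches, so the election is unsafe."""


def compile_providers(providers):
    # Compile once at configuration load, so a bad regex fails there, not per request.
    return [(p, re.compile(p.token_validation_regex)) for p in providers]


def elect_provider(token, compiled):
    # fullmatch, not search: the whole token must fit the pattern, so a regex
    # that only describes a prefix cannot claim another provider's tokens.
    matches = [p for p, rx in compiled if rx.fullmatch(token)]
    if not matches:
        raise UnknownTokenError("token matches no configured OAuth provider")
    if len(matches) > 1:
        raise AmbiguousTokenError(sorted(p.name for p in matches))
    return matches[0]


def election_outcome(token, providers):
    """Name of the provider the token is routed to, or the error class name."""
    try:
        return elect_provider(token, compile_providers(providers)).name
    except (UnknownTokenError, AmbiguousTokenError) as exc:
        return type(exc).__name__


# Constructed sample tenant configuration; endpoints are placeholders.
PROVIDERS = [
    OAuthProvider("wso2-is", r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", "https://is.example/introspect"),
    OAuthProvider("opaque-provider", r"[0-9a-f]{32}", "https://opaque.example/introspect"),
]
# Misconfiguration to detect: a catch-all regex overlaps with every other provider.
CATCH_ALL = OAuthProvider("loose", r".+", "https://loose.example/introspect")

if __name__ == "__main__":
    for tok in ("eyJhbGciOi.eyJzdWIiOi.SflKxwRJSM", "0123456789abcdef0123456789abcdef", "not-a-token"):
        print(tok, "->", election_outcome(tok, PROVIDERS))
    print("with catch-all ->", election_outcome("0123456789abcdef0123456789abcdef", PROVIDERS + [CATCH_ALL]))
```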
