Hi,

If we introduce this API in a way like we have in [1], where we can get all the available roles of the given user, does it create a security risk? (Anyway, this is an Admin API, right?) If we can get all the available roles, we can validate it at the client side in this case. At the same time, this API may be very useful in customizations where the user does not need to specifically pass the role name to validate. WDYT?
[1] https://is.docs.wso2.com/en/5.9.0/develop/managing-users-and-roles-with-apis/#getrolelistofuser

Thanks
Shammi

On Tue, May 5, 2020 at 1:18 AM Frank Leymann <[email protected]> wrote:

> Dear Meruja,
>
> the URI of the second API (i.e. /me/roles/{roleName}) is really
> debatable: the intent of the */me* part of the URI seems to be to
> identify the logged-in user, and to me, such a user is a resource. I.e. I
> assume that a user is represented in APIM as a resource (but I didn't check
> the current API), or has a unique UserID - correct?
>
> Thus, the URI of the API should be something like
> .../users/{UserID}?{roleName} or /roles/{roleName}?{UserID}.
>
> Best regards,
> Frank
>
> On Tue., 5 May 2020 at 06:17, Meruja Selvamanikkam <[email protected]> wrote:
>
>> Hi All,
>>
>> We are planning to add a REST API endpoint to APIM 3.2.0 Admin Rest APIs
>> and the intention is to check the existence of a particular role name
>> (Internal/subscriber) when transferring ownership of an application to a
>> user. We have a similar API in the publisher to check the availability of
>> the role [1].
>> We have to decide the OAuth2 scope for these functionalities, which are used by Admin.
>>
>> The swagger definition for the new endpoint would be as follows:
>>
>> ######################################################
>> # The Role Name Existence
>> ######################################################
>> /roles/{roleName}:
>>   #-----------------------------------------------------
>>   # The role name existence check resource
>>   #-----------------------------------------------------
>>   head:
>>     security:
>>       - OAuth2Security:
>>         - apim:<To_be_added>
>>     summary:
>>       Check given role name already exists
>>     description:
>>       Using this operation, to check whether given role already exists
>>     parameters:
>>       - $ref: '#/parameters/roleName'
>>     responses:
>>       200:
>>         description:
>>           OK.
>>           Requested role name is returned.
>>       404:
>>         description:
>>           Not Found.
>>           Requested role name does not exist.
>>
>> ######################################################
>> # The Role Name Existence for the logged-in user
>> ######################################################
>> /me/roles/{roleName}:
>>   #-----------------------------------------------------
>>   # Validate role against a user
>>   #-----------------------------------------------------
>>   head:
>>     security:
>>       - OAuth2Security:
>>         - apim:<To_be_added>
>>     summary:
>>       Validate whether the logged-in user has the given role
>>     description:
>>       Using this operation, the logged-in user can check whether he has the given
>>       role.
>>     parameters:
>>       - $ref: '#/parameters/roleName'
>>     responses:
>>       200:
>>         description:
>>           OK.
>>           Logged-in user has the role.
>>       404:
>>         description:
>>           Not Found.
>>           Logged-in user does not have the role.
>>
>> Appreciate any feedback on this and correct me if I am wrong.
>>
>> [1] - [APIM-3.0] Publisher rest API to check a role name existence
>>
>> Thanks & Regards,
>> *S.Meruja* | Software Engineer | WSO2 Inc.
>> (m) +94779650506 | Email: [email protected]
>> Linkedin: https://www.linkedin.com/in/meruja
>> Medium: https://medium.com/@meruja
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>

-- 
Best Regards,
*Shammi Jayasinghe*
*Associate Director/ Architect*
*WSO2, Inc.*
*+1-812-391-7730*
*+1-812-327-3505*
*http://shammijayasinghe.blogspot.com*
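The two HEAD endpoints from Meruja's quoted swagger, and the getRoleListOfUser-style alternative Shammi raises (fetch all roles of a user, then validate at the client side), modelled side by side. This is an added example, not WSO2 APIM or Identity Server code: the scope name `apim:admin_role_check` stands in for the `apim:<To_be_added>` placeholder, the user store and the decoded `Token` are constructed for the example, and HTTP is reduced to status codes since a HEAD response has no body.

```python
"""Reference behaviour for the proposed Admin REST endpoints (added example).

  HEAD /roles/{roleName}      -> 200 if the role exists, else 404
  HEAD /me/roles/{roleName}   -> 200 if the logged-in user has the role, else 404
  GET  getRoleListOfUser       -> the list-all-roles alternative from the reply

Scope name, user store and token shape are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed scope name; the mail leaves it as "apim:<To_be_added>".
REQUIRED_SCOPE = "apim:admin_role_check"

# Constructed sample data standing in for the user store.
ROLES: FrozenSet[str] = frozenset({"Internal/subscriber", "Internal/publisher", "admin"})
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"Internal/subscriber"}),
    "bob": frozenset({"Internal/publisher", "admin"}),
}


@dataclass(frozen=True)
class Token:
    """Already-validated OAuth2 access token (constructed; no real parsing here)."""
    subject: str
    scopes: FrozenSet[str] = field(default_factory=frozenset)


def _authorize(token: Optional[Token]) -> Optional[int]:
    """Return 401 for a missing token, 403 for a missing scope, None when allowed."""
    if token is None:
        return 401
    if REQUIRED_SCOPE not in token.scopes:
        return 403
    return None


def head_role(token: Optional[Token], role_name: str) -> int:
    """HEAD /roles/{roleName}: the status code is the whole answer (no body)."""
    err = _authorize(token)
    if err is not None:
        return err
    return 200 if role_name in ROLES else 404


def head_me_role(token: Optional[Token], role_name: str) -> int:
    """HEAD /me/roles/{roleName}.

    "me" is taken from the token subject, so a caller can only ask about
    itself. A role the caller lacks and a role that does not exist both
    answer 404, exactly as the swagger describes.
    """
    err = _authorize(token)
    if err is not None:
        return err
    assert token is not None  # guaranteed by _authorize
    return 200 if role_name in USER_ROLES.get(token.subject, frozenset()) else 404


def get_role_list_of_user(token: Optional[Token], user: str) -> Tuple[int, List[str]]:
    """The getRoleListOfUser-style admin call: return every role of the given user.

    Unlike the HEAD endpoints this takes a user name, so it reveals the
    full role set of any user to a caller holding the admin scope.
    """
    err = _authorize(token)
    if err is not None:
        return err, []
    if user not in USER_ROLES:
        return 404, []
    return 200, sorted(USER_ROLES[user])


def client_side_has_role(token: Optional[Token], user: str, role_name: str) -> bool:
    """Client-side validation built on the list call, as the reply suggests."""
    status, roles = get_role_list_of_user(token, user)
    return status == 200 and role_name in roles


if __name__ == "__main__":
    admin = Token("bob", frozenset({REQUIRED_SCOPE}))
    alice = Token("alice", frozenset({REQUIRED_SCOPE}))
    print("HEAD /roles/Internal/subscriber ->", head_role(admin, "Internal/subscriber"))
    print("HEAD /me/roles/admin as alice   ->", head_me_role(alice, "admin"))
    print("roles of alice via list call    ->", get_role_list_of_user(admin, "alice"))
```

The contrast the example makes concrete: with the HEAD form the server answers one yes/no question about a named role, while the list form hands the whole role set to the client, so the scope guarding it is the only thing standing between an admin token and every user's role membership.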
