CloudFoundry currently uses OAuth2 in their UAA service. I'm +1. --Tuna
On Thu, Nov 20, 2014 at 2:48 PM, Lakmal Warusawithana <[email protected]> wrote:
> I'm +1 for oAuth with non-expiry token.
>
> On Thu, Nov 20, 2014 at 12:39 PM, Udara Liyanage <[email protected]> wrote:
>
>> Hi Lakmal, Imesh
>>
>> Came up with another solution.
>>
>> *Prerequisites*: SM's public key should be installed into metadata service
>>
>> SM generates a key pair for each instance at the time of composite application deployment and that will be signed by SM
>> Common name of the public key is set to applicationID
>> Generated key pair is sent to the instance as payload
>> Cartridge agent generates a token (most probably a JWT token) and will sign it using the given keys
>> When calling API, agent sends that token with the request
>> Metadata service can validate the public key of the instance since it is signed by SM, which metadata service already trusts.
>> Metadata service can do authorization using token.
>>
>> On Wed, Nov 19, 2014 at 5:42 PM, Udara Liyanage <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Below is the flow which is discussed so far.
>>>
>>> 1) User/tenant deploys an application id=appId
>>> 2) SM calls IS and creates an oAuth APP which will return consumer key and consumer secret
>>> 3) SM again calls the IS with consumer key, secret and appid as the scope
>>> 4) IS generates a JWT token which consists of the appid
>>> 5) SM sends the token to the instance in payload
>>> 6) When cartridge agent calls metadata service API, it should send the token
>>> 7) Then metadata service can validate the token.
>>> 8) SM can do the authorization too by matching the appid in token and requested application id in API call
>>>
>>> The blocking issue:
>>> When token is expired, cartridge agent can not renew the token since it does not have username/password or refresh token.
>>>
>>> However for the moment, since we retrieve the metadata only at startup (which may change in future), we can live with it for now. But it is not an extensible solution.
>>> As an alternative we can increase the expiration time of the token; not sure this is a recommended way of doing things.
>>>
>>> Your thoughts are highly appreciated.
>>>
>>> On Wed, Nov 19, 2014 at 3:14 PM, Udara Liyanage <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I installed OAuth feature of WSO2 IS and was able to generate a token and validate a token by invoking the admin services using SOAP UI. I will now try to do the same with code at the time of application deployment.
>>>>
>>>> Found several issues:
>>>> We already use SSO feature, so newest oauth feature did not work due to CNF issues.
>>>> identity is not compatible with oauth feature
>>>>
>>>> On Tue, Nov 18, 2014 at 12:59 PM, Udara Liyanage <[email protected]> wrote:
>>>>
>>>>> Hi Sumedha,
>>>>>
>>>>> Currently "no". We need to support both single JVM and distributed setups. For single JVM, we may need to install either API manager key-manager feature or IS oAuth feature.
>>>>>
>>>>> On Tue, Nov 18, 2014 at 12:31 PM, Sumedha Rubasinghe <[email protected]> wrote:
>>>>>
>>>>>> Udara,
>>>>>> Do you have WSO2 API Manager/IS running?
>>>>>>
>>>>>> On Tue, Nov 18, 2014 at 11:00 AM, Udara Liyanage <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Currently we use username/password based authentication when retrieving and publishing metadata via metadata service API. The issue with this approach is one client can access/alter other app's data if it knows the application id.
>>>>>>> I suggest to use oAuth to secure resources and let the client access only the metadata related to its application.
>>>>>>> I am doing R&D on possible ways of accomplishing this task and will update the thread on my findings. Currently I am assessing the feasibility of WSO2 IS OAuth feature and WSO2 APIM key manager feature.
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Udara Liyanage
>>>>>>> Software Engineer
>>>>>>> WSO2, Inc.: http://wso2.com
>>>>>>> lean. enterprise. middleware
>>>>>>>
>>>>>>> web: http://udaraliyanage.wordpress.com
>>>>>>> phone: +94 71 443 6897
>
> --
> Lakmal Warusawithana
> Vice President, Apache Stratos
> Director - Cloud Architecture; WSO2 Inc.
> Mobile : +94714289692
> Blog : http://lakmalsview.blogspot.com/
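The two designs quoted above (the IS-issued JWT flow whose blocking issue is token expiry, and the later alternative where SM signs a per-instance key pair bound to the application id) can be put side by side in a small working model. The following is an added example written for this page; it is not Apache Stratos, WSO2 IS or cartridge-agent code. It assumes Ed25519 keys in place of whatever key type SM would really issue, a hypothetical `Certificate` struct standing in for "public key with common name = applicationID, signed by SM" rather than a real X.509 certificate, and a hand-rolled JWT (alg `EdDSA`) instead of a token minted by WSO2 IS. All names (`StratosManager`, `MetadataService`, `MintToken`, `Authorize`, the `app-1`/`app-2` ids) are invented for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate is a hypothetical stand-in for the SM-signed instance public key
// whose "common name" is the application id; it is not a real X.509 certificate.
type Certificate struct {
	AppID  string
	PubKey ed25519.PublicKey
	Sig    []byte // SM's signature over certBytes(cert)
}

// certBytes is what SM signs: length-prefixed app id, then the key, so that
// "app-1"+key can never be parsed as "app-12"+key.
func certBytes(c Certificate) []byte {
	return append([]byte(fmt.Sprintf("%d:%s", len(c.AppID), c.AppID)), c.PubKey...)
}

// StratosManager models only what this scheme needs from SM: its own key pair.
type StratosManager struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the one key installed into the metadata service
}

func NewSM() *StratosManager {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &StratosManager{priv: priv, Pub: pub}
}

// Deploy generates the per-instance key pair at application deployment, binds it
// to appID with SM's signature, and returns what goes into the instance payload.
func (sm *StratosManager) Deploy(appID string) (Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Certificate{AppID: appID, PubKey: pub}
	cert.Sig = ed25519.Sign(sm.priv, certBytes(cert))
	return cert, priv
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken is the cartridge agent's side: a JWT (alg EdDSA) whose "sub" is the
// application id, signed with the instance key. ttl <= 0 omits "exp" (non-expiring).
func MintToken(priv ed25519.PrivateKey, appID string, now time.Time, ttl time.Duration) string {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	claims := map[string]interface{}{"sub": appID, "iat": now.Unix()}
	if ttl > 0 {
		claims["exp"] = now.Add(ttl).Unix()
	}
	payload, _ := json.Marshal(claims)
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput)))
}

// MetadataService trusts exactly one key, SM's public key (the prerequisite above).
type MetadataService struct{ SMPub ed25519.PublicKey }

// Authorize is the check run on every metadata API call made for requestedAppID.
// The verifier never dispatches on the JWT "alg" header, so there is no alg confusion.
func (m MetadataService) Authorize(cert Certificate, token, requestedAppID string, now time.Time) error {
	if !ed25519.Verify(m.SMPub, certBytes(cert), cert.Sig) {
		return errors.New("instance key is not signed by SM")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(cert.PubKey, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad token signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims struct {
		Sub string `json:"sub"`
		Exp *int64 `json:"exp"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return err
	}
	if claims.Exp != nil && !now.Before(time.Unix(*claims.Exp, 0)) {
		return errors.New("token expired and the agent cannot renew it")
	}
	// Step 8 of the flow: the app id in the token must match the certified app id
	// and the app id being requested, which is what stops one client reading another app's data.
	if claims.Sub != cert.AppID || claims.Sub != requestedAppID {
		return errors.New("token is not authorized for the requested application")
	}
	return nil
}
```

Passing `ttl <= 0` to `MintToken` gives the non-expiry token voted for above. The difference from simply stretching the lifetime of an IS-issued token is where the long-lived secret sits: here it is the SM-signed instance key, so the agent can mint a fresh short-lived token for every call instead of needing a refresh token or a password, and a token that has leaked stops working at its `exp` while the instance keeps running.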
