Hi Ragu,

I believe that we should be having standard answers to "how to secure a
REST API using OAuth 2.0" as well as "how to invoke a REST API secured with
OAuth 2.0", at least in the AM world. Can you get some insight into how
such is done?

Thanks,
Senaka.

On Sun, Jan 13, 2013 at 11:36 PM, Sriragu Arudsothy <[email protected]> wrote:

> Hi Senaka!
>
> OAuth 2.0 provides 4 authentication grant types. All four grant types
> require the client id/client secret at least. The
> OAuthTokenValidationService requires either client id/client secret or
> username/pwd with client secret, depending on the OAuth grant type. If we
> are able to pass the access token with REST calls then we are done.
>
> 1) I asked the IS guys over chat whether it is possible to generate the
> access token with the user name/pwd. They do not have the answer for
> that. They said there may be a way to create an access token through the
> OAuthAdminService. Because in G-Reg, we have users with user credentials.
> We don't have any concept called client ID/client secret.
>
> 2) When we request from the REST client we need to pass the user
> credentials with the resource URI. The user is then authenticated and
> access is carried out or denied. Therefore the OAuth access tokens are
> valid for a short period. Therefore it is better to authenticate for each
> and every request. This is the way I am thinking of proceeding, because I
> am still unclear about the authentication using username/pwd with OAuth 2.0.
>
> WDYT?
>
> http://blog.facilelogin.com/2012/08/wso2-oauth-20-playground-with-wso2.html
> http://blog.facilelogin.com/2012/06/oauth-20-integration-patterns-with.html
>
> The above links explain.
>
> Regards,
> Ragu
>
>
>
>
> On Sun, Jan 13, 2013 at 9:35 PM, Senaka Fernando <[email protected]> wrote:
>
>> Hi Ragu,
>>
>> While I'm unable to provide the best answer for #2 right away without
>> doing some research into how OAuth 2.0 is implemented in our platform, for
>> #1, you definitely can and must use the component and not IS for the REST
>> API implementation in G-Reg. Also, please validate that the features that
>> you will be using in the process include a minimum number of jars to
>> provide the required OAuth 2.0 functionality.
>>
>> Thanks,
>> Senaka.
>>
>> On Sun, Jan 13, 2013 at 8:44 AM, Sriragu Arudsothy <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> When invoking the REST calls to access the resources or resource
>>> related properties, the request has to be authenticated against the user
>>> credentials using OAuth 2.0. It is a JAX web app running on G-Reg.
>>> Currently it works without the OAuth mechanism. I went through, to some
>>> extent, how OAuth works on IS.
>>>
>>> 1) Is OAuth an adaptable component for G-Reg, or do I need to
>>> run the IS?
>>>
>>> 2) If OAuth is a separate component, then how can I integrate it into my
>>> problem?
>>>
>>> Your thoughts on how I should approach this are welcome.
>>>
>>> Thanks!
>>> Sriragu
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Senaka Fernando
>> Member - Integration Technologies Management Committee;
>> Technical Lead; WSO2 Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://apache.org
>>
>> E-mail: senaka AT wso2.com
>> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
>> Linked-In: http://linkedin.com/in/senakafernando
>>
>> Lean . Enterprise . Middleware
>>
>
>


_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
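
For the two questions this thread raises (obtaining an access token from a username and password, and passing that token with REST calls), here is an added example that is not part of the original messages. It builds the RFC 6749 section 4.3 password-grant token request and the RFC 6750 bearer call, plus a minimal resource-side check; the URLs, client credentials, token value and in-memory token store are constructed placeholders, not WSO2 APIs.

```python
import base64
import re
import time
from urllib.parse import quote_plus, urlencode

# Assumed placeholder endpoints, not taken from the thread.
TOKEN_URL = "https://idp.example.invalid/oauth2/token"
API_URL = "https://registry.example.invalid/api/resources/demo"


def token_request(client_id, client_secret, username, password):
    """Build the RFC 6749 section 4.3 (password grant) token request."""
    # Section 2.3.1: form-encode id and secret before HTTP Basic encoding.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password",
                      "username": username, "password": password})
    return {"method": "POST", "url": TOKEN_URL, "headers": headers, "body": body}


def api_request(access_token):
    """Build the REST call: it carries only the token (RFC 6750 section 2.1)."""
    return {"method": "GET", "url": API_URL,
            "headers": {"Authorization": "Bearer " + access_token}}


_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def authorize(headers, issued_tokens, now=None):
    """Resource-side check: return the user for a live token, else None."""
    match = _BEARER.match(headers.get("Authorization", ""))
    if not match:
        return None  # missing header or a scheme other than Bearer
    record = issued_tokens.get(match.group(1))
    current = time.time() if now is None else now
    if record is None or record["expires_at"] <= current:
        return None  # unknown or expired token
    return record["user"]


# Constructed sample data standing in for the token issuer's store.
ISSUED = {"tok-abc123": {"user": "ragu", "expires_at": 2_000_000_000}}
```
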