On Fri, Jan 18, 2013 at 12:44 AM, Lalaji Sureshika <[email protected]> wrote:
> Hi Sanjeewa,
>
> On Thu, Jan 17, 2013 at 10:29 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>
>> Hi All.
>> At the moment we are removing authorization headers from API request when
>> it passes to actual back end (at gateway authorization handler). But for
>> some use cases we need to just pass through gateway and allow actual back
>> end to do authorization. In that case we can define that resource token
>> type as none (no application or application user). Then gateway will skip
>> authorization process but still it removes authorization headers if
>> available. But ideally it shouldn't remove them as there is no
>> actual authorization happening. Shall we go ahead and avoid removing security
>> headers? WDYT?
>>
>
> With your above suggested way, it'll handle 1) invoking a secured OAuth
> back-end endpoint when no auth scheme is required at API level. But it'll not
> handle 2) invoking a secured OAuth back-end endpoint when an auth scheme is
> required at API level... My question is, if we are going to implement the
> above use case, don't we need to consider my 2nd mentioned option as well and
> find a common solution for both flows..
>

I suggested only scenario 1 because we don't need to validate the same OAuth token twice (of course there are such use cases as well). In that case we can make it configurable.

> And additionally, if we avoid removing security headers for an API request
> with no auth scheme required at gateway level, whether the back-end endpoint is
> secured or not, it'll pass the authorization header to the backend.. Is it ok to
> do so?
>

I think it's fine. IMO whatever the client passes (and not related to gateway) should go to the back end.

> Thanks;
>
>> Thanks.
>> --
>> *Sanjeewa Malalgoda*
>> WSO2 Inc.
>> Mobile : +14084122175 | +94713068779
>> blog: http://sanjeewamalalgoda.blogspot.com/
>
> --
> Lalaji Sureshika
> Software Engineer; Development Technologies Team; WSO2, Inc.;
> http://wso2.com/
> email: [email protected]; cell: +94 71 608 6811
> blog: http://lalajisureshika.blogspot.com

--
*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +14084122175 | +94713068779
blog: http://sanjeewamalalgoda.blogspot.com/
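The following is an added illustration of the decision being discussed above, written for this page; it is not WSO2 API Manager code and does not use the Synapse handler API. It models the gateway's choice: when the resource auth type is None the gateway has not validated the token, so the client's Authorization header is meant for the back end and is forwarded unless an operator-configurable switch says otherwise; for any other auth type the gateway validated the token and strips it so the gateway-facing credential is not leaked downstream. The function names, the `remove_for_none` switch and the sample headers are constructed for the example; the auth type labels ("None", "Application", "Application User") come from the thread.

```python
"""Model of the gateway header-forwarding decision from the thread.

Added example for this page; hypothetical names, not WSO2 identifiers.
"""
from typing import Dict, Tuple

# Headers the gateway consumes for its own authorization step. HTTP header
# names are case-insensitive, so matching is done on the lower-cased name.
SECURITY_HEADERS = ("authorization",)


def should_strip_security_headers(auth_type: str, remove_for_none: bool = False) -> bool:
    """Scenario 1 in the thread: auth type None means the gateway skipped
    token validation, so the header belongs to the back end and is kept
    unless the (hypothetical) remove_for_none switch is on. For every other
    auth type the gateway already validated the token and strips it, so the
    same token is neither validated twice nor exposed to the back end."""
    if auth_type.strip().lower() == "none":
        return remove_for_none
    return True


def forward_headers(headers: Dict[str, str], auth_type: str,
                    remove_for_none: bool = False) -> Dict[str, str]:
    """Return the headers the gateway forwards to the back end."""
    if not should_strip_security_headers(auth_type, remove_for_none):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SECURITY_HEADERS}


def run_demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Constructed request headers run through the three cases discussed:
    pass-through (None), pass-through with removal configured, and a
    gateway-validated resource. Note the lower-case header name, which a
    naive exact-match filter would miss."""
    incoming = {"authorization": "Bearer client-token-placeholder",
                "Content-Type": "application/json"}
    passthrough = forward_headers(incoming, "None")
    passthrough_strip = forward_headers(incoming, "None", remove_for_none=True)
    validated = forward_headers(incoming, "Application User")
    return passthrough, passthrough_strip, validated


if __name__ == "__main__":
    for label, result in zip(("None", "None+remove", "Application User"), run_demo()):
        print(f"{label:18} -> {result}")
```

The case-insensitive match is the practical point: a gateway that strips only the exact string `Authorization` forwards a client's `authorization` header even when it meant to remove it, and the back end then sees a token the gateway already consumed.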
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
