On Fri, Jan 18, 2013 at 12:44 AM, Lalaji Sureshika <[email protected]> wrote:

> Hi Sanjeewa,
>
> On Thu, Jan 17, 2013 at 10:29 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>
>> Hi All.
>> At the moment we are removing authorization headers from the API request when it passes to the actual back end (at the gateway authorization handler). But for some use cases we need to just pass through the gateway and allow the actual back end to do authorization. In that case we can define that resource token type as none (no application or application user). Then the gateway will skip the authorization process, but it still removes authorization headers if available. Ideally it shouldn't remove them, as no actual authorization happens. Shall we go ahead and avoid removing security headers? WDYT?
>>
>
> With your suggested way above, it'll handle 1) invoking a secured OAuth back-end endpoint when no auth scheme is required at API level. But it'll not handle 2) invoking a secured OAuth back-end endpoint when an auth scheme is required at API level...
>

Is this a practical case? The first question is who has issued this OAuth token. If API Manager has issued it, then authorisation should happen at the API Manager level. If the back end service has issued it, it should be at the back end. Since this token is dependent on the issuer, I feel practically we won't come to this situation.

> My question is, if we are going to implement the above use case, don't we need to consider my 2nd mentioned option as well and find a common solution for both flows..
>
> And additionally, if we avoid removing security headers for an API request with no auth scheme required at gateway level, whether the back-end endpoint is secured or not, it'll pass the authorization header to the backend.. Is it ok to do so?
>

I think so. In this case the client sends an OAuth token. So either at API Manager or at the back end some authorisation should happen. For me, if API Manager does the authorisation, it can drop the header since the token is intended for API Manager. If not, it has to forward it, since the back end requires it. If we put in an attribute to configure it, it may either drop or forward, and hence may not be able to properly handle the situation where people use both secured and non-secured APIs at API Manager.

thanks,
Amila.

> Thanks;
>
>> Thanks.
>> --
>> *Sanjeewa Malalgoda*
>> WSO2 Inc.
>> Mobile : +14084122175 | +94713068779
>>
>> blog: http://sanjeewamalalgoda.blogspot.com/
>>
>
> --
> Lalaji Sureshika
> Software Engineer; Development Technologies Team; WSO2, Inc.;
> http://wso2.com/
> email: [email protected]; cell: +94 71 608 6811
> blog: http://lalajisureshika.blogspot.com
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
*Amila Suriarachchi*
Software Architect
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware
phone : +94 71 3082805
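The header policy argued for in the thread, written out as an added example (not WSO2 API Manager code): the gateway decides per resource whether it performed the authorisation, and drops the `Authorization` header only in that case. The auth type names, the `Bearer` scheme and the table of API Manager issued tokens are constructed assumptions.

```python
# Added example, not WSO2 code. Models the gateway handler behaviour discussed
# on the list: strip the Authorization header only when the API Manager itself
# validated the token; when the resource auth type is "None", forward headers
# untouched so a token issued by the back end reaches the back end.

APP_TOKEN = "Application"          # constructed auth type names
APP_USER_TOKEN = "Application User"
NONE = "None"

# Constructed: tokens issued by the API Manager, with the resources they may call
API_MANAGER_TOKENS = {
    "am-token-123": {"allowed": {"/orders", "/orders/{id}"}},
}


class AuthError(Exception):
    """Raised when the gateway performs authorisation and it fails."""


def handle_request(resource_path, resource_auth_type, headers):
    """Return the headers the gateway forwards to the back end.

    resource_auth_type NONE: the gateway skips authorisation and forwards the
    request as-is (the token, if any, was issued by the back end).
    Any other auth type: the token must be one the API Manager issued and be
    allowed for this resource; it is then consumed here and not forwarded.
    """
    forwarded = dict(headers)
    if resource_auth_type == NONE:
        return forwarded

    # Header names are case-insensitive; find the Authorization header if present
    auth_key = next((k for k in headers if k.lower() == "authorization"), None)
    if auth_key is None:
        raise AuthError("missing Authorization header for secured resource")

    scheme, _, token = headers[auth_key].partition(" ")
    if scheme != "Bearer" or token not in API_MANAGER_TOKENS:
        raise AuthError("token was not issued by API Manager")
    if resource_path not in API_MANAGER_TOKENS[token]["allowed"]:
        raise AuthError("token not permitted for %s" % resource_path)

    # Authorisation happened at the gateway, so the token was intended for it:
    # drop the header so it is not replayed to the back end.
    del forwarded[auth_key]
    return forwarded
```

Because the decision is made per resource rather than by one global drop/forward switch, a deployment that mixes secured and pass-through APIs behaves correctly for both.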
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
