Hi,

On Sat, Jan 19, 2013 at 12:48 PM, Amila Suriarachchi <[email protected]> wrote:

> On Fri, Jan 18, 2013 at 12:44 AM, Lalaji Sureshika <[email protected]> wrote:
>
>> Hi Sanjeewa,
>>
>> On Thu, Jan 17, 2013 at 10:29 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>>
>>> Hi All.
>>> At the moment we are removing authorization headers from the API request
>>> when it passes to the actual back end (at the gateway authorization handler).
>>> But for some use cases we need to just pass through the gateway and allow
>>> the actual back end to do authorization. In that case we can define that
>>> resource token type as none (no application or application user). Then the
>>> gateway will skip the authorization process, but it still removes the
>>> authorization headers if available. Ideally it shouldn't remove them, as no
>>> actual authorization happens. Shall we go ahead and avoid removing security
>>> headers? WDYT?
>>>
>>
>> With your suggested way above, it'll handle 1) invoking a secured OAuth
>> back-end endpoint when no auth scheme is required at API level. But it'll not
>> handle 2) invoking a secured OAuth back-end endpoint when an auth scheme is
>> required at API level...
>>
>
> Is this a practical case? The first question is who has issued this OAuth
> token. If API Manager has issued it then authorisation should happen at the
> API Manager level. If the back end service has issued it, it should be at the
> back end. Since this token is dependent on the issuer, I feel practically we
> won't come to this situation.
>

What I meant by the 2nd use case above is, say, a user trying to create an API
from WSO2 APIM for a back-end endpoint, e.g. facebook/twitter endpoints [1],
while keeping OAuth tokens required to authenticate at both the APIM gateway
level and the backend server level...

[1] http://stackoverflow.com/questions/12485734/adding-a-api-to-wso2-api-manager-that-has-oauth-credentials

Thanks;

>> My question is, if we are going to implement the above use case, don't we
>> need to consider the 2nd option I mentioned as well and find a common
>> solution for both flows..
>>
>> And additionally, if we avoid removing security headers for an API request
>> with no auth scheme required at gateway level, whether the back-end endpoint
>> is secured or not, it'll pass the authorization header to the backend.. Is it
>> ok to do so?
>>
>
> I think so. In this case the client sends an OAuth token. So either at API
> Manager or at the back end some authorisation should happen.
>
> For me, if API Manager does the authorisation, it can drop the header
> since the token is intended for API Manager. If not, it has to forward
> that since the back end requires it. If we put an attribute to configure it,
> it may either drop or forward, and hence may not be able to properly handle the
> situation where people use both secured and non-secured APIs at API Manager.
>
> thanks,
> Amila.
>
>> Thanks;
>>
>>> Thanks.
>>> --
>>> *Sanjeewa Malalgoda*
>>> WSO2 Inc.
>>> Mobile : +14084122175 | +94713068779
>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>
>
> --
> *Amila Suriarachchi*
>
> Software Architect
> WSO2 Inc. ; http://wso2.com
> lean . enterprise . middleware
>
> phone : +94 71 3082805

--
Lalaji Sureshika
Software Engineer; Development Technologies Team; WSO2, Inc.;
http://wso2.com/
email: [email protected]; cell: +94 71 608 6811
blog: http://lalajisureshika.blogspot.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
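The thread compares two gateway behaviours: the current one (the authorization handler always strips the Authorization header before forwarding, even for resources whose auth type is "None"), and the proposed one (drop the header only when the gateway itself validated the token, forward it untouched when the resource is configured for back-end authorization). The model below is an added illustration, not WSO2 API Manager code: `Resource`, `handle_request`, `GATEWAY_ISSUED_TOKENS` and the sample requests are all constructed for this example, and the key-manager lookup is a stand-in. It keys the decision on the per-resource auth type rather than a single global attribute, which is the mixed secured/non-secured deployment concern Amila raises.

```python
"""Constructed model of a gateway authorization handler deciding whether the
Authorization header is consumed at the gateway or forwarded to the back end.
Illustrative only; not WSO2 API Manager's own handler."""
from dataclasses import dataclass
from typing import Dict

# Resource-level auth schemes discussed in the thread.
AUTH_NONE = "None"
AUTH_APPLICATION = "Application"
AUTH_APPLICATION_USER = "Application User"

# Stand-in for the key manager's view of tokens it issued (constructed sample).
GATEWAY_ISSUED_TOKENS = {"gw-token-abc"}


@dataclass
class Resource:
    path: str
    auth_type: str  # one of AUTH_NONE / AUTH_APPLICATION / AUTH_APPLICATION_USER


class GatewayError(Exception):
    """Raised when the gateway rejects the request (would be a 401 on the wire)."""


def _find_header(headers: Dict[str, str], name: str):
    """HTTP header names are case-insensitive; return the stored key or None."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def validate_gateway_token(token: str) -> bool:
    """Stand-in for key validation against the key manager (constructed)."""
    return token in GATEWAY_ISSUED_TOKENS


def handle_request(resource: Resource, headers: Dict[str, str],
                   strip_when_unvalidated: bool) -> Dict[str, str]:
    """Return the headers the gateway forwards to the back end.

    strip_when_unvalidated=True  -> current behaviour in the thread: the header
                                    is removed even when auth type is "None".
    strip_when_unvalidated=False -> proposed behaviour: the header is dropped
                                    only when the gateway consumed the token.
    """
    out = dict(headers)
    auth_key = _find_header(out, "Authorization")

    if resource.auth_type == AUTH_NONE:
        # Back end does its own authorization; the token is not ours to judge.
        if strip_when_unvalidated and auth_key is not None:
            out.pop(auth_key)
        return out

    # Gateway-enforced scheme: the token must be one the gateway can validate.
    if auth_key is None or not out[auth_key].startswith("Bearer "):
        raise GatewayError("missing bearer token")
    token = out[auth_key][len("Bearer "):]
    if not validate_gateway_token(token):
        raise GatewayError("token not issued by the gateway")

    # The token was intended for the gateway; don't leak it downstream.
    out.pop(auth_key)
    return out


def demo():
    """Constructed requests covering the cases raised in the thread."""
    passthrough = Resource("/timeline", AUTH_NONE)
    protected = Resource("/orders", AUTH_APPLICATION_USER)
    backend_token_req = {"authorization": "Bearer backend-issued-xyz",
                         "Accept": "application/json"}
    gateway_token_req = {"Authorization": "Bearer gw-token-abc"}

    current = handle_request(passthrough, backend_token_req, True)
    proposed = handle_request(passthrough, backend_token_req, False)
    consumed = handle_request(protected, gateway_token_req, False)
    return {
        "current_forwards_header": "authorization" in current,
        "proposed_forwards_header": "authorization" in proposed,
        "gateway_token_forwarded": "Authorization" in consumed,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the difference: with the current behaviour the back-end-issued token never reaches the back end (so the "None" resource cannot be used against an OAuth-secured endpoint), while the proposed behaviour forwards it; in both modes a gateway-validated token is consumed at the gateway and not leaked to the back end.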
