Hi Ayesha, Please see my mail "Authentication and Authorization for Rest APIs in Carbon Products" on [email protected].
On Fri, Oct 21, 2016 at 12:37 PM, Ayesha Dissanayaka <[email protected]> wrote:

> On Thu, Oct 20, 2016 at 9:36 PM, Isura Karunaratne <[email protected]> wrote:
>
>> We need to secure recovery APIs and self-registration APIs (*api/identity/recovery* and *api/identity/user*).
>
> I've been looking at securing self-registration APIs (*api/identity/user*) with the Generic Authentication Mechanism for all the REST APIs in [1] for the purpose of testing the IDENTITY-4742 feature.
>
> Wires in IDENTITY-4742 work as expected. However, a few concerns were raised as I was testing the self-registration REST API.
>
> 1. What is the correct Authentication mechanism for securing this API? MutualAuth??

Any of the authentication mechanisms we have now must work because technically we don't have a dependency on the exact authenticator implementation. However, mutual authenticator without username (as I have explained in the mail) will be suitable for this.

> 2. When basicAuth headers are sent to the self-registration API, authenticated users can create new users in cross domains (in another tenant). Shouldn't this be handled at API level?

I have explained this with broader context in the other mail. We need to treat this as high priority and fix this for 5.3.0 because it's a security concern.

> [1] https://wso2.org/jira/browse/IDENTITY-4742
>
> Regards,
> -Ayesha
>
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: [email protected]
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Thanks & Regards,
*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
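The second concern in the thread (a basic-auth caller creating users in another tenant) is the kind of check that belongs in the API layer rather than in the authenticator. The following is an added illustration, not WSO2 code: it assumes the Carbon convention that a fully qualified username is `<local-name>@<tenant-domain>` with the tenant being everything after the last `@`, that a name without a tenant suffix belongs to `carbon.super`, and it uses a constructed in-memory user store.

```python
"""Tenant-scope guard for a self-registration endpoint (constructed example,
not WSO2 Identity Server code). Assumed conventions: the tenant domain is the
part of a username after the LAST '@', and a bare name lives in carbon.super."""
from dataclasses import dataclass

SUPER_TENANT = "carbon.super"  # assumption: Carbon's default super-tenant domain


@dataclass(frozen=True)
class Principal:
    name: str    # local username the caller authenticated with, e.g. "admin"
    tenant: str  # tenant domain the caller authenticated against


def split_tenant(username: str) -> tuple[str, str]:
    """'alice@tenant.com' -> ('alice', 'tenant.com'); 'alice' -> ('alice', SUPER_TENANT).
    Email-style local names keep their own '@': 'a@b.com@t.com' -> ('a@b.com', 't.com')."""
    if "@" not in username:
        return username, SUPER_TENANT
    local, _, tenant = username.rpartition("@")
    if not local or not tenant:
        raise ValueError(f"malformed username: {username!r}")
    return local, tenant.lower()


class CrossTenantError(PermissionError):
    """Raised when the caller tries to act outside the tenant it authenticated to."""


def register_user(caller: Principal, new_username: str, store: dict) -> str:
    """API-level check: the tenant of the user being created must equal the
    tenant the caller authenticated to, regardless of what the request carries.
    Returns the fully qualified name of the user that was created."""
    local, target_tenant = split_tenant(new_username)
    if target_tenant != caller.tenant.lower():
        raise CrossTenantError(
            f"{caller.name}@{caller.tenant} may not create users in tenant {target_tenant}")
    qualified = f"{local}@{target_tenant}"
    if qualified in store:
        raise ValueError(f"user already exists: {qualified}")
    store[qualified] = {"created_by": f"{caller.name}@{caller.tenant}"}
    return qualified
```

Note that under this convention an email-style login such as `alice@example.com` is read as user `alice` in tenant `example.com`, so deployments using email usernames must send the explicit tenant suffix.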
