Hello,

I have a data model where there is an entity X which is bound to n entities
Y in my application. This entity X can be identified by an OAuth token
generated by the API Manager, and its account exists on the Identity Server:


[image: Inline image 1]
The path to access this entity Y would be something like
/entityY/{entityYId}. This means that an X'-identified entity could access
the entities bound to X.

To ensure that an entity X accesses only its own entities Y, we would like
to implement a layer of authorization on the API Manager where the OAuth
token could be used to identify the entity X.

I can think of two solutions:

- The first one consists of creating an API (via the Publisher) gathering
every permutation of /entityY/{entityYId} for each entity X. And then, by
creating an application (via the Store) for each entity X to ensure that
they have different OAuth token secrets:

[image: Inline image 2]
That way, we ensure that each of the "identified" clients has its own OAuth
key. The main problem is the heavy configuration, because each time we have
to add a Y or X entity, we have to configure the API Manager.


- The second one is to find a way to retrieve the information concerning
the entity X thanks to its OAuth token, via the information stored in the
user store of the Identity Server. Or even just deduce the X entity to do a
custom DB lookup. The main problem is that I don't know how to do it: I know
we can use Mediation Extensions in the API Manager, but I don't know how to
retrieve information from the IS from the implemented sequence.

- The third one could be to use XACML but, if I understood correctly, that
will require the client to send some weird XML/JSON body content (like
the SAML2 authentication request) each time it has to access a
resource.

Can you point me in the right direction, please?

Regards,

Thomas
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
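The check the second option is asking for, written out as an added illustration that is not WSO2 code and not part of the original thread: the gateway layer resolves the caller (entity X) from its bearer token, then verifies that the requested entity Y belongs to that caller before the request goes any further. The token-to-subject table stands in for whatever a token introspection or Identity Server user-store lookup would return, and the ownership table stands in for the application database; both are constructed sample data, and all function names are hypothetical. Denied cross-tenant reads are recorded so they can be alerted on.

```python
"""Object-level authorization for a route shaped like /entityY/{entityYId}.

Added illustration (not WSO2 API Manager or Identity Server code): identify
entity X from the OAuth token, then enforce that it only reads its own Ys.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample data (assumption): what a token-introspection call or a
# user-store lookup on the Identity Server would yield, token -> entity X.
TOKEN_SUBJECTS: Dict[str, str] = {
    "tok-alpha": "X-1",
    "tok-bravo": "X-2",
}

# Constructed sample ownership data (assumption): entity Y -> owning entity X,
# standing in for the custom DB lookup mentioned in the mail.
ENTITY_Y_OWNER: Dict[str, str] = {
    "Y-10": "X-1",
    "Y-11": "X-1",
    "Y-20": "X-2",
}

# Denied cross-entity reads; a SOC can alert on a burst of these per subject.
AUDIT_LOG: List[Dict[str, str]] = []


def resolve_subject(authorization_header: Optional[str]) -> Optional[str]:
    """Map an 'Authorization: Bearer <token>' header to the entity X the token
    was issued to. Returns None for a missing, malformed or unknown token."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):].strip()
    return TOKEN_SUBJECTS.get(token)


def authorize_entity_y(subject: str, entity_y_id: str) -> Tuple[int, str]:
    """Decide (HTTP status, reason) for `subject` reading `entity_y_id`.

    The ownership check is the part that stops X' from reading X's entities
    even though the URL shape /entityY/{entityYId} is the same for everyone.
    """
    owner = ENTITY_Y_OWNER.get(entity_y_id)
    if owner is None:
        return 404, "no such entity Y"
    if owner != subject:
        AUDIT_LOG.append({"subject": subject, "entity_y": entity_y_id, "owner": owner})
        return 403, "entity Y belongs to another entity X"
    return 200, "ok"


def handle_get_entity_y(authorization_header: Optional[str],
                        entity_y_id: str) -> Tuple[int, str]:
    """Gateway-side handler: authenticate the token, then authorize the object."""
    subject = resolve_subject(authorization_header)
    if subject is None:
        return 401, "missing or unknown token"
    return authorize_entity_y(subject, entity_y_id)


if __name__ == "__main__":
    requests = [
        ("Bearer tok-alpha", "Y-10"),   # X-1 reads its own Y
        ("Bearer tok-bravo", "Y-10"),   # X-2 tries to read X-1's Y: denied
        (None, "Y-10"),                 # no token at all
        ("Bearer tok-alpha", "Y-99"),   # nonexistent Y
    ]
    for header, y_id in requests:
        print(header, y_id, handle_get_entity_y(header, y_id))
    print("audit:", AUDIT_LOG)
```

Because ownership is decided per request from the token's subject, the API is published once with a single /entityY/{entityYId} resource rather than one resource permutation per entity X, which is the configuration burden the first option runs into. Whether a denied read returns 403 or a 404 that hides the entity's existence is a design choice to settle up front.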
