Hi Isuranga,

We can add an additional header to make this authenticator engaged, e.g. [1].
Better not tie up the authenticator to the hardcoded path "INTROSPECTION_URI".

[1] https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/oauth_introspection.html

Cheers,
Ruwan

On Tue, Mar 12, 2019 at 12:30 PM Isuranga Perera <isura...@wso2.com> wrote:

> Hi all
>
> I'm working on the improvement of client authentication for OAuth2
> Introspection endpoint[1]. Currently, it supports authentication via basic
> authentication and bearer token authentication.
>
> In this improvement, we're going to introduce authentication via client ID
> and secret.
>
> But the problem with this approach is that both basic authentication and
> the $subject have the same authorization header. Because of this reason
> incoming requests have to go through both basic authentication handler and
> $subject authentication handler which results in additional overhead.
>
> The current implementation is as follows[2]. Please provide your insight
> on the $subject.
>
> [1] https://github.com/wso2/product-is/issues/4314
> [2] https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/67
>
> Best Regards
> Isuranga Perera
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Ruwan Abeykoon
Associate Director/Architect,
WSO2, Inc. http://wso2.com <https://wso2.com/signature>
lean.enterprise.middleware.