[ 
https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306585#comment-17306585
 ] 

Michael Brohl commented on OFBIZ-12033:
---------------------------------------

Hi [~gvasmatkar] ,

I have now checked again and I am still unsure about the authentication 
mechanism.

I have taken any user login (demoemployee in this case) and can get an 
authentication token to use the REST API with his credentials. I can then use 
the findProductById service through REST and have access to the product data.

If I login to the webtools with this user, access is restricted to only the 
party and humanres components. I have no access to the catalog manager and 
products.

I think we should have *strict authentication* to access the REST API 
(endpoints or sets) through explicit permissions. A user must *explicitly* be 
allowed to access a specific API set to be able to authenticate and get an 
access token *for the specific API set only*.

That also means that we cannot use the /auth/token API without context. It 
should only be used within the API context like

/webshop/v1/auth/token

/my-api/auth/token

etc.

The API then has to check if the user is allowed to use /webshop or /my-api 
before it generates an access token. The access token should only be valid for 
the API it is generated for.

That means, if I get a token with /webshop/v1/auth/token this cannot be used 
for /my-api.

If we can agree on this, the next steps would be to be able to show different 
Swagger UIs for every API set and have the /auth/token request respect the 
context it is used in.

What do you think? Does it make sense to you?

I would also appreciate others to join the discussion and get opinions from 
different perspectives.

> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Girish Vasmatkar
>            Priority: Minor
>
> We're using userLogin service to 
> authenticate users before generating auth tokens for REST API and GraphQL 
> calls. However, we figured that a session is also getting created and 
> returned in response which is defeating the purpose of having an API in 
> place. Even though that session is not getting used anywhere when subsequent 
> calls are made using the token, we still think it is an extra session lying 
> around in tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service 
> (basicAuthUserLogin) that would just do username/password matching and be 
> done with it without ever calling request.getSession(). This will ensure that 
> APIs are stateless and no session is generated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)