Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers
Also please note that - Identity Server also has the concept of authenticators. Once you come up with a plan, can we please do an API review? Ideally we should be able to consume the authentication handler both in ESB and in IS...

Thanks & regards,
-Prabath

On Thu, Sep 25, 2014 at 11:35 AM, Ravindra Ranwala ravin...@wso2.com wrote:

Hi All,

Thanks a lot for the valuable feedback given. We'll consider all these things when we implement this solution in our iPAAS.

Regards,

On Thu, Sep 25, 2014 at 11:08 AM, Prabath Siriwardena prab...@wso2.com wrote:

According to the OAuth 2.0 Bearer Token Profile, when accessing a resource protected with OAuth 2.0, the bearer token can go in the HTTP Authorization header or be a form-encoded body parameter or a query parameter. If it’s a query parameter, its value must be access_token. But here, LinkedIn deviates from the OAuth 2.0 Bearer Token Profile. Following is a request to the LinkedIn UserInfo endpoint...

curl https://api.linkedin.com/v1/people/~?oauth2_access_token=AQVKwPCyJoTDl9CZl5ID9S9hig9qd0P

Thanks & regards,
-Prabath

On Thu, Sep 25, 2014 at 11:02 AM, Prabath Siriwardena prab...@wso2.com wrote:

I think it's true to some extent that some OAuth authorization servers (AS) use their own configuration parameters and also somewhat deviate from the OAuth specification. What you can do is - keep basic OAuth 1.0 and 2.0 modules and if you see a given AS has changed the behavior - extend from the correct OAuth module and add the specific behavior there.

Thanks & regards,
-Prabath

On Thu, Sep 25, 2014 at 10:23 AM, Johann Nallathamby joh...@wso2.com wrote:

On Thu, Sep 25, 2014 at 9:24 AM, Ravindra Ranwala ravin...@wso2.com wrote:

> The constraints we encountered are listed below.
> Different OAuth Providers use different OAuth versions.

Yes. There are two versions 1.0a and 2.0. You don't have any way around this because some providers still use 1.0a.

> Different OAuth Providers expose different APIs and different configuration details.

This cannot be true. If they are spec compliant they should expose a standard set of endpoints. E.g. for oauth10a there are 3 standard endpoints, for oauth2 there are two standard endpoints. And since OAuth is a transport level security protocol it should be very easy to extract all the authorization logic out from the connector. E.g. the Bearer access token goes as part of the Authorization header, which means you should be able to set it to the transport header and ESB should handle it in sending it out with the request if I am not mistaken. The connector should not worry about setting these headers even. It's the same for oauth1.0a, except that the message in the header is more complex. Can you be more specific when you say different APIs and different configurations? What you need to see is if they comply with standard OAuth or not.

> This makes it a bit difficult to generalize the Authorization process across different OAuth Providers.
>
> Thanks & Regards,

On Thu, Sep 25, 2014 at 8:58 AM, Johann Nallathamby joh...@wso2.com wrote:

+1 to externalize the authorization logic. It will also help evolve the connectors when OAuth goes out of fashion and another authorization standard rules over it. What kind of difficulties did you come across? As long as it is following OAuth 1.0a or 2.0 standard you should be able to generalize your code.

Thanks,
Johann.

On Thu, Sep 25, 2014 at 8:40 AM, Ravindra Ranwala ravin...@wso2.com wrote:

In the iPAAS integration project for ESB, we are implementing OAuth authorization support for different providers such as Twitter, Google, Salesforce, Facebook, LinkedIn etc. to access their resources from our iPAAS app. Each provider has their own configuration details and APIs for this purpose. So we found that it is very difficult to generalize our solution. If you have any idea of generalizing the OAuth authorization process across different OAuth service Providers please don't hesitate to share your ideas with us.

Thanks & Regards,
--
Ravindra Ranwala
Software Engineer
WSO2, Inc: http://wso2.com
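The "base module plus provider-specific extension" layout suggested in the thread above, as an added example that is not code from the thread or from WSO2. The class and method names are hypothetical, the token is a constructed value, and Java 11+ is assumed for `java.net.http`; the log-redaction helper is included because a token carried in the URL is visible to anything that records request URLs.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;

public class BearerHandlerSketch {

    /** Base module: the standard placement, token in the Authorization header. */
    static class OAuth2BearerHandler {
        HttpRequest authorize(URI resource, String accessToken) {
            return HttpRequest.newBuilder(resource)
                    .header("Authorization", "Bearer " + accessToken)
                    .GET()
                    .build();
        }
    }

    /** Provider extension: the oauth2_access_token query parameter quoted in the thread. */
    static class LinkedInBearerHandler extends OAuth2BearerHandler {
        @Override
        HttpRequest authorize(URI resource, String accessToken) {
            String sep = (resource.getRawQuery() == null) ? "?" : "&";
            String encoded = URLEncoder.encode(accessToken, StandardCharsets.UTF_8);
            URI withToken = URI.create(resource + sep + "oauth2_access_token=" + encoded);
            return HttpRequest.newBuilder(withToken).GET().build();
        }
    }

    /** Tokens in a URL end up in access logs and proxies, so mask them before logging. */
    static String redactForLog(URI uri) {
        return uri.toString()
                .replaceAll("((?:oauth2_)?access_token=)[^&#]*", "$1<redacted>");
    }

    public static void main(String[] args) {
        URI resource = URI.create("https://api.linkedin.com/v1/people/~");
        String token = "constructed-sample-token";   // constructed value, not a real credential

        HttpRequest standard = new OAuth2BearerHandler().authorize(resource, token);
        HttpRequest linkedIn = new LinkedInBearerHandler().authorize(resource, token);

        // The standard handler leaves the URI untouched and carries the token in a header.
        System.out.println("standard URI: " + standard.uri()
                + "  header set: " + standard.headers().firstValue("Authorization").isPresent());
        // The provider-specific handler puts the token in the URI, so log only the masked form.
        System.out.println("linkedin URI: " + redactForLog(linkedIn.uri()));
    }
}
```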
[Architecture] AppFactory .NET Apptype Support
Hi All,

Currently I have been working on .NET app type support in AppFactory.

Phase 1: Create .NET archetype inside AF and enable AF to create a .NET app.
Phase 2: Enable AF to build a .NET apptype.
Phase 3: Deploy .NET apptype with AF.

Phase 1 completed - .NET app type created inside AppFactory as a Maven archetype. So with this phase AppFactory has the capability of creating a .NET web app.

Phase 2 completed - AppFactory already uses Jenkins as its build server, but the current Jenkins itself is not capable of building .NET app types inside AF as it does not have .NET framework and the other needed infrastructure. So AF needed a separate Jenkins installed inside Windows with MSBuild and .NET Framework. So the Jenkins inside AppFactory can use this new Jenkins server as a Windows slave and can use it for building .NET apps inside AF.

Phase 3 in progress - Currently I'm working on enabling the deployment of .NET apptype inside AppFactory.

Thanks,
Kasun

Kasun de Silva
Software Engineer | WSO2 Inc.; http://wso2.com

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] BAM Log monitoring for Cloud
On Thursday, 25 September 2014, Manjula Rathnayake wrote:

> Hi Gimantha,
> If we can correlate log events based on timestamp range from all services (AS, BPS, AF, etc.) that is really useful when identifying issues.

I would recommend that you take a look at the Google Dapper paper http://research.google.com/pubs/pub36356.html regarding distributed tracing. I think this would perfectly solve all correlation issues. For implementation you should have a look at Twitter's Zipkin http://twitter.github.io/zipkin/ or Brave https://github.com/kristofa/brave .

regards,
Thomas
[Architecture] RFC: Building Performance Probes into WSO2 Platform
We have some pretty nice probes already in ESB, that let you look into what is going on in the same running in production. I think we need to do this generally and build it into other products. That should reduce the time we spend debugging issues significantly.

My proposal is to build a probe Lib that looks like the following. There are two kinds of things you need to collect.

1. Throughput at a given point of code (how fast calls go through)
2. Latency between two points.

We will have two types of Probes. Code would look like the following.

    // Throughput probe: call recordThroughput() at the point being measured
    Probe probe = new Probe(Name, throughput, timeDuration);
    // ...
    probe.recordThroughput();

    // Latency probe: measure the time between two points
    Probe probe = new Probe(Name, latency, timeDuration, logLevel);
    // ...
    long id = probe.startTicking(); // this so same probe can be used by many threads
    // ...
    probe.endTicking(id);

Probe will summarise data over the given duration and expose it. We need

1. JMX bean
2. BAM Agent
3. Can turn on, off via JMX agent or via System property
4. Have Tool Box
5. Have in product UI
6. Can be configured to write data to logs

Each probe should be very small and we should be able to create thousands without much effect (e.g. create one for each mediator type).

WDYT?

--Srinath
Re: [Architecture] Performance improvement in Identity Server OpenIDAssociationCache
Hi Tharindu

Yes, synchronization is needed only if the associationCache is null - otherwise it's a bottleneck. Double checked locking is the correct way.

BTW these kinds of queries should go to the @dev list :)

Thanks
Dulanja

On Tue, Sep 2, 2014 at 1:01 PM, Tharindu Edirisinghe tharin...@wso2.com wrote:

In OpenIDAssociationCache, the method to get the singleton instance is synchronized. Isn't it better to improve this by applying double checked locking?

turing/components/identity/org.wso2.carbon.identity.provider/4.2.2/src/main/java/org/wso2/carbon/identity/provider/openid/cache/OpenIDAssociationCache.java

Following is the code segment it currently has.

    /**
     * Returns the singleton of the <code>AssociationCache</code>
     *
     * @return
     */
    public synchronized static OpenIDAssociationCache getCacheInstance() {
        if (associationCache == null) {
            associationCache = new OpenIDAssociationCache();
        }
        return associationCache;
    }

--
Thanks & Best Regards,
Tharindu Edirisinghe
Software Engineer
WSO2 Inc
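Double-checked locking as discussed in this thread, written out as an added example that is not the Identity Server source. The class name `AssociationCacheSketch` is hypothetical, and because the quoted snippet does not show the field declaration, the `volatile` modifier here is an assumption about what the real field would need: without it, the Java memory model allows another thread to observe a non-null reference to an object whose constructor has not finished.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public final class AssociationCacheSketch {

    // volatile gives the write in the synchronized block a happens-before edge
    // to every later unsynchronized read on the fast path.
    private static volatile AssociationCacheSketch instance;

    private AssociationCacheSketch() { }

    public static AssociationCacheSketch getCacheInstance() {
        AssociationCacheSketch local = instance;        // one volatile read when already built
        if (local == null) {
            synchronized (AssociationCacheSketch.class) {
                local = instance;                       // re-check: another thread may have won
                if (local == null) {
                    local = new AssociationCacheSketch();
                    instance = local;                   // publish only the finished object
                }
            }
        }
        return local;
    }

    /** Races the given number of threads through getCacheInstance() and counts distinct results. */
    static int distinctInstancesUnderRace(int threads) throws InterruptedException {
        Set<AssociationCacheSketch> seen = ConcurrentHashMap.newKeySet();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int i = 0; i < threads; i++) {
            pool.submit(() -> {
                start.await();                          // release all threads at once
                seen.add(getCacheInstance());
                return null;
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        return seen.size();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("distinct instances: " + distinctInstancesUnderRace(32));
    }
}
```

The initialization-on-demand holder idiom (a private static nested class holding the instance in a `static final` field) gives the same lazy, lock-free read path without needing `volatile`.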