Hi,
Using OAuth will be beneficial & future-proof as well. You can use it
easily when the APIs are exposed to the public. +1 for using OAuth for API
Security.
Thanks,
Best Regards,
Lakshitha Harshan
Software Engineer
Mobile: *+94724423048*
Email: hars...@wso2.com
Blog : http://harshanliyanage.b
Hi,
+1 for OAuth2. Because publisher APIs can be used in mobile devices.
Ex -: customer implements mobile app to publish assets
Also need to think about how customer can extend (customize) the security
with our extension model.
Ex-: Customer writes an extended publisher API and needs to give differen
Thank you everyone for your valuable inputs.
@Udara,
These API endpoints are used by ES publisher App itself and will be invoked
by authorized third party as well. In that way we have enabled accessing ES
back office via remote clients as well.
According to suggestions in this thread having oauth
Hi,
Having basic oauth with HTTPS is kind of secured as long as no third party
is invoking the APIs.
Touched, not typed. Erroneous words are a feature, not a typo.
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailm
> Another question I have on the BackOffice API is - whether this is the
> same API used by the Publisher App itself?
yeap
On Fri, Oct 17, 2014 at 4:09 PM, Chan wrote:
> I believe this is a perfect example for API Everywhere concept. In EMM -
> some APIs are exposed to the devices with this con
I believe this is a perfect example for API Everywhere concept. In EMM -
some APIs are exposed to the devices with this concept. Basically a tomcat
valve validates the security tokens - the security protocol used here is
OAuth.
Another question I have on the BackOffice API is - whether this is the
IMO storing username and password is not the recommended way. So +1 for
oauth security. Maybe we can have both oauth and basic auth if needed. But
if these endpoints are for third party developers who will write some
client code using it I think oauth is the best way.
Thanks & Regards
Danushka Fe
Hi,
The API can be secured using either BasicAuth or OAuth. WSO2 IS SCIM
endpoint is one example.
If BasicAuth is used, the client side might have to store the username/password.
If OAuth is used, and the API is accessed via a browser, the user can be
redirected to the authorization server to get authenticate
Hi Ruchira,
Yes, I need recommendation on how to secure all the REST API endpoints.
Currently publisher app uses both HTTP and HTTPS. Since publisher should be
secured I think we need to disable serving pages/apis in HTTP. In that way
these REST endpoints also will be only HTTPS enabled as they ar
Hi Ayesha,
IMO, if you have an intention to expose your API to third party developers
best way to secure is using OAuth2 where third party developer can generate
his consumer id/secret and generate an API token and use that token to
access APIs. Wso2APIM is using that protocol. If you wish can use
On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka
wrote:
> Hi all,
>
> I have implemented ES Publisher REST API in order to access and perform
> CRUD operations on ES -BackOffice.
>
> Each endpoint is authenticated by a valid Session-ID, passed to the
> endpoint in request header.
>
> In order
Hi all,
I have implemented ES Publisher REST API in order to access and perform
CRUD operations on ES -BackOffice.
Each endpoint is authenticated by a valid Session-ID, passed to the
endpoint in request header.
In order to obtain a session-ID we have implemented a separate authenticate
REST endp