Fwd: Handling web apps though App Manager that calling to OAuth secured APIs

3 messages

Fwd: Handling web apps though App Manager that calling to OAuth secured APIs

Dinusha Senanayaka


Hi,

The diagram explains the scenario where we need to generate an access token using the SAML token generated at the AppM gateway.

 Inline image 1
Option 1

- When publishing the web app in AppM, provide a section to get the details of the token endpoint, consumer key and consumer secret if that web app needs to access some OAuth secured API.
- The first time a user accesses the web-app through the AppM gateway, use the same SAML response generated, call the given token endpoint/s and get the access tokens. Then pass them to the web-app as an HTTP header, so from the web-app they can read the token and pass it when calling the APIs.

Issues with option 1
i. We are passing the token header to the back-end every time, i.e. even when accessing a page that does not call the APIs.
ii. How to handle token expirations?

We could suggest two solutions to issue (ii).
i. At the time we generate the access token/s, we can keep details like expiry time, refresh token etc. on the AppM gateway side. Then we could keep checking the expiry time of the access tokens when the web-app is accessed through the gateway. If expired, issue a new token. (This solution would be more inefficient, since we have to check the expiry time for all gateway calls that come for that web-app.)

ii. The other solution would be to provide some API on the AppM side, so that if the token expires the web-app needs to call that API with the SAML token and request a new token. (Prabath/Johan do not like this solution, since the AppM gateway is going to be tightly coupled with the web-app. :-) )

Prabath/Johan suggested the following solution,

Option 2
- Say that the actual web-app is hosted in Tomcat and that web-app needs to call some OAuth protected APIs. Instead of directly calling the APIs, they should have configured a proxy in the Tomcat server to forward these direct API calls to the AppM gateway.
One implementation issue I'm having is how we are going to distinguish between normal web-page access and these API calls that come to the AppM gateway. Appreciate any thoughts on this.


Regards,
Dinusha.



--
Dinusha Dilrukshi
Senior Software Engineer
WSO2 Inc.: http://wso2.com/
Mobile: +94725255071
Blog: http://dinushasblog.blogspot.com/

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: Fwd: Handling web apps though App Manager that calling to OAuth secured APIs

venura
Hi,


On Sun, Mar 9, 2014 at 11:13 AM, Dinusha Senanayaka <[hidden email]> wrote:


Option 2
- Say that actual web-app is hosted in Tomcat and that web-app need to call some OAuth protected APIs. Instead of directly calling to APIs, they should have configured a proxy in Tomcat server to forward these direct API calls to AppM gateway.
Some implementation issues that I'm having is, how we are going to distinguish between normal web-page access and this API call that comes to AppM gateway. Appreciate any thoughts on this.

Are we planning to make the external API call from the AppM gateway? If so, how are we going to send details such as the external API endpoint to the gateway?
IMO we are adding additional overhead to the gateway with this functionality, and this is not any less coupled with the web application, since the gateway is going to make an API call on behalf of a web application.
 


Regards,
Venura

--
Senior Software Engineer

Mobile: +94 71 82 300 20



Re: Fwd: Handling web apps though App Manager that calling to OAuth secured APIs

Dinusha Senanayaka

Hi Venura,

On Sun, Mar 9, 2014 at 11:28 AM, Venura Kahawala <[hidden email]> wrote:
Hi,


On Sun, Mar 9, 2014 at 11:13 AM, Dinusha Senanayaka <[hidden email]> wrote:


Option 2
- Say that actual web-app is hosted in Tomcat and that web-app need to call some OAuth protected APIs. Instead of directly calling to APIs, they should have configured a proxy in Tomcat server to forward these direct API calls to AppM gateway.
Some implementation issues that I'm having is, how we are going to distinguish between normal web-page access and this API call that comes to AppM gateway. Appreciate any thoughts on this.

Are we planning to make the external API call from the AppM gateway? If so, how are we going to send details such as the external API endpoint to the gateway?
 
AFAIU, one possibility would be something like the following. The web-app itself will have these details: token endpoint, consumerKey, consumer secret etc. Also the web-app itself will call the token generation and API access. It needs to call the token endpoint using the SAML grant type to get a token. At the time it calls the token endpoint, the required SAML token will be null. But since we have configured a proxy to redirect this call to the AppM gateway, we could add the SAML token into the request and get the access token for the web-app. Then pass the token to the web-app.

Next time, when the web-app calls the secured API using this OAuth token, that call will also be redirected to the AppM gateway through the proxy. So the AppM gateway will be the one actually calling the secured API. If the token has expired, it could get a new access token and pass it to the web-app. @Prabath/Johann, correct me if I'm wrong here.

The advantage of this method is that the AppM gateway does not need to keep the token endpoint details or token expiry time etc. (But I still have the issue of identifying these API calls versus the normal web page access calls that come to the gateway.)
 
IMO we are adding additional overhead to the gateway with this functionality, and this is not any less coupled with the web application, since the gateway is going to make an API call on behalf of a web application.

Regards,
Dinusha.
 






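Added example (editor's illustration, not App Manager code or anything the thread participants wrote) covering two points from this thread: the gateway-side token store from the first mail (Option 1, solution (i): keep expiry time and refresh token per web-app and renew when a token expires) and the question repeated in the last mail of telling API calls apart from ordinary page requests. The token endpoint is an offline stub, the grant type string is the SAML 2.0 bearer grant from RFC 7522, and the assumption that API traffic is recognised by a per-app path prefix (api_prefix) is mine; all class, field and function names are illustrative.

```python
"""Gateway-side token handling for a SAML-authenticated web-app.

Added example for this thread, not App Manager's own code. It models:
  * Option 1, solution (i) from the first mail: the gateway exchanges the
    SAML assertion for an OAuth token, keeps expiry + refresh token per
    (web-app, subject), and renews only when a token is about to expire.
  * The open question about telling API calls from page requests: an
    ASSUMED per-app path prefix (default "/api/") marks API traffic, and
    only those requests get the Authorization header.

The token endpoint is an offline stub; the grant type string is the SAML 2.0
bearer grant from RFC 7522. All names below are illustrative.
"""
import base64
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CLOCK_SKEW = 30  # seconds before expiry at which we renew early


@dataclass
class AppConfig:
    """Details the publisher supplies for a web-app (assumed field names)."""
    name: str
    token_endpoint: str
    consumer_key: str
    consumer_secret: str
    api_prefix: str = "/api/"  # assumption: how API calls are recognised


@dataclass
class CachedToken:
    access_token: str
    refresh_token: str
    expires_at: float


class StubTokenEndpoint:
    """Offline stand-in for an OAuth token endpoint (constructed for the example)."""

    def __init__(self, lifetime: int = 300):
        self.lifetime = lifetime
        self.calls: List[Tuple[str, str]] = []  # (grant_type, client_id) log

    def post(self, form: Dict[str, str], client_id: str, client_secret: str) -> Dict[str, object]:
        if not (client_id and client_secret):
            raise PermissionError("invalid_client")
        grant = form["grant_type"]
        if grant == SAML2_BEARER:
            base64.urlsafe_b64decode(form["assertion"])  # a real server validates the XML
        elif grant != "refresh_token":
            raise ValueError("unsupported_grant_type")
        self.calls.append((grant, client_id))
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": secrets.token_urlsafe(16),
                "expires_in": self.lifetime}


class GatewayTokenManager:
    """Holds one token per (app, subject) and renews it shortly before expiry."""

    def __init__(self, endpoint: StubTokenEndpoint):
        self.endpoint = endpoint
        self._cache: Dict[Tuple[str, str], CachedToken] = {}

    def _exchange(self, key, app, form, now) -> CachedToken:
        resp = self.endpoint.post(form, app.consumer_key, app.consumer_secret)
        tok = CachedToken(str(resp["access_token"]), str(resp["refresh_token"]),
                          now + int(resp["expires_in"]))
        self._cache[key] = tok
        return tok

    def token_for(self, app: AppConfig, subject: str, saml_assertion_xml: str, now=None) -> str:
        """Return a usable access token, issuing or refreshing as needed."""
        now = time.time() if now is None else now
        key = (app.name, subject)
        tok = self._cache.get(key)
        if tok is None:
            # First access: SAML2 bearer grant with the gateway's assertion
            assertion = base64.urlsafe_b64encode(saml_assertion_xml.encode()).decode()
            tok = self._exchange(key, app, {"grant_type": SAML2_BEARER, "assertion": assertion}, now)
        elif now >= tok.expires_at - CLOCK_SKEW:
            # Expiring: use the stored refresh token instead of a new SAML exchange
            tok = self._exchange(key, app, {"grant_type": "refresh_token",
                                            "refresh_token": tok.refresh_token}, now)
        return tok.access_token

    def outbound_headers(self, app: AppConfig, subject: str, saml_assertion_xml: str,
                         path: str, now=None) -> Dict[str, str]:
        """Attach a bearer token only to API calls; plain page requests get nothing."""
        if not path.startswith(app.api_prefix):
            return {}
        return {"Authorization": "Bearer " + self.token_for(app, subject, saml_assertion_xml, now)}


if __name__ == "__main__":
    ep = StubTokenEndpoint()
    gw = GatewayTokenManager(ep)
    app = AppConfig("shop", "https://idp.example/oauth2/token", "consumer-key", "consumer-secret")
    saml = "<saml:Assertion>constructed sample</saml:Assertion>"
    print(gw.outbound_headers(app, "alice", saml, "/home"))        # {}
    print(gw.outbound_headers(app, "alice", saml, "/api/orders"))  # Bearer ...
    print(ep.calls)
```

The expiry check is one dictionary lookup plus a comparison per request, which is the cost the first mail worried about; what it avoids is a second SAML exchange, since renewal goes through the refresh token the gateway already holds. Page requests never see the token at all, which addresses issue (i) of Option 1.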