Exposing an OAuth-secured REST service as non-secured using WSO2 ESB
I have an OAuth-secured REST service "Oservice". The client (who wants to access OService) is not able to request a token at the service's token generator. I would like the WSO2 ESB to handle this for the client:
1) The ESB should have an API which receives the request from the client, adds the name + password and sends this request to the token generator.
2) The ESB should receive the token, add the token to the message from the client and forward it to the Oservice.
3) The Oservice receives the message from the ESB, validates the token and replies with the correct content to the ESB, and the ESB forwards the reply to the client.
I was trying to find out whether the OAuth mediator does this, but wasn't successful, since the documentation for the OAuth mediator is rather short. Does anyone have an idea how to deal with this scenario?
Thanks a lot!
EDIT:
The goal is to use the ESB to expose a secured service as non-secured to clients. I hope this clarifies a bit.
The OAuth mediator can only be used to validate the OAuth access token that comes with the request. In your use case the back-end REST service is secured with OAuth and the request which comes via the ESB should have the access token. In this case the OAuth mediator is of no use since token validation happens at the backend, not at the ESB. This article explains how OAuth works. In steps 2 and 3 you will anyway need human intervention to authenticate the resource owner, which is not designed to be done programmatically. So your complete requirement does not seem to be valid because the final resource is accessed by the application, not the resource owner.
However, I think some part of your requirement can be fulfilled. Say you have two REST APIs, API1 and API2, in the ESB.
Hope this helps
In your case you may use the OAuth2 resource owner credentials grant type, which is used when there is a high level of trust in the application that uses the resource owner's credentials.
Hope it helps.
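The three-step flow the question describes, combined with the resource owner password credentials grant the second answer points to, as an added example that is not code from the question, either answer, or WSO2. It is written in Python rather than Synapse XML so the whole exchange can run offline: the token generator and the OAuth-protected "Oservice" are simulated in-process, and the `TokenInjectingProxy` class plays the role of the ESB API that adds the username/password, obtains a token and forwards the client's message with a bearer header. The client id and secret, the user "alice", the 60-second token lifetime and the request paths are all constructed assumptions; a real ESB mediation would send the same form-encoded token request and bearer header over HTTP to the real endpoints.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode

# --- Simulated OAuth2 authorization server (constructed stand-in for the "token generator") ---
VALID_USERS = {"alice": "s3cret"}                              # resource owner credentials (constructed)
CLIENT_ID, CLIENT_SECRET = "esb-client", "esb-client-secret"  # client registered for the ESB (constructed)
TOKEN_TTL = 60                                                 # seconds (constructed)
issued_tokens = {}                                             # access_token -> expiry timestamp


def token_endpoint(headers, body):
    """POST /oauth2/token handling the resource owner password credentials grant (RFC 6749 section 4.3).
    Returns (http_status, json_body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, csec = base64.b64decode(auth[6:]).decode().split(":", 1)
    except Exception:
        return 401, {"error": "invalid_client"}
    # constant-time comparison of client credentials
    if not (secrets.compare_digest(cid, CLIENT_ID) and secrets.compare_digest(csec, CLIENT_SECRET)):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    expected = VALID_USERS.get(form.get("username", ""))
    if expected is None or not secrets.compare_digest(expected, form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    issued_tokens[token] = time.time() + TOKEN_TTL
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


# --- Simulated OAuth-protected REST backend ("Oservice"): validates the bearer token itself ---
def oservice(headers, path):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    expiry = issued_tokens.get(auth[7:])
    if expiry is None or expiry < time.time():
        return 401, {"error": "invalid_token"}
    return 200, {"resource": path, "owner": "alice"}


# --- The ESB side: what the question's API (step 1 and 2) has to do ---
class TokenInjectingProxy:
    def __init__(self, username, password):
        self._username, self._password = username, password
        self._token, self._expiry = None, 0.0

    def _fetch_token(self):
        """Step 1: add the stored name + password and call the token generator."""
        basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        body = urlencode({"grant_type": "password",
                          "username": self._username, "password": self._password})
        status, resp = token_endpoint({"Authorization": "Basic " + basic,
                                       "Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed: {resp}")
        self._token = resp["access_token"]
        # refresh a little before expiry so an about-to-expire token is never forwarded
        self._expiry = time.time() + resp["expires_in"] - 5

    def _token_value(self):
        if self._token is None or time.time() >= self._expiry:
            self._fetch_token()
        return self._token

    def handle(self, client_headers, path):
        """Step 2: unauthenticated client request in, bearer-authenticated backend request out."""
        # drop any Authorization header the client sent so nothing can be smuggled to the backend
        fwd = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
        fwd["Authorization"] = "Bearer " + self._token_value()
        status, resp = oservice(fwd, path)
        if status == 401:
            # token rejected server-side (revoked or expired): get a fresh one and retry once
            self._fetch_token()
            fwd["Authorization"] = "Bearer " + self._token
            status, resp = oservice(fwd, path)
        return status, resp  # step 3: the backend's reply goes back to the client unchanged
```

Two points a practitioner should take from this. First, the ESB now holds a resource owner's password and anyone who can reach the ESB API acts as that user, so the ESB-facing API needs its own access control and the credentials belong in the ESB's secret store, not inline in the sequence. Second, the proxy discards the client's own Authorization header and handles token expiry and server-side rejection itself; without that, a stale cached token would turn into a 401 for every client until the ESB restarted.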