Exposing an OAuth-secured REST service as non-secured using WSO2 ESB

I have an OAuth secured REST service "Oservice". The client (who wants to access OService) is not able to request a token at the service's token generator. I would like the WSO2 ESB to handle this for the client:

1) The ESB should have an API which receives the request from the client, adds the name and password, and sends this request to the token generator.

2) The ESB should receive the token, add it to the message from the client, and forward it to the Oservice.

3) The Oservice receives the message from the ESB, validates the token and replies with the correct content to the ESB, and the ESB forwards the reply to the client.

I was trying to find out whether the OAuth mediator does this, but wasn't successful, since the documentation for the OAuth mediator is rather short. Does anyone have an idea how to deal with this scenario?

Thanks a lot!

EDIT:

The goal is to use the ESB to expose a secured service as non-secured to clients. I hope this clarifies a bit.

The OAuth mediator can only be used to validate the OAuth access token which comes with the request. In your use case the back-end REST service is secured with OAuth and the request which comes via the ESB should have the access token. In this case the OAuth mediator is of no use since token validation happens at the backend, not at the ESB. This article explains how OAuth works. In steps 2 and 3 you will anyway need human intervention to authenticate the resource owner, which is not designed to be done programmatically. So your complete requirement does not seem to be valid because the final resource is accessed by the application, not the resource owner.

However, I think some part of your requirement can be fulfilled. Say you have two REST APIs, API1 and API2, in the ESB.

  1. Client sends a request to API1 just to trigger the API.
  2. API1 sends a request to the IDP with the Client ID, scope of authorization and callback URL, which is the URL of API2.
  3. The IDP will redirect the client to the authentication page where he will authenticate himself. At this point the client's HTTP request is fulfilled.
  4. The IDP will send the Authorization code to API2.
  5. API2 will use the Authorization code and client secret to get the Access token from the IDP.
  6. Once the Access token is received, API2 can access your Oservice and get the response/resource.
  7. API2 will have to store the response somewhere, like a file.
  8. The client can make another request to, say, API3 to retrieve it.

Hope this helps

In your case you may use the OAuth2 resource owner credentials grant type, which is used when there is a high degree of trust in the application using the resource owner credentials.

  1. Now you may expose the IDP OAuthService (which is a SOAP service) as REST, say API1, at the ESB.
  2. The IDP OAuth service takes as input client id, client secret, resource owner username, resource owner password and grant type (=password) and returns an access token with a validity period.
  3. Now you may call API1 to get the access token and then use that token while calling other OAuth-protected APIs.

Hope it helps.
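The ESB-side logic that the question's steps 1)-3) and this answer's password-grant flow describe, as an added example that is not from the question, the answers or WSO2: the mediator holds the client and resource-owner credentials the client lacks, obtains a token with grant_type=password, caches it until shortly before expires_in elapses, and injects it as a Bearer header before forwarding. The IDP token endpoint and Oservice are constructed stand-ins, and every name and credential here is hypothetical.

```python
import time

# Constructed stand-ins for the IDP token endpoint and the OAuth-protected
# back end; hypothetical names and credentials, not WSO2 or IDP code.
IDP_USERS = {"alice": "s3cret"}                    # constructed resource owner
IDP_CLIENTS = {"esb-client": "esb-client-secret"}  # constructed client
ISSUED = {}                                        # token -> expiry (IDP state)

def idp_token_endpoint(form: dict, now: float) -> dict:
    """Simulated IDP OAuthService: resource owner password credentials grant."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    if IDP_CLIENTS.get(form.get("client_id")) != form.get("client_secret"):
        return {"error": "invalid_client"}
    if IDP_USERS.get(form.get("username")) != form.get("password"):
        return {"error": "invalid_grant"}
    token = f"tok-{int(now)}-{len(ISSUED)}"
    ISSUED[token] = now + 3600
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def oservice(headers: dict, now: float) -> tuple:
    """Simulated Oservice: the back end validates the Bearer token, not the ESB."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token not in ISSUED or ISSUED[token] <= now:
        return 401, "invalid_token"
    return 200, "resource body"

class TokenMediator:
    """API1 logic: credentials stay in the ESB, never in the client request."""
    def __init__(self, client_id, client_secret, username, password):
        self.creds = {"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password}
        self.token, self.expiry, self.token_requests = None, 0.0, 0

    def _get_token(self, now):
        # Refresh 60 s before expiry so a nearly expired token is never forwarded
        if self.token is None or now >= self.expiry - 60:
            resp = idp_token_endpoint(self.creds, now)
            self.token_requests += 1
            if "error" in resp:
                raise PermissionError(resp["error"])
            self.token, self.expiry = resp["access_token"], now + resp["expires_in"]
        return self.token

    def forward(self, client_headers: dict, now=None) -> tuple:
        now = time.time() if now is None else now
        headers = dict(client_headers)                 # copy, never mutate input
        headers["Authorization"] = f"Bearer {self._get_token(now)}"  # step 2
        return oservice(headers, now)                  # step 3: reply flows back
```

Any Authorization header the client sends is deliberately overwritten, so a client cannot smuggle its own token past the ESB.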
