Open bajiat opened 8 years ago
@bajiat 1) For the OAuth2 protocol we can have a few scenarios of authentication; I suppose we don't need to support all of them?:
a) "Grant Type: Authorization Code": the user is redirected to the API website and sees what kind of credentials, and to which app, he will give access.
b) "Grant Type: Implicit": used for mobile apps.
c) "Grant Type: Resource Owner Password Credentials": by username and password.
d) "Grant Type: Client Credentials": gives the application a way to access its own service account or resources that do not require a particular user's access_token but have limits.
All of the above scenarios are described in detail here: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
2) Do we need a UI for that feature? At the end of the authentication flow we will get an access_token, so I suppose we don't need any UI?
After researching the options for where we need to implement OAuth2 Authorization: it will be much better to implement it on the "platform" side. That will give us more flexibility to support any number of api-proxies, without having the OAuth2 Authorization feature on them.
We will need to allow the user to set new settings per api-backend:
In both cases we will need to cover the "platform" (Authorization) and "api-umbrella" with SSL.
Pros:
Cons:
@ilarimikkonen what is your opinion about this?
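To make the "Authorization Code" scenario above concrete, here is an added, self-contained model of that grant (not code from the Apinf or Api Umbrella projects): a client starts a login with a `state` value, the authorization server issues a single-use code bound to the registered `redirect_uri`, the client exchanges it on the back channel for a Bearer access_token, and an API proxy validates that token (RFC 7662-style introspection) before forwarding. The class names, the `demo-app` client registration and the `read` scope are constructed for this illustration.

```python
# Added example, not project code: in-memory OAuth2 Authorization Code grant
# ending in a Bearer access_token that an API proxy checks before forwarding.
# Names, the "demo-app" registration and the "read" scope are constructed.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60       # authorization codes are short-lived and single-use
TOKEN_TTL = 3600    # access tokens expire


class AuthorizationServer:
    """Issues codes/tokens; the proxy asks it whether a token is active."""
    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self._codes, self._tokens = {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        # User has consented: bind the code to client + exact redirect_uri, echo state.
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, scope, time.time() + CODE_TTL)
        return registered_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back-channel exchange: authenticate the client, consume the code once.
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        bound_client, bound_uri, user, scope, expires = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expires:
            raise PermissionError("code not valid for this client/redirect")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scope, time.time() + TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def introspect(self, token):
        # Response shape follows RFC 7662; the proxy only trusts "active": True.
        entry = self._tokens.get(token)
        if entry is None or time.time() > entry[2]:
            return {"active": False}
        return {"active": True, "username": entry[0], "scope": entry[1]}


class Client:
    """The app that wants to call the API on the user's behalf."""
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self._pending_states = set()

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)   # CSRF guard for the callback
        self._pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def handle_callback(self, url):
        params = parse_qs(urlparse(url).query)
        state = params.get("state", [None])[0]
        if state not in self._pending_states:
            raise PermissionError("unexpected state; dropping callback")
        self._pending_states.discard(state)
        return self.server.token(self.client_id, self.client_secret,
                                 params["code"][0], self.redirect_uri)


class ApiProxy:
    """Stands in for the proxy: validates the Bearer token, then forwards."""
    def __init__(self, server, required_scope):
        self.server, self.required_scope = server, required_scope

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.server.introspect(auth[len("Bearer "):])
        if not info["active"]:
            return 401, "token inactive"
        if self.required_scope not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, "forwarded to backend as " + info["username"]


def run_flow():
    """Drive one login end to end and return what each stage produced."""
    server = AuthorizationServer({"demo-app": ("s3cret", "https://app.example/cb")})
    client = Client(server, "demo-app", "s3cret", "https://app.example/cb")
    proxy = ApiProxy(server, required_scope="read")
    req = client.start_login(scope="read")
    redirect = server.authorize(req["client_id"], req["redirect_uri"],
                                req["scope"], req["state"], user="alice")
    grant = client.handle_callback(redirect)
    ok = proxy.handle({"Authorization": "Bearer " + grant["access_token"]})
    forged = proxy.handle({"Authorization": "Bearer not-a-real-token"})
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:                                   # the same code cannot be exchanged twice
        server.token("demo-app", "s3cret", code, "https://app.example/cb")
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    return {"token_type": grant["token_type"], "ok": ok, "forged": forged, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
```

The proxy never sees user credentials; it only needs a way to ask the authorization server whether a token is active and which scope it carries, which is the part that would have to live either in the "platform" or in the proxy itself.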
There is already OAuth support in Api Umbrella, made by ficodes. We need to study this to see how we can leverage it in our platform.
Study the options for supporting OAuth2 for API proxy authentication (for the purpose of authenticating a user for closed APIs). Investigate whether we will need to contribute to Api Umbrella or whether we can support OAuth2 authentication through Apinf layer only. The assumption is that authentication happens in the proxy. Document the conclusions and estimate the effort needed.
Please note that we are not discussing authentication into Apinf, only for APIs.
See related issue in Api Umbrella: https://github.com/NREL/api-umbrella/issues/38
Related user story
Related to #570
Definition of done