[Apiman-user] applications without plans?
Eric Wittmann
eric.wittmann at redhat.com
Wed Oct 14 09:57:37 EDT 2015
That's an imaginative use of apiman and it should work precisely as you
have described it. You are right that if you use applications, then you
must also have at least one plan. The API key is necessary in this
situation because the gateway will need to know which application is
calling the service (so that it can pick the right set of policies to
apply).
Your only other solution would be a custom authentication policy, which
would obviously allow you to do whatever you wanted. In that scenario,
you will presumably still need to identify the application/organization
in some way. For example, each application would need to identify
itself via a custom http header, or a query param, etc.
-Eric
On 10/14/2015 9:46 AM, Tim Dudgeon wrote:
> I'm wanting to do something that may not be possible :-)
>
> I have a service that I want to offer to multiple organisations.
> I want the users of each organisation to authenticate according to the
> needs or that organisation (e.g. against their own LDAP server).
> I do not want to have to handle API keys as I have lots of organisations
> and lots of services and lots of versions of those services, so think
> managing those keys will fast become a nightmare. I am happy to use the
> service as a public service, as long as the user is authenticated and
> authorized.
>
> e.g. I think what I want to do is create an application in each
> organisation with a policy that does the authentication, and use a
> public service that does the authorization based on expected role
> granted to the user.
> But the only way I can see to do this is to use plans, which involve the
> need for API keys.
>
> Any ways to do this?
>
> Tim
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
More information about the Apiman-user
mailing list