I'm creating a webservice API using RAML.
I've created RAML with two security schemes:
- OAuth 2.0
- Custom
My first approach was to handle authorization on the basis of a request parameter: I was sending a special parameter inside my request and then delegating the authorization task to one of the authorization engines. But it didn't work; when a request was made to the OAuth server it threw a NullPointerException.
Then I came to know that authorization requests for different authorization schemes should have different URIs, e.g. if a request for OAuth is made then the URI should be like /api/oauth2/authorize?parameters, and for another scheme, say OAuth 1.0, it can be /api/oauth1/authorize?parameters.
To implement this I added two APIkit router flows with different URI patterns.
The first APIkit flow in the attached image is for custom authorization and the second one is for OAuth. As can be seen from the image, I've added the OAuth validator before the APIkit router in the second flow.
I wanted to know if this is the right approach, putting the OAuth validator in that place so that each request gets authenticated, or whether the OAuth validator should be the first element of each resource flow, so that after a request is made OAuth validates the request for the individual resource. I've also read somewhere that in OAuth the request is first authenticated and then access to the protected resource is allowed; in that case I guess my approach of adding the OAuth validator before the APIkit router is correct. However, I'm not sure about it and wanted a second opinion on this whole scenario.
Thank you.
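The two layouts the question compares, modelled as an added Python example; this is not code from the post and not Mule or APIkit configuration. It stands in a validator before a URI-prefixed router (the second flow in the question) next to a router whose resources each carry their own check (the per-resource alternative), and exercises both. Token values, API keys, header names, URIs and resource names are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, str]
Validator = Callable[[Request], Optional[str]]  # returns an error code, or None when valid

# Constructed stand-ins for the OAuth server's token check and for the custom scheme.
OAUTH_TOKENS = {"tok-abc": "read"}  # hypothetical bearer token -> granted scope
CUSTOM_KEYS = {"key-123"}            # hypothetical API keys for the custom scheme


def oauth2_validator(req: Request) -> Optional[str]:
    """Accept only a known bearer token (hypothetical check, not a real introspection call)."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token not in OAUTH_TOKENS:
        return "invalid_token"
    return None


def custom_validator(req: Request) -> Optional[str]:
    """Custom scheme: a hypothetical X-Api-Key header must match a known key."""
    if req.headers.get("X-Api-Key") not in CUSTOM_KEYS:
        return "invalid_key"
    return None


def no_validation(req: Request) -> Optional[str]:
    """Router-level no-op, used when each resource flow is expected to check on its own."""
    return None


class Router:
    """One APIkit-style router: a URI prefix, a validator that runs before routing, and its resources."""

    def __init__(self, prefix: str, validator: Validator):
        self.prefix = prefix
        self.validator = validator
        self.routes: Dict[str, Callable[[Request], Response]] = {}

    def resource(self, path: str):
        def register(fn):
            self.routes[path] = fn
            return fn
        return register

    def handle(self, req: Request) -> Response:
        # Validator first, then routing: every resource under the prefix is covered,
        # including ones added later, and an unauthenticated caller cannot even
        # learn which resource paths exist (401 before any 404).
        err = self.validator(req)
        if err is not None:
            return 401, err
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "no such resource"
        return handler(req)


def requires(validator: Validator):
    """Per-resource variant: the check lives inside an individual resource flow."""
    def wrap(fn):
        def guarded(req: Request) -> Response:
            err = validator(req)
            return (401, err) if err is not None else fn(req)
        return guarded
    return wrap


def dispatch(routers: List[Router], req: Request) -> Response:
    """Pick the router by URI pattern, the way separate APIkit flows are selected by prefix."""
    for router in routers:
        if req.path.startswith(router.prefix):
            return router.handle(req)
    return 404, "unknown api"


oauth_api = Router("/api/oauth2/", oauth2_validator)    # validator before the router
custom_api = Router("/api/custom/", custom_validator)   # second scheme, its own prefix
perflow_api = Router("/api/perflow/", no_validation)    # checks left to each resource


@oauth_api.resource("/api/oauth2/profile")
def profile(req: Request) -> Response:
    return 200, "profile"


@custom_api.resource("/api/custom/status")
def status(req: Request) -> Response:
    return 200, "status"


@perflow_api.resource("/api/perflow/profile")
@requires(oauth2_validator)
def perflow_profile(req: Request) -> Response:
    return 200, "profile"


@perflow_api.resource("/api/perflow/health")
def perflow_health(req: Request) -> Response:
    return 200, "health"  # nobody added the check to this flow, so it is open


ROUTERS = [oauth_api, custom_api, perflow_api]


def call(path: str, headers: Optional[Dict[str, str]] = None) -> Response:
    return dispatch(ROUTERS, Request(path, headers or {}))
```

With the validator in front of the router, an unauthenticated request to a nonexistent resource under /api/oauth2/ is answered 401 rather than 404, and a bearer token presented to the /api/custom/ prefix is rejected because that prefix only knows the custom scheme. The per-resource layout works as long as every flow remembers its own check; the undecorated health resource shows the kind of gap that layout allows.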