Hi all,

Up to APIM 2.x.x (C4 implementation), APIM had its own key management component, and subscription validation was done by that component when a token validation request was received by the key manager. But with the C5 implementation, a vanilla Identity Server will be acting as the key manager. Because of that, we can't do subscription validation at the key manager anymore.

Therefore, with C5, the plan is to do the subscription validation at the gateway itself. But, since gateways don't have direct access to the database (as they should be able to run in a DMZ), we need a way to get subscription data to the gateway nodes. Here is the suggested design.

Gateways can receive subscription data in 2 ways:

1) Load all subscription data at server startup. For this, the APIM Core component will have a service to return all subscriptions of all APIs.

2) Load subscription data on-demand, depending on the API requests it receives. For this, the APIM Core component will have a service to return the subscriptions of a given API.

In either case, gateways store the received subscription data in an in-memory data structure. Therefore, gateways should receive subscription updates (new subscriptions, unsubscribe notifications, etc.) too. We are planning to do this using a JMS topic. (This will not be limited to JMS and will be configurable later.) When there are any updates to subscriptions, the APIM Core component will publish that information to a topic to which the gateways are subscribed. Then the gateways can update the subscription data they have stored in memory.

Then we will have a handler at the gateway (most probably the key validation handler itself) that uses the stored subscription data to validate the subscriptions of incoming requests.

Note: The subscription data received by the gateway from APIM Core will contain certain API and Application related information as well. The reason is that we have decided to generate JWT tokens at the gateway nodes, so we need that data to include in the JWT.

Thanks,

--
Bhathiya Jayasekara
Senior Software Engineer,
WSO2 inc., http://wso2.com
Phone: +94715478185
LinkedIn: http://www.linkedin.com/in/bhathiyaj
Twitter: https://twitter.com/bhathiyax
Blog: http://movingaheadblog.blogspot.com
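A sketch of the gateway-side piece of this design, added here as an illustration and not WSO2 code: an in-memory subscription store that is filled either by a bulk load at startup or by an on-demand per-API fetch, kept current by topic events, and consulted by the key validation step. The record shape, the event types (SUBSCRIBE/UPDATE/UNSUBSCRIBE) and the sample data are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of what the APIM Core "all subscriptions" service
# might return at startup; field names are hypothetical.
SAMPLE_SUBSCRIPTIONS = [
    {"api": "PizzaShack", "version": "1.0.0", "consumer_key": "app1-key",
     "app": "PizzaApp", "tier": "Gold", "status": "ACTIVE"},
    {"api": "PizzaShack", "version": "1.0.0", "consumer_key": "app2-key",
     "app": "TestApp", "tier": "Bronze", "status": "BLOCKED"},
]

@dataclass
class Subscription:
    api: str
    version: str
    consumer_key: str
    app: str       # application info carried along so the gateway can put it in the JWT
    tier: str
    status: str

class SubscriptionStore:
    """In-memory subscription cache held by one gateway node."""
    def __init__(self, fetch_api: Optional[Callable[[str, str], List[dict]]] = None):
        self._by_api: Dict[Tuple[str, str], Dict[str, Subscription]] = {}
        self._fetch_api = fetch_api  # on-demand loader (option 2); None = bulk load only

    def load(self, records: List[dict]) -> None:
        for r in records:
            self._put(Subscription(**r))

    def _put(self, s: Subscription) -> None:
        self._by_api.setdefault((s.api, s.version), {})[s.consumer_key] = s

    def apply_event(self, event: dict) -> None:
        """Apply one topic message from APIM Core (event shape is an assumption)."""
        kind = event["type"]
        if kind in ("SUBSCRIBE", "UPDATE"):
            self._put(Subscription(**event["subscription"]))
        elif kind == "UNSUBSCRIBE":
            self._by_api.get((event["api"], event["version"]), {}).pop(event["consumer_key"], None)
        else:
            raise ValueError(f"unknown event type {kind}")

    def validate(self, api: str, version: str, consumer_key: str):
        """Key validation step: returns (allowed, reason, subscription-or-None)."""
        key = (api, version)
        if key not in self._by_api and self._fetch_api is not None:
            self._by_api[key] = {}                 # mark as fetched even if the API has no subscribers
            self.load(self._fetch_api(api, version))
        sub = self._by_api.get(key, {}).get(consumer_key)
        if sub is None:
            return False, "no subscription", None
        if sub.status != "ACTIVE":
            return False, f"subscription {sub.status}", sub
        return True, "ok", sub
```

A subscription that is missing or not ACTIVE is rejected before any token work is done, and the returned record carries the app and tier fields the JWT claims would be built from.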
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
