Hi,

We can use self-contained access tokens [1] for key validation. This is already supported in the latest WSO2 Identity Server. The basic idea is that the token itself contains the relevant information to validate the token, and this avoids outgoing calls for validating tokens.

[1] - https://medium.com/@hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6

Thank you!

On Mon, Jul 31, 2017 at 2:51 PM, Sanjeewa Malalgoda <[email protected]> wrote:

> On Fri, Jul 28, 2017 at 1:12 PM, Sabeena Kumrawadu <[email protected]> wrote:
>
>> Hi all,
>>
>> APIM V3 supports micro API Gateway. With the micro API Gateway we are supporting the gateway to run in offline mode. In a normal API Gateway, a call is made to the APIM core at the gateway initialization time, to retrieve the data, as depicted in the diagram below.
>>
>> [image: Screenshot from 2017-07-26 17-16-48.png]
>>
>> Also, a normal API Gateway will call the keymanager introspect call to validate the OAuth token, which is hard to run in offline mode.
>>
>> In the offline mode, the gateway maintains an API registry, where the relevant information is loaded at the gateway startup, either from the file system or from an external APIM deployment (ex. API cloud). As the initial phase of the project we are going to implement loading the gateway from a local file system. The data here is stored as JSON objects, and is kept in separate folders, as shown in the diagram below. The file system is stored in a folder structure, where it contains subfolders for each of keys, subscriptions, applications, endpoints etc.
>>
>> [image: Screenshot from 2017-07-27 14-17-02.png]
>>
>> Here we need to write a bootstrap script, which will initialize the API gateway from the local file system or retrieve the data from the API cloud. In this manner, the cache is loaded and the gateway totally relies on it, so now the gateway itself has the capability to validate the access token. Moreover the gateway will not call the APIM Core at the gateway initialization time, or any other APIM component. The gateway will run as a standalone component.
>>
>> It is also planned to use a JWT as the next step of this implementation, that is to allow the user to make a JWT-attached API call to the gateway. Once the user sends the JWT with the API call, the gateway should be able to authenticate the user, using the public key.
>>
> Supporting JWT based authentication / user identification is a first class feature and there is nothing to do with offline gateways IMO. If we use the API keys concept then the authorized user will be available in the validation information.
>
>> As of now, once the offline API gateway receives any API call, it will be validated via the already existing file system as below.
>>
> We may not need a file system here. The API gateway has its own way of caching validation information and subscription data. If we can utilize the same (with no expiry time) then we do not need an additional layer. Then we will not need an additional implementation for this. What offline mode needs to do is simply feed the cache. There can be edge cases where we have a large number of entries, which causes cache evictions.
>
> Are we going to engage a different set of handlers for offline gateways? Or modify the same handlers to support gateway mode as well?
>
> Thanks,
> sanjeewa.
>
>> [image: Screenshot from 2017-07-27 17-09-15.png]
>>
>> Note:
>>
>> - Throttling is not handled in the offline mode.
>> - While in the offline mode, the Gateway will not receive any messages from the JMS topic, on API create/update.
>>
>> Feedback on the improvement for the design is much appreciated.
>>
>> Thank you,
>> Best Regards.
>>
>> --
>> *Sabeena Kumarawadu* | Software Engineering Intern
>> WSO2 Lanka (Pvt) Ltd.
>> #20, Palm Grove, Colombo 03, Sri Lanka
>> Mobile: +94 71 0372856
>> Email: [email protected]
>> [image: http://wso2.com/signature]
>
> --
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94713068779
> blog : http://sanjeewamalalgoda.blogspot.com/

--
*Pubudu Gunatilaka*
Committer and PMC Member - Apache Stratos
Software Engineer
WSO2, Inc.: http://wso2.com
mobile : +94774078049
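As an added example (not code from this thread, WSO2 APIM or Identity Server), the check a micro gateway would run on a self-contained RS256 token using only the key manager's public key, with no introspection call. The issuer URL, audience name and the demo RSA key built from two Mersenne primes are constructed for the example; a real deployment would load the key manager's actual public key.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key from two Mersenne primes so the example needs only the
# standard library. It is trivially factorable: for illustration only.
_P, _Q, _E = 2**521 - 1, 2**127 - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
_K = (_N.bit_length() + 7) // 8                  # modulus size in bytes
PUBLIC_KEY, PRIVATE_KEY = (_N, _E), (_N, _D)
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa(msg: bytes) -> bytes:                   # PKCS#1 v1.5 encoding of SHA-256(msg)
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (_K - len(t) - 3) + b"\x00" + t

def issue_token(claims: dict, key=PRIVATE_KEY) -> str:
    """Key manager side: mint an RS256 self-contained access token."""
    head = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    n, d = key
    sig = pow(int.from_bytes(_emsa(f"{head}.{body}".encode()), "big"), d, n)
    return f"{head}.{body}.{_b64url(sig.to_bytes(_K, 'big'))}"

def validate_token(token: str, key=PUBLIC_KEY, issuer="https://km.example/oauth2/token",
                   audience="micro-gateway", now=None) -> dict:
    """Gateway side: verify offline with the public key; return claims or raise ValueError."""
    if token.count(".") != 2:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(head_b64)).get("alg") != "RS256":  # pin alg, reject 'none'
        raise ValueError("unexpected alg")
    n, e = key
    sig = int.from_bytes(_unb64url(sig_b64), "big")
    recovered = pow(sig, e, n).to_bytes(_K, "big")
    if not hmac.compare_digest(recovered, _emsa(f"{head_b64}.{body_b64}".encode())):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))       # parse claims only after signature passes
    now = time.time() if now is None else now
    aud = [a] if isinstance(a := claims.get("aud"), str) else (a or [])
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("wrong issuer or audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("not yet valid or expired")
    return claims
```

Because the subscriber, scopes and expiry travel inside the signed token, the gateway needs the public key and its own clock, which is exactly what an offline micro gateway has.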
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
