Hi All,

I'm initiating this mail thread to discuss more about the JWT token revocation feature we are planning to implement for the API Manager micro-gateway.

In the API Manager micro-gateway we support both OAuth access tokens and JWT access tokens. When we use OAuth access tokens we can revoke them and make it take effect immediately: since all OAuth tokens are validated with the key manager, revoked tokens will fail validation. When we use JWT tokens we do token validation within the gateway itself without calling the key manager or an external party. Since a JWT is self-contained, we basically trust its content as long as the token is not expired and the signature is valid. Then revocation becomes a problem.
So we will need some mechanism to propagate revoked token details to the micro-gateways as well. Since revoking by the self-contained token content is ineffective (there can be multiple token contents for the same valid JTI, because the generation time and signature change), the most suitable way of doing this is using the JTI to identify revoked tokens. When a JWT is revoked we need to revoke it by its JTI. If we can send the revoked JTI list to the micro-gateway, then we can check it as part of the key validation process.

We need to find a way to send revoked JTIs to the micro-gateways:

- Pub/sub model - all gateways subscribe to a topic and get updated about revoked tokens.
- Pull model - micro-gateways call the key manager or management server and get updates about revoked tokens.
- Push model - the management server or a key manager plugin calls all deployed micro-gateways and sends the revoked JWT list.

Each of these methods will have its own advantages and disadvantages. Let's use this mail to discuss those in detail and come to a conclusion.

Thanks,
sanjeewa.

--
Sanjeewa Malalgoda
Software Architect | Associate Director, Engineering - WSO2 Inc.
Blogger <http://sanjeewamalalgoda.blogspot.com>, Medium <https://medium.com/@sanjeewa190>
Architecture mailing list - https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
