Hi all, What we have currently decided is to add a property to the APIAuthenticationHandler(in the synapse-config) which declares a Base64 encoded JSON object. This JSON object contains scopes and roles of all the resources in the API. So that we can access the property value at the handler and check the roles of the user with the roles which are mapped to the scopes of the resource request. Thank you.
Best regards, Chamod. On Tue, Feb 26, 2019 at 11:58 AM Rajith Roshan <[email protected]> wrote: > What if we include the scopes as properties when generating synapse > definition. In each resource we can add properties where property key > identifies the resource uniquely and property value specifies the scopes. > In synapse config if the same resource path is used with multiple http > methods, then only one <resource> tag will be created. So in property key > value we should incorporate http method and resource path both in order to > uniquely identify the resource. > > On Tue, Feb 26, 2019 at 11:13 AM Chathura Ekanayake <[email protected]> > wrote: > >> @Chamod Samarajeewa <[email protected]> if we send username, password and >> resource to the KM, can't we get the required result from a single call to >> KM? >> >> Agree with Nuwan that we can reduce a DB call at KM if we store scopes in >> synapse definition. Then we can sent username, password and scope (instead >> of resource) to the KM. >> >> On Thu, Feb 21, 2019 at 2:33 PM Nuwan Dias <[email protected]> wrote: >> >>> Yes, if we can maintain the resources and their respective scopes at the >>> synapse definition, we can avoid doing another call to KM (and the DB) at >>> the point of token validation. >>> >>> Also Chamod I guess we will have to come up with a design of how to keep >>> those information in the synapse XML. >>> >>> On Thu, Feb 21, 2019 at 2:27 PM Chamod Samarajeewa <[email protected]> >>> wrote: >>> >>>> Hi all, >>>> >>>> We have currently used the AuthenticationAdmin service to authenticate >>>> a user given the username and password(Basic Authentication). The next step >>>> is to validate whether the scopes bound to a resource are matched with the >>>> user roles. In this case, we might have to access the KeyManager several >>>> times as mentioned below. >>>> >>>> 1) Validate user based on username and password >>>> 2) To check whether the resource has a scope and if so request the >>>> scopes >>>> 3) Request user roles if scopes are bound to the resource >>>> >>>> We thought we can minimize the performance degradation which can happen >>>> due to multiple requests to the Key Manager as below. >>>> >>>> *Solution :* >>>> >>>> When a user publishes an API, the scopes bound to the API should be >>>> added to the Synapse-config. Then, at the runtime we can read the synapse >>>> configuration of API to check whether the resource has a scope bound and if >>>> so what are the scopes without calling the Key Manager. >>>> >>>> I would really appreciate any feedback. Thank you. >>>> >>>> Best regards, >>>> Chamod. >>>> >>>> >>>> On Sat, Feb 16, 2019 at 9:10 PM Chamod Samarajeewa <[email protected]> >>>> wrote: >>>> >>>>> Hi Harsha, >>>>> >>>>> Yes, the user can expose API either OAuth, Basic auth or even both >>>>> with this implementation. Thank you. >>>>> >>>>> Best Regards, >>>>> Chamod. >>>>> >>>>> On Fri, Feb 15, 2019 at 9:34 PM Harsha Kumara <[email protected]> >>>>> wrote: >>>>> >>>>>> Hi Chamod, >>>>>> >>>>>> Can user choose to expose API either OAuth or Basic authentication >>>>>> with this implementation? >>>>>> >>>>>> We need to provide basic authentication agaist user store configured >>>>>> in the key manager. Because most of the timee, gateway won't share user >>>>>> stores. Please add the local user store authentication support as well. >>>>>> We >>>>>> need to look for possible caching mechanism for this. >>>>>> >>>>>> Since we do have mutual authentication as a security scheme, check >>>>>> the best way of providing the basic authentication >>>>>> >>>>>> Thanks, >>>>>> Harsha >>>>>> >>>>>> On Fri, Feb 15, 2019 at 9:07 PM Chamod Samarajeewa <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Adding [email protected] >>>>>>> >>>>>>> On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Chamod, >>>>>>>> >>>>>>>> Can user choose to expose API either OAuth or Basic authentication >>>>>>>> with this implementation? >>>>>>>> >>>>>>>> We need to provide basic authentication agaist user store >>>>>>>> configured in the key manager. Because most of the timee, gateway won't >>>>>>>> share user stores. Please add the local user store authentication >>>>>>>> support >>>>>>>> as well. We need to look for possible caching mechanism for this. >>>>>>>> >>>>>>>> Since we do have mutual authentication as a security scheme, check >>>>>>>> the best way of providing the basic authentication >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Harsha >>>>>>>> >>>>>>>> On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <[email protected]> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Adding [email protected]. >>>>>>>>> >>>>>>>>> >>>>>>>>> ---------- Forwarded message --------- >>>>>>>>> From: Nuwan Dias <[email protected]> >>>>>>>>> Date: Fri, Feb 15, 2019 at 3:01 PM >>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway >>>>>>>>> To: Chamod Samarajeewa <[email protected]> >>>>>>>>> Cc: Architecture Team <[email protected]>, APIM Team < >>>>>>>>> [email protected]> >>>>>>>>> >>>>>>>>> >>>>>>>>> Chamod, this email should be sent to [email protected]. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> NuwanD. >>>>>>>>> >>>>>>>>> On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa < >>>>>>>>> [email protected]> wrote: >>>>>>>>> >>>>>>>>>> Hi All, >>>>>>>>>> >>>>>>>>>> I have included the information in the Github issue here as well. >>>>>>>>>> >>>>>>>>>> *Requirements* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Provide authentication for APIM Gateway with basic authentication >>>>>>>>>> which uses usernames and passwords. >>>>>>>>>> >>>>>>>>>> *Introduction* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Providing feature of enabling basic authentication security >>>>>>>>>> schema to product APIM Gateway along with OAuth2 token-based >>>>>>>>>> authentication. The user will be benefited with using only OAuth2 >>>>>>>>>> token >>>>>>>>>> based authentication alone, using basic authentication alone and >>>>>>>>>> using both >>>>>>>>>> schemas at the same time. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *Approach* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [image: Basic Auth - APIM-GW-2.jpg] >>>>>>>>>> >>>>>>>>>> curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu"; >>>>>>>>>> -H "accept: application/json" -H "Authorization: Basic $(echo -n >>>>>>>>>> username:password | base64)" >>>>>>>>>> >>>>>>>>>> The API Authentication Handler will forward the request to Basic >>>>>>>>>> Auth Authenticator or OAuth Authenticator based on the authorization >>>>>>>>>> header >>>>>>>>>> of the request. >>>>>>>>>> >>>>>>>>>> Thank you. Regards. >>>>>>>>>> >>>>>>>>>> On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> Hi All, >>>>>>>>>>> >>>>>>>>>>> I'm working on developing a new feature for APIM Gateway to >>>>>>>>>>> provide Basic Authentication support. You can find the details in >>>>>>>>>>> the >>>>>>>>>>> following Github issue [1]. >>>>>>>>>>> >>>>>>>>>>> I would really appreciate any feedback. Thank you. >>>>>>>>>>> >>>>>>>>>>> Best regards, >>>>>>>>>>> Chamod. >>>>>>>>>>> >>>>>>>>>>> [1] - https://github.com/wso2/carbon-apimgt/issues/5986 >>>>>>>>>>> -- >>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]> >>>>>>>>>>> GET INTEGRATION AGILE >>>>>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]> >>>>>>>>>> GET INTEGRATION AGILE >>>>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> *Nuwan Dias* | Director | WSO2 Inc. >>>>>>>>> (m) +94 777 775 729 | (e) [email protected] >>>>>>>>> [image: Signature.jpg] >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]> >>>>>>>>> GET INTEGRATION AGILE >>>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> >>>>>>>> *Harsha Kumara* >>>>>>>> >>>>>>>> Associate Technical Lead, WSO2 Inc. >>>>>>>> Mobile: +94775505618 >>>>>>>> Email: [email protected] >>>>>>>> Blog: harshcreationz.blogspot.com >>>>>>>> >>>>>>>> GET INTEGRATION AGILE >>>>>>>> Integration Agility for Digitally Driven Business >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]> >>>>>>> GET INTEGRATION AGILE >>>>>>> Integration Agility for Digitally Driven Business >>>>>>> _______________________________________________ >>>>>>> Architecture mailing list >>>>>>> [email protected] >>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> >>>>>> *Harsha Kumara* >>>>>> >>>>>> Associate Technical Lead, WSO2 Inc. >>>>>> Mobile: +94775505618 >>>>>> Email: [email protected] >>>>>> Blog: harshcreationz.blogspot.com >>>>>> >>>>>> GET INTEGRATION AGILE >>>>>> Integration Agility for Digitally Driven Business >>>>>> _______________________________________________ >>>>>> Architecture mailing list >>>>>> [email protected] >>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>> >>>>> >>>>> >>>>> -- >>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>>> (m) +94710397382 | Email: [email protected] <[email protected]> >>>>> GET INTEGRATION AGILE >>>>> Integration Agility for Digitally Driven Business >>>>> >>>> >>>> >>>> -- >>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc. >>>> (m) +94710397382 | Email: [email protected] <[email protected]> >>>> GET INTEGRATION AGILE >>>> Integration Agility for Digitally Driven Business >>>> >>> >>> >>> -- >>> *Nuwan Dias* | Director | WSO2 Inc. >>> (m) +94 777 775 729 | (e) [email protected] >>> [image: Signature.jpg] >>> _______________________________________________ >>> Architecture mailing list >>> [email protected] >>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>> >> _______________________________________________ >> Architecture mailing list >> [email protected] >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> > > > -- > *Rajith Roshan* | Senior Software Engineer | WSO2 Inc. > (m) +94-717-064-214 | (e) [email protected] <[email protected]> > > <https://wso2.com/signature> > _______________________________________________ > Architecture mailing list > [email protected] > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > -- Chamod Samarajeewa | Software Engineer | WSO2 Inc. (m) +94710397382 | Email: [email protected] <[email protected]> GET INTEGRATION AGILE Integration Agility for Digitally Driven Business
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
