On Tue, Mar 5, 2019 at 5:56 PM Johann Nallathamby <[email protected]> wrote:
> Also a related to question to this: > The latest version of IS supports service provider wise certificate > uploading for mutual TLS authentication and private key JWT authentication. > So I guess if APIM uses that feature internally to manage the mapping > between OAuth2 client and certificates, throttling and analytics will work > seamlessly even without the need of OAuth2 access tokens. > > Again currently I think the story is a little disconnected between IS and > API Manager. We need to revisit the full story here and fill the gaps. > 1. What IS have implemented is mutual TLS and private key JWT > authentication for token endpoint, which is what it hosts. > 2. API Manager has to implement securing APIs with mutual TLS and private > key JWT. > 3. Both will internally use the IS service provider certificate mapping > feature of IS. > +1 for supporting both authentication methods. In this case, does the APIM gateway use a separate gateway specific certificate to establish mutual TLS connection with KM? If we want to use the same client certificate for this connection, do we have to provide both private and public keys of the client to the gateway? > > Then the full story is complete I suppose. > > Any thoughts? > > [1] "[Architecture] OAuth clients based on a trusted CA" in > [email protected] > > Thanks & Regards, > Johann. > > On Tue, Mar 5, 2019 at 3:26 PM Johann Nallathamby <[email protected]> wrote: > >> APIM Team, >> >> In API Manager it seems like if we check the option to secure APIs using >> Mutual TLS security AND OAuth2 security for APIs, API Manager checks if >> either of the mechanisms are in place. There is no way to enforce both on >> an API. There are good number of customers who want to enforce both at the >> same time for APIs, for additional security. Naturally Mutual TLS is more >> secure than OAuth2 tokens, however for throttling and analytics to work we >> need to enforce OAuth2 as well. Otherwise customers could bypass throttling >> and analytics. >> >> I would have thought ticking both checkboxes means both have to be >> enforced. Isn't that a more reasonable behavior? Can we support both 'AND' >> and 'OR'? >> >> Thanks & Regards, >> Johann. >> >> -- >> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | >> WSO2 Inc. >> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected] >> [image: Signature.jpg] >> > > > -- > *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | > WSO2 Inc. > (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected] > [image: Signature.jpg] >
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
