Hi Harsha,

Another problem is, if we are going to support both hardcoded credentials
and normal OAuth2 access tokens, how do we restrict the clients who can use
hardcoded credentials? Can we block based on client IP? I think this will
also be an important question.

The option 1 I've proposed won't suffer from this problem either, because
we authenticate the client.

Regards,
Johann.

On Fri, Mar 8, 2019 at 2:18 PM Harsha Kumara <[email protected]> wrote:

> @Chamod Samarajeewa <[email protected]> can you share the current
> implementation details? In your basic authentication handler, I assume you are
> calling the token endpoint with a hard-coded consumer key and password. We should
> be able to support Johann's suggestion with Option 1.
>
> On Fri, Mar 8, 2019 at 3:20 AM Harsha Kumara <[email protected]> wrote:
>
>> Is your requirement to provide basic authentication via clientId and
>> clientSecret? For the microgateway, it will be required to validate this
>> by connecting to the key manager and bring back the throttling information
>> etc., which will require another API. Else, at the micro gateway it will be
>> required to generate a token using the clientId and secret and resume the flow.
>>
>> On Fri, Mar 8, 2019 at 2:28 AM Johann Nallathamby <[email protected]>
>> wrote:
>>
>>> *[sending this mail again because the previous one wasn't copied to
>>> [email protected]]*
>>>
>>> Hi Nuwan, Hi Harsha, Hi Chamod,
>>>
>>> An additional thought here. Most of the time, customers who ask for
>>> basic authentication support are, I believe, the customers who need to support
>>> legacy external applications, not so much the internal applications, because
>>> there can be many external parties and they cannot ask all those parties to
>>> change; for example, mobile apps that take username/password to be changed to
>>> OAuth2.
>>>
>>> In those cases it could also be useful to track all these "clients",
>>> meaning applying throttling and analytics. If we go with only
>>> username/password I believe we can't get that capability, because our
>>> throttling and analytics are coupled to the OAuth2 client_id. Hence, can we
>>> provide the following improvements?
>>>
>>> 1. For clients who are willing to change the client side slightly, we
>>> can use the following format:
>>> *base64((base64(client_id:username)):base64(client_secret:password))*
>>> I am assuming our client_id and client_secret don't contain ":"
>>> (colons). There can be many ways of doing this, so it would be good if we can
>>> provide an extension point to extract the client credentials.
>>>
>>> 2. For clients who are not willing to change the client side at all,
>>> generate a blanket application from the gateway on first use of any such
>>> legacy application, to capture all such clients under one internal
>>> client_id, to apply analytics and throttling considering all those apps as
>>> one. I suppose this will at least separate the non-trusted apps from
>>> trusted apps, to minimize breaches.
>>>
>>> Thoughts?
>>>
>>> Regards,
>>> Johann.
>>>
>>> On Tue, Mar 5, 2019 at 4:41 PM Chamod Samarajeewa <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Chamod Samarajeewa <[email protected]>
>>>> Date: Tue, Mar 5, 2019 at 4:35 PM
>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>> To: Nadeesha Gamage <[email protected]>
>>>> Cc: Harsha Kumara <[email protected]>, <[email protected]>, Nuwan
>>>> Dias <[email protected]>, APIM Team <[email protected]>
>>>>
>>>>
>>>> Hi Nadeesha,
>>>>
>>>>> How will this impact statistics? Will it be possible to get usage
>>>>> statistics even if they use basic authentication?
>>>>
>>>> Yes, we can get the usage statistics using the username and the API.
>>>>
>>>>> I would also like to know when this feature would be available.
>>>>
>>>> Within the Q2 and Q3 time frame.
>>>>
>>>> Thank you. Best regards.
>>>> Chamod.
>>>>
>>>> On Tue, Mar 5, 2019 at 3:32 PM Nadeesha Gamage <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Chamod,
>>>>> I would also like to know when this feature would be available.
>>>>>
>>>>> Nadeesha
>>>>>
>>>>> On Tue, Mar 5, 2019 at 3:30 PM Nadeesha Gamage <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Chamod,
>>>>>> How will this impact statistics? Will it be possible to get usage
>>>>>> statistics even if they use basic authentication?
>>>>>>
>>>>>> Nadeesha
>>>>>>
>>>>>> On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Chamod,
>>>>>>>
>>>>>>> Can the user choose to expose an API with either OAuth or Basic
>>>>>>> authentication with this implementation?
>>>>>>>
>>>>>>> We need to provide basic authentication against the user store configured
>>>>>>> in the key manager, because most of the time the gateway won't share user
>>>>>>> stores. Please add the local user store authentication support as well. We
>>>>>>> need to look for a possible caching mechanism for this.
>>>>>>>
>>>>>>> Since we do have mutual authentication as a security scheme, check
>>>>>>> the best way of providing the basic authentication.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Harsha
>>>>>>>
>>>>>>> On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Adding [email protected].
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------- Forwarded message ---------
>>>>>>>> From: Nuwan Dias <[email protected]>
>>>>>>>> Date: Fri, Feb 15, 2019 at 3:01 PM
>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>>> To: Chamod Samarajeewa <[email protected]>
>>>>>>>> Cc: Architecture Team <[email protected]>, APIM Team <
>>>>>>>> [email protected]>
>>>>>>>>
>>>>>>>>
>>>>>>>> Chamod, this email should be sent to [email protected].
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> NuwanD.
>>>>>>>>
>>>>>>>> On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I have included the information in the Github issue here as well.
>>>>>>>>>
>>>>>>>>> *Requirements*
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Provide authentication for APIM Gateway with basic authentication
>>>>>>>>> which uses usernames and passwords.
>>>>>>>>>
>>>>>>>>> *Introduction*
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Providing the feature of enabling the basic authentication security
>>>>>>>>> scheme in the APIM Gateway product along with OAuth2 token-based
>>>>>>>>> authentication. The user will benefit from being able to use OAuth2
>>>>>>>>> token-based authentication alone, basic authentication alone, or both
>>>>>>>>> schemes at the same time.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *Approach*
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [image: Basic Auth - APIM-GW-2.jpg]
>>>>>>>>>
>>>>>>>>> curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu" \
>>>>>>>>>   -H "accept: application/json" \
>>>>>>>>>   -H "Authorization: Basic $(echo -n username:password | base64)"
>>>>>>>>>
>>>>>>>>> The API Authentication Handler will forward the request to the Basic
>>>>>>>>> Auth Authenticator or the OAuth Authenticator based on the Authorization
>>>>>>>>> header of the request.
>>>>>>>>>
>>>>>>>>> Thank you. Regards.
>>>>>>>>>
>>>>>>>>> On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I'm working on developing a new feature for APIM Gateway to
>>>>>>>>>> provide Basic Authentication support. You can find the details in the
>>>>>>>>>> following Github issue [1].
>>>>>>>>>>
>>>>>>>>>> I would really appreciate any feedback. Thank you.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Chamod.
>>>>>>>>>>
>>>>>>>>>> [1] - https://github.com/wso2/carbon-apimgt/issues/5986
>>>>>>>>>> --
>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]>
>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Nuwan Dias* | Director | WSO2 Inc.
>>>>>>>> (m) +94 777 775 729 | (e) [email protected]
>>>>>>>> [image: Signature.jpg]
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *Harsha Kumara*
>>>>>>>
>>>>>>> Associate Technical Lead, WSO2 Inc.
>>>>>>> Mobile: +94775505618
>>>>>>> Email: [email protected]
>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>
>>>>>>> GET INTEGRATION AGILE
>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Nadeesha Gamage
>>>>>> Senior Lead Solutions Engineer
>>>>>> T : +94 77 394 5706
>>>>>> B : https://nadeesha678.wordpress.com/
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>
>>>
>>> --
>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect
>>> | WSO2 Inc.
>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>>> [image: Signature.jpg]
>>>
>>
>>
>
>


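The three mechanisms the thread discusses, as an added example that is not code from the thread or from WSO2 API Manager: the client-side encoding and gateway-side parsing of Johann's combined Basic format (option 1), the blanket internal client_id for unmodified legacy applications (option 2), and the handler that routes a request on its Authorization scheme, as in Chamod's approach. The user store, client registry, token table, the per-client `basic_auth_allowed` flag (one way to answer Johann's question of restricting which clients may use Basic credentials) and the `legacy-basic-clients` name are constructed stand-ins for what the key manager would hold; they are assumptions, not WSO2 data or configuration.

```python
"""Added example (not WSO2 code): combined Basic credentials (option 1), a blanket
client for legacy apps (option 2) and scheme-based dispatch. All stores are constructed."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Constructed stand-ins for what the key manager would hold (hypothetical data) ---
_SALT = b"constructed-static-salt"  # a real user store salts each entry separately

def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

# username -> password hash; alice's password deliberately contains a colon
USER_STORE = {"alice": _pbkdf2("correct horse:battery"), "bob": _pbkdf2("hunter2")}
# client_id -> (client_secret, basic_auth_allowed); the flag restricts which
# authenticated clients may present Basic credentials at all (Johann's concern)
CLIENT_REGISTRY = {"legacyMobileApp01": ("S3cretMobile", True),
                   "internalBatchJob": ("S3cretBatch", False)}
TOKEN_STORE = {"tok-abc123": "internalBatchJob"}  # opaque access token -> client_id
BLANKET_CLIENT_ID = "legacy-basic-clients"  # option 2: one internal client_id (placeholder)

@dataclass
class AuthResult:
    ok: bool
    scheme: str  # "oauth2", "basic-combined", "basic-legacy", or the rejected scheme
    client_id: Optional[str] = None
    username: Optional[str] = None
    reason: str = ""

def _b64e(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

def _b64d(s: str) -> str:
    # validate=True rejects characters outside the base64 alphabet instead of dropping them
    return base64.b64decode(s, validate=True).decode("utf-8")

def encode_combined_basic(client_id: str, client_secret: str, username: str, password: str) -> str:
    """Client side: Basic base64((base64(client_id:username)):base64(client_secret:password))."""
    id_part = _b64e(f"{client_id}:{username}")
    secret_part = _b64e(f"{client_secret}:{password}")
    return "Basic " + _b64e(f"{id_part}:{secret_part}")

def parse_combined_basic(value: str) -> Tuple[str, str, str, str]:
    """Gateway side. Raises ValueError when the value is not in the combined format."""
    id_part, sep, secret_part = _b64d(value).partition(":")
    # both halves are base64 strings, whose alphabet has no ':', so exactly one colon may appear
    if not sep or ":" in secret_part:
        raise ValueError("outer value is not two base64 strings joined by ':'")
    # client_id and client_secret are assumed colon-free (as in the thread); splitting once
    # from the left keeps any ':' inside the username or password intact
    client_id, sep1, username = _b64d(id_part).partition(":")
    client_secret, sep2, password = _b64d(secret_part).partition(":")
    if not (sep1 and sep2 and client_id and client_secret):
        raise ValueError("inner values lack a client identifier")
    return client_id, client_secret, username, password

def _verify_user(username: str, password: str) -> bool:
    candidate = _pbkdf2(password)  # hash even for unknown users to keep timing uniform
    stored = USER_STORE.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)

def _verify_client(client_id: str, client_secret: str) -> bool:
    entry = CLIENT_REGISTRY.get(client_id)
    return entry is not None and hmac.compare_digest(entry[0].encode(), client_secret.encode())

def authenticate(authorization: Optional[str]) -> AuthResult:
    """API Authentication Handler: dispatch on the Authorization scheme."""
    if not authorization:
        return AuthResult(False, "none", reason="missing Authorization header")
    scheme, _, value = authorization.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer":  # OAuth Authenticator; the table lookup stands in for the key manager
        client_id = TOKEN_STORE.get(value)
        return (AuthResult(True, "oauth2", client_id=client_id) if client_id
                else AuthResult(False, "oauth2", reason="invalid access token"))
    if scheme != "basic":
        return AuthResult(False, scheme, reason="unsupported scheme")
    try:  # option 1: client and user credentials combined in one Basic header
        client_id, client_secret, username, password = parse_combined_basic(value)
    except ValueError:  # option 2: unmodified legacy app sending plain username:password
        try:
            username, sep, password = _b64d(value).partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            sep = ""
        if not sep:
            return AuthResult(False, "basic-legacy", reason="malformed Basic credentials")
        if not _verify_user(username, password):
            return AuthResult(False, "basic-legacy", reason="bad user credentials")
        return AuthResult(True, "basic-legacy", client_id=BLANKET_CLIENT_ID, username=username)
    if not _verify_client(client_id, client_secret):
        return AuthResult(False, "basic-combined", client_id=client_id,
                          reason="client authentication failed")
    if not CLIENT_REGISTRY[client_id][1]:
        return AuthResult(False, "basic-combined", client_id=client_id,
                          reason="client not permitted to use Basic authentication")
    if not _verify_user(username, password):
        return AuthResult(False, "basic-combined", client_id=client_id, reason="bad user credentials")
    return AuthResult(True, "basic-combined", client_id=client_id, username=username)
```

Two design points follow from the thread. Splitting each inner part on its first colon only is what lets a password containing ":" survive, given Johann's assumption that client_id and client_secret contain none. The fall-through from the combined format to plain username:password relies on a plain credential failing base64 validation, which is a heuristic: the extension point Johann asks for, or a distinct scheme name for the combined form, would make the two shapes unambiguous rather than inferred.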