Hi Johann,

> 1. For clients who are willing to change the client side slightly, we can
> use the following format:
> *base64((base64(client_id:username)):base64(client_secret:password))*

The problem of having this kind of format is that the clients who really want the Basic Authentication support might be reluctant to change the logic in the code generating the basic auth header just to support APIM-Gateway. The customers who can change their logic would easily choose the OAuth support instead of using Basic Authentication. One option would be to allow users to send a custom header containing the client id, which requires a lesser logical change at their code level. Even this option will raise the need for dynamic headers to support multi-tenants as well, which is a considerable change.

Best regards,
Chamod.

On Fri, Mar 8, 2019 at 2:33 PM Chamod Samarajeewa <[email protected]> wrote:
>> Are we caching the decision?
>
> Yes. We are hoping to use a caching mechanism.
>
> On Fri, Mar 8, 2019 at 2:29 PM Harsha Kumara <[email protected]> wrote:
>> On Fri, Mar 8, 2019 at 3:56 AM Chamod Samarajeewa <[email protected]> wrote:
>>> Hi Harsha,
>>>
>>> In the current implementation, we are not calling a token endpoint. We directly validate basic auth credentials using RemoteUserStoreManager admin service. Therefore, no hardcoded consumer key and password is used.
>>
>> Are we caching the decision?
>>
>>> Best Regards,
>>> Chamod.
>>>
>>> On Fri, Mar 8, 2019 at 2:18 PM Harsha Kumara <[email protected]> wrote:
>>>> @Chamod Samarajeewa <[email protected]> can you share current implementation details? In your basic authentication handler, I assume you are calling the token endpoint with a hard coded consumer key and password. We should be able to support Johann's suggestion with Option 1.
>>>>
>>>> On Fri, Mar 8, 2019 at 3:20 AM Harsha Kumara <[email protected]> wrote:
>>>>> Is your requirement to provide basic authentication via clientId and clientSecret? For the microgateway, it will be required to validate this by connecting to the key manager and bring the throttling information etc., which will require another API. Else at micro gateway it will be required to generate a token using client id and secret and resume the flow.
>>>>>
>>>>> On Fri, Mar 8, 2019 at 2:28 AM Johann Nallathamby <[email protected]> wrote:
>>>>>> *[sending this mail again because previous one wasn't copied to [email protected]]*
>>>>>>
>>>>>> Hi Nuwan, Hi Harsha, Hi Chamod,
>>>>>>
>>>>>> An additional thought here. Most of the times customers who ask for basic authentication support are the customers who need to support legacy external applications I believe; not so much the internal applications. Because there can be many external parties and they cannot ask all those parties to change. For example, mobile apps that take username/password to be changed to OAuth2.
>>>>>>
>>>>>> In those cases it could also be useful to track all these "clients"; meaning applying throttling and analytics. If we go with only username/password I believe we can't get that capability, because our throttling and analytics is coupled to OAuth2 client_id. Hence can we provide the following improvements.
>>>>>>
>>>>>> 1. For clients who are willing to change the client side slightly, we can use the following format:
>>>>>> *base64((base64(client_id:username)):base64(client_secret:password))*
>>>>>> I am assuming our client_id and client_secret doesn't contain ":" (colons). There can be many ways of doing this. So good if we can provide an extension point to extract the client credentials.
>>>>>>
>>>>>> 2. For clients who are not willing to change the client side at all, generate a blanket application from the gateway on first use of any such legacy application, to capture all such clients under one internal client_id, to apply analytics and throttling considering all those apps as one. I suppose this will at least separate the non-trusted apps from trusted apps, to minimize breaches.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> Regards,
>>>>>> Johann.
>>>>>>
>>>>>> On Tue, Mar 5, 2019 at 4:41 PM Chamod Samarajeewa <[email protected]> wrote:
>>>>>>> ---------- Forwarded message ---------
>>>>>>> From: Chamod Samarajeewa <[email protected]>
>>>>>>> Date: Tue, Mar 5, 2019 at 4:35 PM
>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>> To: Nadeesha Gamage <[email protected]>
>>>>>>> Cc: Harsha Kumara <[email protected]>, <[email protected]>, Nuwan Dias <[email protected]>, APIM Team <[email protected]>
>>>>>>>
>>>>>>> Hi Nadeesha,
>>>>>>>
>>>>>>>> How will this impact statistics? Will it be possible to get usage statistics even if they use basic authentication?
>>>>>>>
>>>>>>> Yes, can get the usage statistics using the username and the api.
>>>>>>>
>>>>>>>> I would also like to know when this feature would be available.
>>>>>>>
>>>>>>> Within Q2 and Q3 time frame.
>>>>>>>
>>>>>>> Thank you. Best Regards.
>>>>>>> Chamod.
>>>>>>>
>>>>>>> On Tue, Mar 5, 2019 at 3:32 PM Nadeesha Gamage <[email protected]> wrote:
>>>>>>>> Hi Chamod,
>>>>>>>> I would also like to know when this feature would be available.
>>>>>>>>
>>>>>>>> Nadeesha
>>>>>>>>
>>>>>>>> On Tue, Mar 5, 2019 at 3:30 PM Nadeesha Gamage <[email protected]> wrote:
>>>>>>>>> Hi Chamod,
>>>>>>>>> How will this impact statistics? Will it be possible to get usage statistics even if they use basic authentication?
>>>>>>>>>
>>>>>>>>> Nadeesha
>>>>>>>>>
>>>>>>>>> On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>> Hi Chamod,
>>>>>>>>>>
>>>>>>>>>> Can user choose to expose API either OAuth or Basic authentication with this implementation?
>>>>>>>>>>
>>>>>>>>>> We need to provide basic authentication against user store configured in the key manager. Because most of the time, gateway won't share user stores. Please add the local user store authentication support as well. We need to look for possible caching mechanism for this.
>>>>>>>>>>
>>>>>>>>>> Since we do have mutual authentication as a security scheme, check the best way of providing the basic authentication.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Harsha
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <[email protected]> wrote:
>>>>>>>>>>> Adding [email protected].
>>>>>>>>>>>
>>>>>>>>>>> ---------- Forwarded message ---------
>>>>>>>>>>> From: Nuwan Dias <[email protected]>
>>>>>>>>>>> Date: Fri, Feb 15, 2019 at 3:01 PM
>>>>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>>>>>> To: Chamod Samarajeewa <[email protected]>
>>>>>>>>>>> Cc: Architecture Team <[email protected]>, APIM Team <[email protected]>
>>>>>>>>>>>
>>>>>>>>>>> Chamod, this email should be sent to [email protected].
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> NuwanD.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <[email protected]> wrote:
>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>
>>>>>>>>>>>> I have included the information in the Github issue here as well.
>>>>>>>>>>>>
>>>>>>>>>>>> *Requirements*
>>>>>>>>>>>>
>>>>>>>>>>>> Provide authentication for APIM Gateway with basic authentication which uses usernames and passwords.
>>>>>>>>>>>>
>>>>>>>>>>>> *Introduction*
>>>>>>>>>>>>
>>>>>>>>>>>> Providing feature of enabling basic authentication security schema to product APIM Gateway along with OAuth2 token-based authentication. The user will be benefited with using only OAuth2 token based authentication alone, using basic authentication alone and using both schemas at the same time.
>>>>>>>>>>>>
>>>>>>>>>>>> *Approach*
>>>>>>>>>>>>
>>>>>>>>>>>> [image: Basic Auth - APIM-GW-2.jpg]
>>>>>>>>>>>>
>>>>>>>>>>>> curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu" -H "accept: application/json" -H "Authorization: Basic $(echo -n username:password | base64)"
>>>>>>>>>>>>
>>>>>>>>>>>> The API Authentication Handler will forward the request to Basic Auth Authenticator or OAuth Authenticator based on the authorization header of the request.
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you. Regards.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa <[email protected]> wrote:
>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm working on developing a new feature for APIM Gateway to provide Basic Authentication support. You can find the details in the following Github issue [1].
>>>>>>>>>>>>>
>>>>>>>>>>>>> I would really appreciate any feedback. Thank you.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>> Chamod.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] - https://github.com/wso2/carbon-apimgt/issues/5986
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>>>>> (m) +94710397382 | Email: [email protected]
>>>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Nuwan Dias* | Director | WSO2 Inc.
>>>>>>>>>>> (m) +94 777 775 729 | (e) [email protected]
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>> Associate Technical Lead, WSO2 Inc.
>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>> Email: [email protected]
>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Nadeesha Gamage
>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>> T : +94 77 394 5706
>>>>>>>>> B : https://nadeesha678.wordpress.com/
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
>>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]

--
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [email protected]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
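The two technical pieces of the thread, Johann's nested `base64((base64(client_id:username)):base64(client_secret:password))` header layout and the scheme-based dispatch between the Basic Auth and OAuth authenticators that Chamod describes, as an added Python illustration. This is not code from the thread or from carbon-apimgt: the function names, the authenticator names in the dispatch table and the sample credentials are all assumptions made for the example. It follows Johann's stated assumption that `client_id` and `client_secret` contain no colon, while still allowing a colon in the password, and it rejects malformed headers without raising.

```python
"""Added example (not the APIM gateway's own code): the nested Basic-auth layout
proposed in the thread.

Client side:  Authorization: Basic base64( base64(client_id:username) ":" base64(client_secret:password) )
Gateway side: route on the auth scheme, then unpack the two inner credential pairs.
All names below are assumptions made for this illustration.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NestedCredentials:
    client_id: str
    client_secret: str
    username: str
    password: str


def encode_nested_basic(client_id: str, client_secret: str,
                        username: str, password: str) -> str:
    """What a slightly modified client would put in the Authorization header."""
    # Johann's assumption: client_id / client_secret never contain ':'. The
    # username and password may, because each inner pair is split on its first ':'.
    if ":" in client_id or ":" in client_secret:
        raise ValueError("client_id and client_secret must not contain ':'")
    left = base64.b64encode(f"{client_id}:{username}".encode("utf-8")).decode("ascii")
    right = base64.b64encode(f"{client_secret}:{password}".encode("utf-8")).decode("ascii")
    outer = base64.b64encode(f"{left}:{right}".encode("ascii")).decode("ascii")
    return f"Basic {outer}"


def _decode_b64_utf8(token: str) -> Optional[str]:
    """Strict base64 plus UTF-8 decode; None on any malformed input, never raises."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def select_authenticator(authorization: Optional[str]) -> Optional[str]:
    """The dispatch step from the thread: choose an authenticator from the scheme only.
    Returns a hypothetical authenticator name, or None for an unknown/missing scheme."""
    scheme = (authorization or "").strip().partition(" ")[0].lower()
    return {"basic": "BasicAuthAuthenticator", "bearer": "OAuthAuthenticator"}.get(scheme)


def parse_nested_basic(authorization: Optional[str]) -> Optional[NestedCredentials]:
    """Unpack the nested layout. None means 'not this format or malformed'.

    A plain username:password Basic header normally fails the inner base64 step
    and so also yields None, but that is not guaranteed for every input, so a
    gateway should know per API which layout to expect rather than sniff for it.
    """
    if select_authenticator(authorization) != "BasicAuthAuthenticator":
        return None
    token = authorization.strip().partition(" ")[2].strip()
    outer = _decode_b64_utf8(token)
    if outer is None:
        return None
    left_b64, sep, right_b64 = outer.partition(":")
    if not sep:
        return None
    left = _decode_b64_utf8(left_b64)
    right = _decode_b64_utf8(right_b64)
    if left is None or right is None:
        return None
    # Split each inner pair on its first ':' so passwords may contain colons.
    client_id, sep1, username = left.partition(":")
    client_secret, sep2, password = right.partition(":")
    if not (sep1 and sep2 and client_id and username and client_secret):
        return None
    return NestedCredentials(client_id, client_secret, username, password)


if __name__ == "__main__":
    # Constructed sample credentials, not real values.
    header = encode_nested_basic("app-client-id", "app-client-secret", "alice", "p:ss:word")
    print(header)
    print(parse_nested_basic(header))
```

The parser returns the four fields as data and leaves credential verification (user store lookup, client secret check, caching of the decision) to the caller, which keeps the format-extraction step separable, in the spirit of the extension point Johann asks for.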
