[+Roberto Monteiro <[email protected]>,+Fabio Gonçalves <[email protected]>,+Joao
Emilio <[email protected]>]

On Wed, Mar 13, 2019 at 11:04 AM Chamod Samarajeewa <[email protected]> wrote:

> Hi Johann,
>
> 1. For clients who are willing to change the client side slightly, we can
>> use the following format:
>> *base64((base64(client_id:username)):base64(client_secret:password))*
>>
>
> The problem of having this kind of format is that the clients who really
> want the Basic Authentication support might be reluctant to change the
> logic in the code generating the basic auth header just to support
> APIM-Gateway. The customers who can change their logic would easily choose
> the OAuth support instead of using Basic Authentication.
>
> One option would be to allow users to send a custom header containing the
> client id which requires a lesser logical change at their code level. Even
> this option will raise the need for dynamic headers to support
> multi-tenants as well, which is a considerable change.
>
> Best regards,
> Chamod.
>
> On Fri, Mar 8, 2019 at 2:33 PM Chamod Samarajeewa <[email protected]> wrote:
>
>> Are we caching the decision?
>>>
>>
>> Yes. We are hoping to use a caching mechanism.
>>
>> On Fri, Mar 8, 2019 at 2:29 PM Harsha Kumara <[email protected]> wrote:
>>
>>>
>>>
>>> On Fri, Mar 8, 2019 at 3:56 AM Chamod Samarajeewa <[email protected]>
>>> wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>> In the current implementation, we are not calling a token endpoint. We
>>>> directly validate basic auth credentials using RemoteUserStoreManager admin
>>>> service. Therefore, no hardcoded consumer key and password is used.
>>>>
>>> Are we caching the decision?
>>>
>>>>
>>>> Best Regards,
>>>> Chamod.
>>>>
>>>> On Fri, Mar 8, 2019 at 2:18 PM Harsha Kumara <[email protected]> wrote:
>>>>
>>>>> @Chamod Samarajeewa <[email protected]> can you share the current
>>>>> implementation details? In your basic authentication handler, I assume you
>>>>> are calling the token endpoint with a hard-coded consumer key and password.
>>>>> We should be able to support Johann's suggestion with Option 1.
>>>>>
>>>>> On Fri, Mar 8, 2019 at 3:20 AM Harsha Kumara <[email protected]> wrote:
>>>>>
>>>>>> Is your requirement to provide basic authentication via clientId
>>>>>> and clientSecret? For the microgateway, it will be required to validate
>>>>>> this by connecting to the key manager and bring the throttling information
>>>>>> etc., which will require another API. Else at the micro gateway it will be
>>>>>> required to generate a token using clientId and secret and resume the
>>>>>> flow.
>>>>>>
>>>>>> On Fri, Mar 8, 2019 at 2:28 AM Johann Nallathamby <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> *[sending this mail again because previous one wasn't copied to
>>>>>>> [email protected] <[email protected]>]*
>>>>>>>
>>>>>>> Hi Nuwan, Hi Harsha, Hi Chamod,
>>>>>>>
>>>>>>> An additional thought here. Most of the times customers who ask for
>>>>>>> basic authentication support are the customers who need to support 
>>>>>>> legacy
>>>>>>> external applications I believe; not so much the internal applications.
>>>>>>> Because, there can be many external parties and they cannot ask all 
>>>>>>> those
>>>>>>> parties to change. For example, mobile apps that take username/password
>>>>>>> to be changed to OAuth2.
>>>>>>>
>>>>>>> In those cases it could be also useful to track all these "clients";
>>>>>>> meaning applying throttling and analytics. If we go with only
>>>>>>> username/password I believe we can't get that capability, because our
>>>>>>> throttling and analytics is coupled to OAuth2 client_id. Hence can we
>>>>>>> provide the following improvements.
>>>>>>>
>>>>>>> 1. For clients who are willing to change the client side slightly,
>>>>>>> we can use the following format:
>>>>>>> *base64((base64(client_id:username)):base64(client_secret:password))*
>>>>>>> I am assuming our client_id and client_secret don't contain ":"
>>>>>>> (colons). There can be many ways of doing this. So good if we can 
>>>>>>> provide
>>>>>>> an extension point to extract the client credentials.
>>>>>>>
>>>>>>> 2. For clients who are not willing to change the client side at all,
>>>>>>> generate a blanket application from the gateway on first use of any such
>>>>>>> legacy application, to capture all such clients under one internal
>>>>>>> client_id, to apply analytics and throttling considering all those apps 
>>>>>>> as
>>>>>>> one. I suppose this will at least separate the non-trusted apps from
>>>>>>> trusted apps, to minimize breaches.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Johann.
>>>>>>>
>>>>>>> On Tue, Mar 5, 2019 at 4:41 PM Chamod Samarajeewa <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------- Forwarded message ---------
>>>>>>>> From: Chamod Samarajeewa <[email protected]>
>>>>>>>> Date: Tue, Mar 5, 2019 at 4:35 PM
>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>>> To: Nadeesha Gamage <[email protected]>
>>>>>>>> Cc: Harsha Kumara <[email protected]>, <[email protected]>,
>>>>>>>> Nuwan Dias <[email protected]>, APIM Team <[email protected]>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Nadeesha,
>>>>>>>>
>>>>>>>> How will this impact statistics? Will it be possible to get usage
>>>>>>>>> statistics even if they use basic authentication?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Yes, we can get the usage statistics using the username and the API.
>>>>>>>>
>>>>>>>>> I would also like to know when this feature would be available.
>>>>>>>>
>>>>>>>>
>>>>>>>> Within Q2 and Q3 time frame.
>>>>>>>>
>>>>>>>> Thank you. Best Regards.
>>>>>>>> Chamod.
>>>>>>>>
>>>>>>>> On Tue, Mar 5, 2019 at 3:32 PM Nadeesha Gamage <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Chamod,
>>>>>>>>> I would also like to know when this feature would be available.
>>>>>>>>>
>>>>>>>>> Nadeesha
>>>>>>>>>
>>>>>>>>> On Tue, Mar 5, 2019 at 3:30 PM Nadeesha Gamage <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Chamod,
>>>>>>>>>> How will this impact statistics? Will it be possible to get usage
>>>>>>>>>> statistics even if they use basic authentication?
>>>>>>>>>>
>>>>>>>>>> Nadeesha
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Chamod,
>>>>>>>>>>>
>>>>>>>>>>> Can the user choose to expose an API with either OAuth or Basic
>>>>>>>>>>> authentication with this implementation?
>>>>>>>>>>>
>>>>>>>>>>> We need to provide basic authentication against the user store
>>>>>>>>>>> configured in the key manager, because most of the time the gateway
>>>>>>>>>>> won't share user stores. Please add the local user store authentication
>>>>>>>>>>> support as well. We need to look for a possible caching mechanism for this.
>>>>>>>>>>>
>>>>>>>>>>> Since we do have mutual authentication as a security scheme,
>>>>>>>>>>> check the best way of providing the basic authentication.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Harsha
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Adding [email protected].
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ---------- Forwarded message ---------
>>>>>>>>>>>> From: Nuwan Dias <[email protected]>
>>>>>>>>>>>> Date: Fri, Feb 15, 2019 at 3:01 PM
>>>>>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>>>>>>> To: Chamod Samarajeewa <[email protected]>
>>>>>>>>>>>> Cc: Architecture Team <[email protected]>, APIM Team <
>>>>>>>>>>>> [email protected]>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Chamod, this email should be sent to [email protected].
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> NuwanD.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have included the information in the Github issue here as
>>>>>>>>>>>>> well.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Requirements*
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Provide authentication for APIM Gateway with basic
>>>>>>>>>>>>> authentication which uses usernames and passwords.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Introduction*
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Providing a feature for enabling the basic authentication security
>>>>>>>>>>>>> scheme on the APIM Gateway product along with OAuth2 token-based
>>>>>>>>>>>>> authentication. The user will benefit from being able to use OAuth2
>>>>>>>>>>>>> token-based authentication alone, basic authentication alone, or both
>>>>>>>>>>>>> schemes at the same time.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Approach*
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [image: Basic Auth - APIM-GW-2.jpg]
>>>>>>>>>>>>>
>>>>>>>>>>>>> curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu" \
>>>>>>>>>>>>>   -H "accept: application/json" \
>>>>>>>>>>>>>   -H "Authorization: Basic $(echo -n username:password | base64)"
>>>>>>>>>>>>>
>>>>>>>>>>>>> The API Authentication Handler will forward the request to
>>>>>>>>>>>>> Basic Auth Authenticator or OAuth Authenticator based on the 
>>>>>>>>>>>>> authorization
>>>>>>>>>>>>> header of the request.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you. Regards.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa <
>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm working on developing a new feature for APIM Gateway to
>>>>>>>>>>>>>> provide Basic Authentication support. You can find the details 
>>>>>>>>>>>>>> in the
>>>>>>>>>>>>>> following Github issue [1].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I would really appreciate any feedback. Thank you.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>> Chamod.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] - https://github.com/wso2/carbon-apimgt/issues/5986
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]>
>>>>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> *Nuwan Dias* | Director | WSO2 Inc.
>>>>>>>>>>>> (m) +94 777 775 729 | (e) [email protected]
>>>>>>>>>>>> [image: Signature.jpg]
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>>>
>>>>>>>>>>> Associate Technical Lead, WSO2 Inc.
>>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>>> Email: [email protected]
>>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>>
>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Nadeesha Gamage
>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>> T : +94 77 394 5706
>>>>>>>>>> B : https://nadeesha678.wordpress.com/
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Architecture mailing list
>>>>>>>> [email protected]
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions
>>>>>>> Architect | WSO2 Inc.
>>>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>>>>>>> [image: Signature.jpg]
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>


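Johann's option 1 header format (base64 of "base64(client_id:username):base64(client_secret:password)") and the option 2 fallback of attributing unchanged legacy clients to one blanket application, as an added example that is not part of this thread or of WSO2's gateway code: a client-side encoder plus the gateway-side extraction, with the mode chosen explicitly per API. LEGACY_CLIENT_ID and every function name here are constructed placeholders.

```python
import base64
import binascii
from typing import NamedTuple, Optional

LEGACY_CLIENT_ID = "legacy-basic-auth-app"  # placeholder blanket-app client_id (constructed)

class BasicCredentials(NamedTuple):
    client_id: str
    client_secret: Optional[str]  # None for unchanged legacy clients (option 2)
    username: str
    password: str

def _b64(s: str) -> str:
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")  # reject stray characters
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed base64 in Authorization header") from exc

def _pair(s: str) -> tuple:
    # Split on the FIRST colon only; client_id/client_secret are assumed colon-free, so later colons belong to the username/password.
    left, sep, right = s.partition(":")
    if not sep:
        raise ValueError("expected a 'left:right' pair")
    return left, right

def parse_basic_authorization(header: str, embedded_client_credentials: bool) -> BasicCredentials:
    # The mode is configured per API rather than sniffed: a plain username:password can
    # itself be valid base64, so trial-decoding to detect option 1 would be ambiguous.
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    outer_left, outer_right = _pair(_b64(token.strip()))
    if not embedded_client_credentials:  # option 2: attribute to the shared blanket application
        return BasicCredentials(LEGACY_CLIENT_ID, None, outer_left, outer_right)
    # Option 1: base64(client_id:username) ":" base64(client_secret:password). The outer
    # split is unambiguous because the base64 alphabet never contains ':'.
    client_id, username = _pair(_b64(outer_left))
    client_secret, password = _pair(_b64(outer_right))
    return BasicCredentials(client_id, client_secret, username, password)

def build_basic_header(username: str, password: str, client_id: Optional[str] = None,
                       client_secret: Optional[str] = None) -> str:
    # Client-side encoder for both variants; used here to construct the sample headers.
    enc = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    if client_id is None:
        return "Basic " + enc(f"{username}:{password}")
    if client_secret is None or ":" in client_id or ":" in client_secret:
        raise ValueError("client_secret is required and client_id/client_secret must not contain ':'")
    return "Basic " + enc(f"{enc(client_id + ':' + username)}:{enc(client_secret + ':' + password)}")
```

Passwords containing colons survive the round trip because every split stops at the first colon; only client_id and client_secret carry the colon-free assumption from the proposal.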