Basic authentication for the APIs is a frequently requested functionality
in the API-M. And as Johann and Chanaka have mentioned, throttling and
analytics shouldn't be overlooked when basic authentication is used.

When basic auth is used with OAuth2 there's no issue with this. My view on
this is not to look for a backchannel way around this problem to achieve
throttling somehow, such as by forcing the clients to send the client id and
secret in addition to the username and password, or by internally generating
an access token. Instead, can't we have a simple throttling scheme
independent of the token, at least for basic auth? Of course, in this way
not all throttling features will be usable, such as subscription level
throttling. But in this way, we won't be losing everything.

On Mon, May 27, 2019 at 10:21 AM Chanaka Fernando <chana...@wso2.com> wrote:

> Hi Chamod/All,
>
> As Johann pointed out, one of the key usages of this basic authentication
> handler would be to support legacy applications which do not need to change
> their implementations because there is an API Management layer introduced.
> In this type of scenario, just validating the credentials won't be enough
> if we don't support throttling and analytics for these users.
>
> What if we improve the basic authentication handler to generate an access
> token using password grant type with a common client_id for all the
> requests which are coming with basic authentication and pass that token to
> the subsequent handlers?
>
> Thanks,
> Chanaka
>
> On Wed, Mar 27, 2019 at 1:33 PM Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> [+Roberto Monteiro <robe...@wso2.com>,+Fabio Gonçalves <fa...@wso2.com>,+Joao
>> Emilio <j...@wso2.com>]
>>
>> On Wed, Mar 13, 2019 at 11:04 AM Chamod Samarajeewa <cha...@wso2.com>
>> wrote:
>>
>>> Hi Johann,
>>>
>>> 1. For clients who are willing to change the client side slightly, we
>>>> can use the following format:
>>>> *base64((base64(client_id:username)):base64(client_secret:password))*
>>>>
>>>
>>> The problem with having this kind of format is that the clients who really
>>> want the Basic Authentication support might be reluctant to change the
>>> logic in the code generating the basic auth header just to support the
>>> APIM Gateway. The customers who can change their logic would easily choose
>>> the OAuth support instead of using Basic Authentication.
>>>
>>> One option would be to allow users to send a custom header containing
>>> the client id, which requires a smaller logical change at their code level.
>>> Even this option would raise the need for dynamic headers to support
>>> multiple tenants as well, which is a considerable change.
>>>
>>> Best regards,
>>> Chamod.
>>>
>>> On Fri, Mar 8, 2019 at 2:33 PM Chamod Samarajeewa <cha...@wso2.com>
>>> wrote:
>>>
>>>> Are we caching the decision?
>>>>>
>>>>
>>>> Yes. We are hoping to use a caching mechanism.
>>>>
>>>> On Fri, Mar 8, 2019 at 2:29 PM Harsha Kumara <hars...@wso2.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 8, 2019 at 3:56 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Harsha,
>>>>>>
>>>>>> In the current implementation, we are not calling a token endpoint.
>>>>>> We directly validate basic auth credentials using the RemoteUserStoreManager
>>>>>> admin service. Therefore, no hardcoded consumer key and password are used.
>>>>>>
>>>>> Are we caching the decision?
>>>>>
>>>>>>
>>>>>> Best Regards,
>>>>>> Chamod.
>>>>>>
>>>>>> On Fri, Mar 8, 2019 at 2:18 PM Harsha Kumara <hars...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> can you share the current
>>>>>>> implementation details? In your basic authentication handler, I assume
>>>>>>> you are calling the token endpoint with a hard coded consumer key and
>>>>>>> password. We should be able to support Johann's suggestion with Option 1.
>>>>>>>
>>>>>>> On Fri, Mar 8, 2019 at 3:20 AM Harsha Kumara <hars...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Is your requirement to provide basic authentication via clientId
>>>>>>>> and clientSecret? For the microgateway, it will be required to validate
>>>>>>>> this by connecting to the key manager and bring the throttling
>>>>>>>> information etc., which will require another API. Else, at the micro
>>>>>>>> gateway it will be required to generate a token using the client id and
>>>>>>>> secret and resume the flow.
>>>>>>>>
>>>>>>>> On Fri, Mar 8, 2019 at 2:28 AM Johann Nallathamby <joh...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> *[sending this mail again because previous one wasn't copied to
>>>>>>>>> architecture@wso2.org <architecture@wso2.org>]*
>>>>>>>>>
>>>>>>>>> Hi Nuwan, Hi Harsha, Hi Chamod,
>>>>>>>>>
>>>>>>>>> An additional thought here. Most of the time, customers who ask
>>>>>>>>> for basic authentication support are the customers who need to support
>>>>>>>>> legacy external applications, I believe; not so much the internal
>>>>>>>>> applications. Because there can be many external parties, they cannot
>>>>>>>>> ask all those parties to change. For example, mobile apps that take
>>>>>>>>> username/password to be changed to OAuth2.
>>>>>>>>>
>>>>>>>>> In those cases it could also be useful to track all these
>>>>>>>>> "clients"; meaning applying throttling and analytics. If we go with
>>>>>>>>> only username/password I believe we can't get that capability, because
>>>>>>>>> our throttling and analytics are coupled to the OAuth2 client_id. Hence,
>>>>>>>>> can we provide the following improvements?
>>>>>>>>>
>>>>>>>>> 1. For clients who are willing to change the client side slightly,
>>>>>>>>> we can use the following format:
>>>>>>>>>
>>>>>>>>> *base64((base64(client_id:username)):base64(client_secret:password))*
>>>>>>>>> I am assuming our client_id and client_secret don't contain ":"
>>>>>>>>> (colons). There can be many ways of doing this. So it would be good if
>>>>>>>>> we can provide an extension point to extract the client credentials.
>>>>>>>>>
>>>>>>>>> 2. For clients who are not willing to change the client side at
>>>>>>>>> all, generate a blanket application from the gateway on first use of
>>>>>>>>> any such legacy application, to capture all such clients under one
>>>>>>>>> internal client_id, to apply analytics and throttling considering all
>>>>>>>>> those apps as one. I suppose this will at least separate the
>>>>>>>>> non-trusted apps from trusted apps, to minimize breaches.
>>>>>>>>>
>>>>>>>>> Thoughts?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Johann.
>>>>>>>>>
>>>>>>>>> On Tue, Mar 5, 2019 at 4:41 PM Chamod Samarajeewa <cha...@wso2.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------- Forwarded message ---------
>>>>>>>>>> From: Chamod Samarajeewa <cha...@wso2.com>
>>>>>>>>>> Date: Tue, Mar 5, 2019 at 4:35 PM
>>>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>>>>> To: Nadeesha Gamage <nadee...@wso2.com>
>>>>>>>>>> Cc: Harsha Kumara <hars...@wso2.com>, <architect...@wso2.com>,
>>>>>>>>>> Nuwan Dias <nuw...@wso2.com>, APIM Team <apim-gr...@wso2.com>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Nadeesha,
>>>>>>>>>>
>>>>>>>>>> How will this impact statistics? Will it be possible to get usage
>>>>>>>>>>> statistics even if they use basic authentication?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Yes, we can get the usage statistics using the username and the API.
>>>>>>>>>>
>>>>>>>>>>> I would also like to know when this feature would be available.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Within Q2 and Q3 time frame.
>>>>>>>>>>
>>>>>>>>>> Thank you. Best Regards.
>>>>>>>>>> Chamod.
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 5, 2019 at 3:32 PM Nadeesha Gamage <nadee...@wso2.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Chamod,
>>>>>>>>>>> I would also like to know when this feature would be available.
>>>>>>>>>>>
>>>>>>>>>>> Nadeesha
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 5, 2019 at 3:30 PM Nadeesha Gamage <
>>>>>>>>>>> nadee...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Chamod,
>>>>>>>>>>>> How will this impact statistics? Will it be possible to get
>>>>>>>>>>>> usage statistics even if they use basic authentication?
>>>>>>>>>>>>
>>>>>>>>>>>> Nadeesha
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <hars...@wso2.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Chamod,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can the user choose to expose an API with either OAuth or Basic
>>>>>>>>>>>>> authentication with this implementation?
>>>>>>>>>>>>>
>>>>>>>>>>>>> We need to provide basic authentication against the user store
>>>>>>>>>>>>> configured in the key manager, because most of the time the gateway
>>>>>>>>>>>>> won't share user stores. Please add local user store authentication
>>>>>>>>>>>>> support as well. We need to look for a possible caching mechanism
>>>>>>>>>>>>> for this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Since we do have mutual authentication as a security scheme,
>>>>>>>>>>>>> check the best way of providing the basic authentication.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Harsha
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <
>>>>>>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Adding architect...@wso2.com.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---------- Forwarded message ---------
>>>>>>>>>>>>>> From: Nuwan Dias <nuw...@wso2.com>
>>>>>>>>>>>>>> Date: Fri, Feb 15, 2019 at 3:01 PM
>>>>>>>>>>>>>> Subject: Re: Basic Authentication for APIM Gateway
>>>>>>>>>>>>>> To: Chamod Samarajeewa <cha...@wso2.com>
>>>>>>>>>>>>>> Cc: Architecture Team <architecture-t...@wso2.com>, APIM
>>>>>>>>>>>>>> Team <apim-gr...@wso2.com>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Chamod, this email should be sent to architecture@wso2.org.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> NuwanD.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <
>>>>>>>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have included the information in the Github issue here as
>>>>>>>>>>>>>>> well.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Requirements*
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Provide authentication for the APIM Gateway with basic
>>>>>>>>>>>>>>> authentication, which uses usernames and passwords.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Introduction*
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Providing the feature of enabling the basic authentication
>>>>>>>>>>>>>>> security scheme for the APIM Gateway product along with OAuth2
>>>>>>>>>>>>>>> token-based authentication. The user will benefit from being able
>>>>>>>>>>>>>>> to use OAuth2 token-based authentication alone, basic
>>>>>>>>>>>>>>> authentication alone, or both schemes at the same time.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Approach*
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [image: Basic Auth - APIM-GW-2.jpg]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu" \
>>>>>>>>>>>>>>>   -H "accept: application/json" \
>>>>>>>>>>>>>>>   -H "Authorization: Basic $(echo -n username:password | base64)"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The API Authentication Handler will forward the request to the
>>>>>>>>>>>>>>> Basic Auth Authenticator or the OAuth Authenticator based on the
>>>>>>>>>>>>>>> Authorization header of the request.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you. Regards.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa <
>>>>>>>>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm working on developing a new feature for APIM Gateway to
>>>>>>>>>>>>>>>> provide Basic Authentication support. You can find the details
>>>>>>>>>>>>>>>> in the following Github issue [1].
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I would really appreciate any feedback. Thank you.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>>>> Chamod.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [1] - https://github.com/wso2/carbon-apimgt/issues/5986
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com
>>>>>>>>>>>>>>>> <dimi...@wso2.com>
>>>>>>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> *Nuwan Dias* | Director | WSO2 Inc.
>>>>>>>>>>>>>> (m) +94 777 775 729 | (e) nuw...@wso2.com
>>>>>>>>>>>>>> [image: Signature.jpg]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>>>>>
>>>>>>>>>>>>> Associate Technical Lead, WSO2 Inc.
>>>>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>>>>> Email: hars...@wso2.coim
>>>>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Nadeesha Gamage
>>>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>>>> T : +94 77 394 5706
>>>>>>>>>>>> B : https://nadeesha678.wordpress.com/
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> Architecture@wso2.org
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions
>>>>>>>>> Architect | WSO2 Inc.
>>>>>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>>>>>>>>> [image: Signature.jpg]
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Thank you and Best Regards,
> Chanaka Fernando
> Associate Director/ Solutions Architect
> m: +94 773337238
> twitter: @chanakaudaya
> linkedIn: https://www.linkedin.com/in/chanaka-fernando-5b0a2019/
> https://wso2.com <https://wso2.com/signature>
>
>
>
>
>
>
>


-- 
Shazni Nazeer | Senior Lead Solutions Engineer | WSO2 Inc.
(m) +94 777737331 | (e) sha...@wso2.com

<https://wso2.com/signature>
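As an added illustration (not code from this thread or from the WSO2 gateway), the following shows how a Basic Auth authenticator could extract the client_id that throttling and analytics key on from both forms discussed above: Johann's composite format (option 1) and the unchanged username:password form mapped to one blanket internal application (option 2), behind the scheme-based dispatch Chamod's approach describes. APPLICATIONS, USERS and BLANKET_CLIENT_ID are constructed stand-ins for the key manager's application registry and user store, and a composite credential is only honoured when its client_id is a registered application, so a plain username that happens to be valid base64 still falls back to option 2.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass
# Constructed sample data standing in for the key manager's app registry and the user
# store behind RemoteUserStoreManager (not WSO2 project data).
APPLICATIONS = {"app-client-123": "app-secret-xyz"}
USERS = {"alice": "s3cret"}
BLANKET_CLIENT_ID = "legacy-basic-auth-app"  # option 2: one internal app for unchanged clients

@dataclass
class AuthContext:
    authenticator: str      # "basic" or "oauth": which authenticator takes over
    username: str = ""
    client_id: str = ""     # the key throttling and analytics are coupled to

def b64_text(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def _b64(s: str) -> str:
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as e:
        raise ValueError("malformed base64 in Authorization header") from e

def _check(store: dict, key: str, secret: str) -> bool:
    expected = store.get(key, "")   # constant-time compare; a real store holds hashes
    return bool(expected) and hmac.compare_digest(expected.encode(), secret.encode())

def parse_basic(credentials: str) -> AuthContext:
    # Option 1: base64(base64(client_id:username):base64(client_secret:password)) with no
    # ':' in client_id/secret; option 2 fallback: base64(username:password) -> blanket app.
    left, sep, right = _b64(credentials).partition(":")
    if not sep:
        raise ValueError("Basic credential must contain ':'")
    try:
        client_id, _, username = _b64(left).partition(":")
        client_secret, _, password = _b64(right).partition(":")
    except ValueError:             # halves are not base64 text: plain username:password
        client_id = None
    if client_id in APPLICATIONS:  # option 1 is only honoured for a registered app
        if not (_check(APPLICATIONS, client_id, client_secret) and _check(USERS, username, password)):
            raise PermissionError("invalid client or user credentials")
        return AuthContext("basic", username, client_id)
    if not _check(USERS, left, right):
        raise PermissionError("invalid user credentials")
    return AuthContext("basic", left, BLANKET_CLIENT_ID)

def route(authorization_header: str) -> AuthContext:
    scheme, _, value = authorization_header.strip().partition(" ")
    if scheme.lower() == "bearer":
        return AuthContext("oauth")      # the OAuth authenticator validates the token
    if scheme.lower() == "basic":
        return parse_basic(value.strip())
    raise ValueError("unsupported Authorization scheme: " + scheme)
```

A ValueError maps to a 400 response and a PermissionError to a 401; the returned client_id is what the throttling and analytics handlers downstream would consume.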
