Hi All,

I'm currently working on developing a new feature to support JWT
authentication for API Gateway.
[image: JWT-Auth.jpg]

*Approach*
The API Authentication Handler will forward the request to the OAuth
Authenticator. The OAuth Authenticator will then identify whether the token
is of type OAuth or JWT. If a JWT token is found, the request will be passed
to the JWT validator, which will be used to verify the token signature and
populate the Authentication Context information.

A sample payload of a JWT token that is used to populate the Authentication
Context:

{
  "aud": "http://org.wso2.apimgt/gateway",
  "sub": "[email protected]",
  "application": {
    "owner": "admin",
    "tier": "Unlimited",
    "name": "DefaultApplication",
    "id": 1
  },
  "scope": "am_application_scope default",
  "iss": "https://localhost:9443/oauth2/token",
  "keytype": "PRODUCTION",
  "subscribedAPIs": [
    {
      "subscriberTenantDomain": "carbon.super",
      "name": "PizzaShackAPI",
      "context": "/pizzashack/1.0.0",
      "publisher": "admin",
      "version": "1.0.0",
      "subscriptionTier": "Gold"
    }
  ],
  "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
  "exp": 1561701126,
  "iat": 1561697526,
  "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
}

We are hoping to use the same caches used for OAuth tokens to store the JWT
tokens as well. In that scenario, the payload will be stored as a
JSONObject in the cache as the value, and the key will be the "jti" value
(the unique identifier of the token).

The swagger stored in the gateway as a local entry will be used to:
 - retrieve information missing from the JWT payload, such as the
"API tier"
 - retrieve the scopes bound to the resource for scope validation

The related Git issue can be found here [1]. I would really appreciate any
feedback. Thank you.

Best regards,
Chamod.

[1] - https://github.com/wso2/product-apim/issues/5115

-- 
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
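The flow proposed in the mail, worked through as an added example. This is not code from the mail or from the WSO2 gateway: it classifies a bearer token as opaque or JWT, validates the JWT, reuses a cache keyed by "jti", and fills in the API tier and resource scopes from a stand-in for the swagger local entry. Everything not in the mail is an assumption: the HS256 shared secret (the real gateway would check an RS256 signature against the issuer's public key), the `SWAGGER_LOCAL_ENTRY` layout and its `api_tier` field, the resource scopes, and the `sub` value in the sample payload. One caveat the code makes explicit: "jti" is attacker-controlled until the signature has been checked, so a cache entry is only reused when it was created from the exact token presented.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real gateway would verify the issuer's RS256
# signature with its public key; HS256 is used here so the example runs on the stdlib alone.
SECRET = b"example-gateway-shared-secret"
EXPECTED_ISS = "https://localhost:9443/oauth2/token"
EXPECTED_AUD = "http://org.wso2.apimgt/gateway"

# Stand-in for the swagger kept as a gateway local entry (field names are hypothetical).
SWAGGER_LOCAL_ENTRY = {"/pizzashack/1.0.0": {
    "api_tier": "Unlimited",
    "resources": {("GET", "/menu"): [], ("POST", "/order"): ["order_write"]}}}

TOKEN_CACHE = {}  # shared token cache keyed by "jti", as the proposal suggests

# Constructed payload following the sample in the mail (the subject is made up).
SAMPLE_PAYLOAD = {
    "aud": EXPECTED_AUD, "sub": "admin@carbon.super", "iss": EXPECTED_ISS,
    "application": {"owner": "admin", "tier": "Unlimited", "name": "DefaultApplication", "id": 1},
    "scope": "am_application_scope default", "keytype": "PRODUCTION",
    "subscribedAPIs": [{"subscriberTenantDomain": "carbon.super", "name": "PizzaShackAPI",
                        "context": "/pizzashack/1.0.0", "publisher": "admin",
                        "version": "1.0.0", "subscriptionTier": "Gold"}],
    "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a", "exp": 1561701126, "iat": 1561697526,
    "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_jwt(payload, secret=SECRET, alg="HS256"):
    """Mint a token as input for the example; alg="none" builds an unsigned forgery."""
    head = _b64url_encode(json.dumps({"alg": alg}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = b"" if alg == "none" else hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def is_jwt(token):
    """Classify the bearer token: three base64url segments whose first two decode to JSON objects."""
    parts = token.split(".")
    try:
        return len(parts) == 3 and all(isinstance(json.loads(_b64url_decode(p)), dict) for p in parts[:2])
    except ValueError:
        return False


def verify_jwt(token, now):
    """Check the signature and registered claims; raise ValueError on any failure."""
    head_b64, body_b64, sig_b64 = token.split(".")
    # Pin the algorithm instead of trusting the header: rejects "none" and key confusion.
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if (payload.get("iss") != EXPECTED_ISS or payload.get("aud") != EXPECTED_AUD
            or not isinstance(payload.get("jti"), str)):
        raise ValueError("bad iss, aud or jti")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def authenticate(token, api_context, verb, resource, now=None):
    """None for a non-JWT token (existing OAuth path), an auth context on success, ValueError on denial."""
    if not is_jwt(token):
        return None
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    jti = json.loads(_b64url_decode(token.split(".")[1])).get("jti")
    cached = TOKEN_CACHE.get(jti) if isinstance(jti, str) else None
    # "jti" is attacker-controlled until the signature is checked, so a cache entry is
    # reused only when it was created from this exact token and has not expired.
    hit = cached is not None and hmac.compare_digest(cached["digest"], digest) and cached["exp"] > now
    if hit:
        payload = cached["payload"]
    else:
        payload = verify_jwt(token, now)
        TOKEN_CACHE[payload["jti"]] = {"digest": digest, "exp": payload["exp"], "payload": payload}
    api = SWAGGER_LOCAL_ENTRY.get(api_context)
    sub = next((s for s in payload.get("subscribedAPIs", []) if s.get("context") == api_context), None)
    if api is None or sub is None:
        raise ValueError("not subscribed to this API")
    if (verb, resource) not in api["resources"]:
        raise ValueError("no such resource")
    if not set(api["resources"][(verb, resource)]) <= set(payload.get("scope", "").split()):
        raise ValueError("missing scope")
    return {"username": payload["sub"], "consumerKey": payload["consumerKey"],
            "keyType": payload["keytype"], "applicationName": payload["application"]["name"],
            "applicationTier": payload["application"]["tier"], "subscriptionTier": sub["subscriptionTier"],
            "apiTier": api["api_tier"],  # from the swagger; the token does not carry it
            "fromCache": hit}
```

Usage: `authenticate(sign_jwt(SAMPLE_PAYLOAD), "/pizzashack/1.0.0", "GET", "/menu", now=1561700000)` returns the populated context on the first call and the same context with `fromCache` set on the second; an `alg: none` forgery or a token signed with another key reuses the same "jti" but fails the digest comparison, so it goes through full verification and is rejected.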