Hi Chamod,

How about supporting 3rd party Key Manager generated JWT access tokens?
Will that work? 'jti' is an optional field as I remember. How would caching
be impacted in that case?

On Fri, Jun 28, 2019 at 10:47 AM Harsha Kumara <[email protected]> wrote:

>
>
> On Fri, Jun 28, 2019 at 10:43 AM Harsha Kumara <[email protected]> wrote:
>
>> @Chamod Samarajeewa <[email protected]> Are we also going to implement the
>> revocation support as well as we already have the backend implementation?
>>
>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> I'm currently working on developing a new feature to support JWT
>>> authentication for API Gateway.
>>> [image: JWT-Auth.jpg]
>>>
>>> *Approach*
>>> The API Authentication Handler will forward the request to OAuth
>>> Authenticator. Then the OAuth Authenticator will identify whether the token
>>> is of type OAuth or JWT. If a JWT token is found the request will be passed
>>> to the JWT validator which will be used to verify the token signature and
>>> populate the Authentication Context information.
>>>
>>> A sample payload of a JWT token, which is used to populate the
>>> Authentication Context:
>>>
>>> {
>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>   "sub": "[email protected]",
>>>   "application": {
>>>     "owner": "admin",
>>>     "tier": "Unlimited",
>>>     "name": "DefaultApplication",
>>>     "id": 1
>>>   },
>>>   "scope": "am_application_scope default",
>>>   "iss": "https://localhost:9443/oauth2/token",
>>>   "keytype": "PRODUCTION",
>>>   "subscribedAPIs": [
>>>     {
>>>       "subscriberTenantDomain": "carbon.super",
>>>       "name": "PizzaShackAPI",
>>>       "context": "/pizzashack/1.0.0",
>>>       "publisher": "admin",
>>>       "version": "1.0.0",
>>>       "subscriptionTier": "Gold"
>>>     }
>>>   ],
>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>   "exp": 1561701126,
>>>   "iat": 1561697526,
>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>> }
>>>
>>> We are hoping to use the same caches used for OAuth tokens to store the
>>> JWT tokens as well. In that scenario, the payload will be stored as a
>>> JSONObject in the cache as the value and the key will be the "jti" value
>>> (Unique identifier of the token) of the token.
>>>
>>
Do you mean you are going to cache only the JWT payload section in the
Gateway? And is this used for token validation or something else? If it's
used for token validation, how would that stop anyone from fabricating and
sending a JWT token with exact same 'jti' and payload?

Regards,
Johann.


>>> The swagger stored in the gateway as a local entry will be used to
>>>  - retrieve the missing information in the payload of JWT token such as
>>> "API tier"
>>>  - retrieve scopes bound to the resource for scope validation
>>>
>>> The related Git issue can be found here [1]. I would really appreciate
>>> any feedback. Thank you.
>>>
>>> Best regards,
>>> Chamod.
>>>
>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>
>>> --
>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>> (m) +94710397382 | Email: [email protected] <[email protected]>
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>>
>>
>>
>> --
>>
>> *Harsha Kumara*
>>
>> Technical Lead, WSO2 Inc.
>> Mobile: +94775505618
>> Email: [email protected]
>> Blog: harshcreationz.blogspot.com
>>
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>>
>
>
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: [email protected]
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
>


-- 
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
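The two concerns raised above, a gateway cache keyed only on "jti" accepting a re-sent token with the same jti and payload, and third-party key managers that omit "jti" altogether, can be exercised with the following added example. It is not code from the thread or from the WSO2 gateway: it uses a stdlib-only HS256 JWT with a constructed shared secret in place of the issuer's RS256 public key, and the class names NaiveJtiCache and TokenDigestCache are hypothetical. The naive cache mirrors the proposal (value = payload, key = jti); the hardened one keys on a digest of the whole compact token, so the cache key covers the signature and needs no jti.

```python
"""Gateway-side JWT cache: jti-keyed payload cache vs. token-digest cache.

Added example, not part of the WSO2 thread. HS256 with a constructed secret
stands in for the issuer's RS256 key; the cache-keying point is the same.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret standing in for the token issuer's signing key.
ISSUER_KEY = b"constructed-gateway-example-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload only if the signature checks out and 'exp' is in the future."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    payload = json.loads(_b64url_decode(body))
    if payload.get("exp", 0) <= (now if now is not None else int(time.time())):
        return None
    return payload


class NaiveJtiCache:
    """Mirrors the proposal: cache value = payload, cache key = 'jti'.

    After one genuine token warms the cache, any token carrying the same 'jti'
    is served from the cache without its signature ever being checked.
    """

    def __init__(self):
        self._cache = {}

    def authenticate(self, token: str, key: bytes, now: int) -> Optional[dict]:
        _header, body, _sig = token.split(".")
        jti = json.loads(_b64url_decode(body)).get("jti")
        if jti in self._cache:
            return self._cache[jti]  # cache hit: signature not verified on this path
        payload = verify_jwt(token, key, now)
        if payload is not None and jti is not None:
            self._cache[jti] = payload
        return payload


class TokenDigestCache:
    """Hardened variant: cache key = SHA-256 of the whole compact token.

    The digest covers header, payload and signature, so a token with the same
    claims but a different signature never hits the genuine entry, and tokens
    without a 'jti' (third-party key managers) still get a stable key.
    """

    def __init__(self):
        self._cache = {}

    def authenticate(self, token: str, key: bytes, now: int) -> Optional[dict]:
        cache_key = hashlib.sha256(token.encode()).hexdigest()
        hit = self._cache.get(cache_key)
        if hit is not None and hit["exp"] > now:
            return hit
        payload = verify_jwt(token, key, now)
        if payload is not None:
            self._cache[cache_key] = payload
        return payload


def demo(now: int = 1561697600) -> dict:
    """Genuine token first, then a token with identical claims but a bad signature."""
    claims = {"sub": "[email protected]", "jti": "constructed-jti-1",
              "exp": now + 3600, "application": {"tier": "Unlimited"}}
    genuine = sign_jwt(claims, ISSUER_KEY)
    not_from_issuer = sign_jwt(claims, b"constructed-wrong-key")
    naive, hardened = NaiveJtiCache(), TokenDigestCache()
    return {
        "naive_genuine": naive.authenticate(genuine, ISSUER_KEY, now) is not None,
        "naive_same_jti_bad_sig": naive.authenticate(not_from_issuer, ISSUER_KEY, now) is not None,
        "hardened_genuine": hardened.authenticate(genuine, ISSUER_KEY, now) is not None,
        "hardened_same_jti_bad_sig": hardened.authenticate(not_from_issuer, ISSUER_KEY, now) is not None,
    }
```

Running `demo()` shows the naive cache accepting the badly signed token once the genuine one has been cached, while the digest-keyed cache rejects it. Whatever the cache key, a cached entry should also be evicted on revocation and on expiry, as the digest cache does by re-checking `exp` on every hit.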
