On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <[email protected]> wrote:

> Hi Johann,
>
> How about supporting 3rd party Key Manager generated JWT access tokens?
>> Will that work? 'jti' is an optional field as I remember. How would caching
>> be impacted in that case?
>>
>
> Good that you pointed that out. Then, we will have to use the whole token
> as the key to the cache entry.
>
3rd party KM doesn't know about the APIM subscription, and I don't think it
is possible to customize that at the IDP side. Other claims can be included
using customization or configuration.

>
> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <[email protected]> wrote:
>
>> Hi Chamod,
>>
>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <[email protected]>
>> wrote:
>>
>>> Hi Harsha,
>>>
>>> @Chamod Samarajeewa <[email protected]> Are we also going to implement
>>>> the revocation support as well as we already have the backend
>>>> implementation?
>>>
>>>
>>> Yes, we will.
>>>
>>
>> I hope we are planning to follow the same real-time and persistent
>> approach (with etc) similar to the microgateway for this. Or is there a
>> different plan?
>>
>>>
>>> Best regards.
>>>
>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <[email protected]> wrote:
>>>
>>>> @Chamod Samarajeewa <[email protected]> Are we also going to implement
>>>> the revocation support as well as we already have the backend
>>>> implementation?
>>>>
>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I'm currently working on developing a new feature to support JWT
>>>>> authentication for API Gateway.
>>>>> [image: JWT-Auth.jpg]
>>>>>
>>>>> *Approach*
>>>>> The API Authentication Handler will forward the request to the OAuth
>>>>> Authenticator. The OAuth Authenticator will then identify whether the
>>>>> token is of type OAuth or JWT. If a JWT token is found, the request will
>>>>> be passed to the JWT validator, which will be used to verify the token
>>>>> signature and populate the Authentication Context information.
>>>>>
>>>>> A sample payload of a JWT token, which is used to populate the
>>>>> Authentication Context:
>>>>>
>>>>> {
>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>   "sub": "[email protected]",
>>>>>   "application": {
>>>>>     "owner": "admin",
>>>>>     "tier": "Unlimited",
>>>>>     "name": "DefaultApplication",
>>>>>     "id": 1
>>>>>   },
>>>>>   "scope": "am_application_scope default",
>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>   "keytype": "PRODUCTION",
>>>>>   "subscribedAPIs": [
>>>>>     {
>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>       "name": "PizzaShackAPI",
>>>>>       "context": "/pizzashack/1.0.0",
>>>>>       "publisher": "admin",
>>>>>       "version": "1.0.0",
>>>>>       "subscriptionTier": "Gold"
>>>>>     }
>>>>>   ],
>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>   "exp": 1561701126,
>>>>>   "iat": 1561697526,
>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>> }
>>>>>
>>>>> We are hoping to use the same caches used for OAuth tokens to store
>>>>> the JWT tokens as well. In that scenario, the payload will be stored as a
>>>>> JSONObject in the cache as the value and the key will be the "jti" value
>>>>> (Unique identifier of the token) of the token.
>>>>>
>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>  - retrieve the missing information in the payload of JWT token such
>>>>> as "API tier"
>>>>>  - retrieve scopes bound to the resource for scope validation
>>>>>
>>>>> The related Git issue can be found here [1]. I would really appreciate
>>>>> any feedback. Thank you.
>>>>>
>>>>> Best regards,
>>>>> Chamod.
>>>>>
>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>
>>>>> --
>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>> (m) +94710397382 | Email: [email protected] <[email protected]>
>>>>> GET INTEGRATION AGILE
>>>>> Integration Agility for Digitally Driven Business
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Harsha Kumara*
>>>>
>>>> Technical Lead, WSO2 Inc.
>>>> Mobile: +94775505618
>>>> Email: [email protected]
>>>> Blog: harshcreationz.blogspot.com
>>>>
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>> Mobile : +94772338839 | [email protected]
>>
>>
>>
>
>


-- 
Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
(m) +94711822074 | (w) +94112145345 | Email: [email protected]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
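The token-type check, signature and expiry validation, and cache-key derivation discussed in this thread, as an added Python example that is not WSO2's code. It assumes an HS256 shared secret (constructed here so it runs offline) where the real gateway would verify the Key Manager's signature with its public key, and it falls back to a SHA-256 digest of the whole token as the cache key when 'jti' is absent, as Chamod proposed for 3rd party Key Manager tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. The design above would verify the Key Manager's
# RS256 signature with its public key; HS256 keeps this example self-contained.
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token for the example (the Key Manager's job, not the gateway's)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def is_jwt(token: str) -> bool:
    """OAuth Authenticator step: opaque reference tokens have no dots, JWS compact form has two."""
    return token.count(".") == 2

def validate_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """JWT validator step: verify signature and expiry before trusting any claim."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose a weaker algorithm
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def cache_key(token: str, claims: dict) -> str:
    """Key for the shared token cache: 'jti' when present, else a digest of the whole token."""
    jti = claims.get("jti")
    return f"jti:{jti}" if jti else "tok:" + hashlib.sha256(token.encode()).hexdigest()
```

Only claims returned by validate_jwt should ever reach cache_key or the Authentication Context; the digest fallback keeps the raw bearer token out of the cache's key space.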
