On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <[email protected]>
wrote:

> I think we can make it optional.
> If the particular app (token) doesn't have any subscriptions, the APIM IDP
> will always send an empty subscribedAPIs array.
>  "subscribedAPIs": []
>
> That means there are no subscriptions for this app (token), hence we can
> fail the validation.
> If the subscribedAPIs element is not available at all, I think we can
> safely assume that the JWT is from a different IDP. If it is trusted, we
> can bypass subscription validation.
>
That's the approach we are already using in the MG as well.

> In some cases, subscription validation can be performed on the IDP side using
> scopes themselves. So I don't think bypassing the validation would be a big
> issue.
>
> Thanks!
>
>
> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <[email protected]>
> wrote:
>
>>
>>
>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <[email protected]>
>> wrote:
>>
>>> Hi Johann,
>>>
>>> How about supporting 3rd party Key Manager generated JWT access tokens?
>>>> Will that work? 'jti' is an optional field as I remember. How would caching
>>>> be impacted in that case?
>>>>
>>>
>>> Good that you pointed that out. Then we will have to use the whole
>>> token as the key to the cache entry.
>>>
>> A 3rd party KM doesn't know about the APIM subscriptions, and I don't think
>> it is possible to customize that at the IDP side. Other claims can be included
>> using customization or configuration.
>>
>>>
>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <[email protected]> wrote:
>>>
>>>> Hi Chamod,
>>>>
>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Harsha,
>>>>>
>>>>> @Chamod Samarajeewa <[email protected]> Are we also going to implement
>>>>>> the revocation support as well as we already have the backend
>>>>>> implementation?
>>>>>
>>>>>
>>>>> Yes, we will.
>>>>>
>>>>
>>>> I hope we are planning to follow the same real-time and persistent
>>>> approach (with etc) similar to the microgateway for this. Or is there a
>>>> different plan?
>>>>
>>>>>
>>>>> Best regards.
>>>>>
>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> @Chamod Samarajeewa <[email protected]> Are we also going to implement
>>>>>> the revocation support as well as we already have the backend
>>>>>> implementation?
>>>>>>
>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>>> authentication for API Gateway.
>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>
>>>>>>> *Approach*
>>>>>>> The API Authentication Handler will forward the request to the OAuth
>>>>>>> Authenticator. Then the OAuth Authenticator will identify whether the
>>>>>>> token is of type OAuth or JWT. If a JWT token is found, the request will
>>>>>>> be passed to the JWT validator, which will be used to verify the token
>>>>>>> signature and populate the Authentication Context information.
>>>>>>>
>>>>>>> A sample payload of JWT token which is used to populate the
>>>>>>> Authentication Context.
>>>>>>>
>>>>>>> {
>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>   "sub": "[email protected]",
>>>>>>>   "application": {
>>>>>>>     "owner": "admin",
>>>>>>>     "tier": "Unlimited",
>>>>>>>     "name": "DefaultApplication",
>>>>>>>     "id": 1
>>>>>>>   },
>>>>>>>   "scope": "am_application_scope default",
>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>   "subscribedAPIs": [
>>>>>>>     {
>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>       "publisher": "admin",
>>>>>>>       "version": "1.0.0",
>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>     }
>>>>>>>   ],
>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>   "exp": 1561701126,
>>>>>>>   "iat": 1561697526,
>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>> }
>>>>>>>
>>>>>>> We are hoping to use the same caches used for OAuth tokens to store
>>>>>>> the JWT tokens as well. In that scenario, the payload will be stored as
>>>>>>> a JSONObject in the cache as the value, and the key will be the "jti"
>>>>>>> value (unique identifier of the token) of the token.
>>>>>>>
>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>  - retrieve the missing information in the payload of JWT token such
>>>>>>> as "API tier"
>>>>>>>  - retrieve scopes bound to the resource for scope validation
>>>>>>>
>>>>>>> The related Git issue can be found here [1]. I would really
>>>>>>> appreciate any feedback. Thank you.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Chamod.
>>>>>>>
>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>
>>>>>>> --
>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>> (m) +94710397382 | Email: [email protected] <[email protected]>
>>>>>>> GET INTEGRATION AGILE
>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Harsha Kumara*
>>>>>>
>>>>>> Technical Lead, WSO2 Inc.
>>>>>> Mobile: +94775505618
>>>>>> Email: [email protected]
>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>
>>>>>> GET INTEGRATION AGILE
>>>>>> Integration Agility for Digitally Driven Business
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>>
>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>> Mobile : +94772338839 | [email protected]
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>> (m) +94711822074 | (w) +94112145345 | Email: [email protected]
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>>
>
>
> --
> Malintha Amarasinghe
> *WSO2, Inc. - lean | enterprise | middleware*
> http://wso2.com/
>
> Mobile : +94 712383306
>


-- 

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

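An added example, not code from this thread or from WSO2 API Manager: the validation path the thread converges on (signature check against the issuer's key, a validation cache keyed by "jti" with the whole token as fallback, and the absent / empty / populated "subscribedAPIs" rule) written as a small stand-alone Python module. HS256 with a per-issuer shared secret stands in for the RS256 public-key verification a real gateway does; the issuer URLs, secrets and sample claims are constructed for the demo and are not the product's. It also covers the caveat a reviewer would raise about the cache: a lookup keyed by "jti" must not let a forged token that reuses a known jti ride on an earlier validation, so the cached entry keeps the exact token and a hit requires a byte-identical match. Revocation is checked on every request, including cache hits.

```python
"""Added example (not code from the thread or from WSO2 API Manager): a small gateway-side JWT validator
applying the rules discussed above. HS256 with a per-issuer secret stands in for RS256 public-key
verification; issuer URLs, secrets and the sample claims below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

EXPECTED_AUD = "http://org.wso2.apimgt/gateway"
TRUSTED_ISSUERS = {  # constructed issuer -> verification key map; only these issuers are trusted
    "https://localhost:9443/oauth2/token": b"apim-idp-secret",         # APIM's own IDP
    "https://idp.example.com/oauth2/token": b"third-party-km-secret",  # third-party KM
}
REVOKED_JTIS = set()    # fed by the revocation notifier; checked on every request
_validation_cache = {}  # cache key -> {"token": <exact token>, "claims": <verified claims>}

class AuthError(Exception):
    """Raised for any token the gateway must reject."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(payload: dict, secret: bytes) -> str:
    """Demo helper standing in for the IDP: mint an HS256-signed token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _peek_claims(token: str) -> dict:  # unverified payload decode, used only to derive the cache key
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return {}

def verify_jwt(token: str, now: int) -> dict:
    """Signature with the issuer's key, then audience and expiry. Returns the verified claims."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError as e:
        raise AuthError("malformed token") from e
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none"
        raise AuthError("unsupported alg")
    secret = TRUSTED_ISSUERS.get(claims.get("iss"))
    if secret is None:  # unknown issuer: no key, so reject
        raise AuthError("untrusted issuer")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    if claims.get("aud") != EXPECTED_AUD or claims.get("exp", 0) <= now:
        raise AuthError("wrong audience or expired token")
    return claims

def cache_key(token: str) -> str:
    """'jti' when the issuer set one, otherwise the whole token (as proposed in the thread)."""
    return _peek_claims(token).get("jti") or token

def subscription_allowed(claims: dict, api_context: str, api_version: str) -> bool:
    subs = claims.get("subscribedAPIs")
    if subs is None:  # claim absent: not an APIM token; the trusted IDP enforced access itself
        return True
    # An empty list gives False: the application holds no subscriptions at all.
    return any(s.get("context") == api_context and s.get("version") == api_version for s in subs)

def authenticate(token: str, api_context: str, api_version: str, now=None) -> dict:
    """Gateway path: cache lookup -> verify -> revocation -> subscription -> auth context."""
    now = int(time.time()) if now is None else now
    key = cache_key(token)
    entry = _validation_cache.get(key)
    # A jti-keyed hit counts only if the cached token is byte-identical; otherwise a forged
    # token that reuses a known jti would ride on an earlier signature check.
    hit = bool(entry) and hmac.compare_digest(entry["token"], token) and entry["claims"]["exp"] > now
    if hit:
        claims = entry["claims"]
    else:
        claims = verify_jwt(token, now)
        _validation_cache[key] = {"token": token, "claims": claims}
    if claims.get("jti") in REVOKED_JTIS:  # revocation must also defeat cached entries
        raise AuthError("token revoked")
    if not subscription_allowed(claims, api_context, api_version):
        raise AuthError("no subscription for %s %s" % (api_context, api_version))
    app = claims.get("application", {})
    return {"subscriber": claims.get("sub"), "application": app.get("name"), "app_tier": app.get("tier"),
            "scopes": claims.get("scope", "").split(), "from_cache": hit}

# Constructed sample claims with the shape of the payload shown in the thread.
APIM_CLAIMS = {
    "aud": EXPECTED_AUD, "sub": "admin@carbon.super", "iss": "https://localhost:9443/oauth2/token",
    "application": {"owner": "admin", "tier": "Unlimited", "name": "DefaultApplication", "id": 1},
    "scope": "am_application_scope default", "exp": 1561701126, "jti": "39d826ca-a56b-4637-b799-0a1ba4bbf24d",
    "subscribedAPIs": [{"name": "PizzaShackAPI", "context": "/pizzashack/1.0.0", "version": "1.0.0"}],
}
NOW = 1561697600  # fixed clock inside the sample token's validity window
```

Mint a token with make_jwt() and call authenticate(token, "/pizzashack/1.0.0", "1.0.0"). It raises AuthError for an empty subscribedAPIs array, an unknown issuer, a bad signature, or an expired or revoked token, and skips the subscription check only when the claim is absent from a token whose issuer's key verified the signature. The second call with the same token is served from the cache; a forged token carrying the same jti is not, because the cached token bytes do not match.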