On Sat, Jun 29, 2019 at 9:31 AM Rajith Roshan <raji...@wso2.com> wrote:

> On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>
>> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <malint...@wso2.com>
>> wrote:
>>
>>> I think we can make it optional.
>>> If the particular app (token) doesn't have any subscriptions, the APIM
>>> IDP will always send an empty subscribedAPIs array.
>>> "subscribedAPIs": []
>>>
>>> That means there are no subscriptions for this app (token), hence we can
>>> fail the validation.
>>> If the subscribedAPIs element is not available at all, I think we can
>>> safely assume that the JWT is from a different IDP. If it is trusted, we
>>> can bypass subscription validation.
>>>
>> That's the approach we are already using in the MG as well.
>>
> The MGW approach is slightly different. MG validates subscription only if
> the array contains at least one element. Sending an empty array will also
> pass in the MGW. This is because when the APIM key manager is used,
> customers might not want to enforce subscriptions.
>
I think the only difference is allowing the request to flow through when the
subscriptions list is empty. This should be done because of the
developer-first approach. I think we can use the same way as
@Malintha Amarasinghe <malint...@wso2.com> mentioned.

>>> In some cases, subscription validation can be performed on the IDP side
>>> using scopes itself. So I don't think bypassing the validation would be a
>>> big issue.
>>>
>>> Thanks!
>>>
>>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com>
>>> wrote:
>>>
>>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Johann,
>>>>>
>>>>>> How about supporting 3rd party Key Manager generated JWT access
>>>>>> tokens? Will that work? 'jti' is an optional field as I remember. How
>>>>>> would caching be impacted in that case?
>>>>>
>>>>> Good that you pointed that out. Then, we will have to use the whole
>>>>> token as the key to the cache entry.
>>>>>
>>>> 3rd party KM doesn't know about the APIM subscription and I don't think
>>>> it is possible to customize at the IDP side. Other claims can be included
>>>> using customization or configuration.
>>>>
>>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Chamod,
>>>>>>
>>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Harsha,
>>>>>>>
>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>> implement the revocation support as well, as we already have the
>>>>>>>> backend implementation?
>>>>>>>
>>>>>>> Yes, we will.
>>>>>>>
>>>>>> I hope we are planning to follow the same real-time and persistent
>>>>>> approach (with etc) similar to the microgateway for this. Or is there a
>>>>>> different plan?
>>>>>>
>>>>>>> Best regards.
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>> implement the revocation support as well, as we already have the
>>>>>>>> backend implementation?
>>>>>>>>
>>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa
>>>>>>>> <cha...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>>>>> authentication for API Gateway.
>>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>>
>>>>>>>>> *Approach*
>>>>>>>>> The API Authentication Handler will forward the request to the OAuth
>>>>>>>>> Authenticator. Then the OAuth Authenticator will identify whether the
>>>>>>>>> token is of type OAuth or JWT. If a JWT token is found, the request
>>>>>>>>> will be passed to the JWT validator, which will be used to verify the
>>>>>>>>> token signature and populate the Authentication Context information.
>>>>>>>>>
>>>>>>>>> A sample payload of a JWT token which is used to populate the
>>>>>>>>> Authentication Context:
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>   "sub": "admin@carbon.super",
>>>>>>>>>   "application": {
>>>>>>>>>     "owner": "admin",
>>>>>>>>>     "tier": "Unlimited",
>>>>>>>>>     "name": "DefaultApplication",
>>>>>>>>>     "id": 1
>>>>>>>>>   },
>>>>>>>>>   "scope": "am_application_scope default",
>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>>>   "subscribedAPIs": [
>>>>>>>>>     {
>>>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>>>       "publisher": "admin",
>>>>>>>>>       "version": "1.0.0",
>>>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>>>     }
>>>>>>>>>   ],
>>>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>>>   "exp": 1561701126,
>>>>>>>>>   "iat": 1561697526,
>>>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> We are hoping to use the same caches used for OAuth tokens to store
>>>>>>>>> the JWT tokens as well. In that scenario, the payload will be stored
>>>>>>>>> as a JSONObject in the cache as the value, and the key will be the
>>>>>>>>> "jti" value (unique identifier of the token) of the token.
>>>>>>>>>
>>>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>>> - retrieve the missing information in the payload of the JWT token,
>>>>>>>>>   such as "API tier"
>>>>>>>>> - retrieve scopes bound to the resource for scope validation
>>>>>>>>>
>>>>>>>>> The related Git issue can be found here [1]. I would really
>>>>>>>>> appreciate any feedback. Thank you.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Chamod.
>>>>>>>>>
>>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com
>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Harsha Kumara*
>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>> Mobile: +94775505618
>>>>>>>> Email: hars...@wso2.coim
>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>> GET INTEGRATION AGILE
>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> *Fazlan Nazeem* | Associate Technical Lead | WSO2 Inc
>>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>
>>>> --
>>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>>
>>> --
>>> Malintha Amarasinghe
>>> *WSO2, Inc. - lean | enterprise | middleware*
>>> http://wso2.com/
>>> Mobile : +94 712383306
>
> --
> *Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
> (m) +94-717-064-214 | (e) raji...@wso2.com

--
*Harsha Kumara*
Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: hars...@wso2.coim
Blog: harshcreationz.blogspot.com
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
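The claim rules debated in the thread (a missing subscribedAPIs claim versus an empty array, Malintha's trusted-issuer bypass, the MGW variant Rajith describes where an empty array passes, and the jti-or-whole-token cache key from Chamod's reply to Johann), worked through as an added example. This is not code from the thread, from WSO2 API Manager or from the microgateway. The function names, the `allow_empty` switch, the `TRUSTED_ISSUERS` set and the second issuer URL in it are assumptions made for this illustration; the claim names and sample values are taken from the payload Chamod posted, and the token's signature is assumed to have been verified before these checks run.

```python
"""Subscription-validation and cache-key rules from the APIM JWT thread.

Added example; not WSO2 API Manager or microgateway code. Names marked
"assumed" are inventions for this illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, Set


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample claims, copied from the payload posted in the thread
# (only the fields this example reads are kept).
SAMPLE_CLAIMS: Dict[str, Any] = {
    "iss": "https://localhost:9443/oauth2/token",
    "sub": "admin@carbon.super",
    "scope": "am_application_scope default",
    "subscribedAPIs": [
        {"name": "PizzaShackAPI", "context": "/pizzashack/1.0.0",
         "version": "1.0.0", "subscriptionTier": "Gold"},
    ],
    "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d",
}

# Assumed trust list: the APIM issuer from the sample plus a hypothetical
# third-party IDP that the gateway has been configured to trust.
TRUSTED_ISSUERS: Set[str] = {
    "https://localhost:9443/oauth2/token",
    "https://idp.example.test/oauth2/token",
}


def validate_subscription(claims: Dict[str, Any], api_context: str,
                          api_version: str, trusted_issuers: Set[str],
                          allow_empty: bool = False) -> Decision:
    """Decide whether an already signature-verified JWT may call the API.

    - no subscribedAPIs claim: the token came from another IDP; skip the
      subscription check only when that issuer is trusted (Malintha's rule)
    - empty subscribedAPIs: the app has no subscriptions, so fail; with
      allow_empty=True the request passes instead (the MGW behaviour)
    - otherwise the API's context and version must appear in the list
    """
    subs = claims.get("subscribedAPIs")
    if subs is None:
        if claims.get("iss") in trusted_issuers:
            return Decision(True, "no subscribedAPIs claim; trusted issuer, "
                                  "subscription check bypassed")
        return Decision(False, "no subscribedAPIs claim and issuer not trusted")
    if not isinstance(subs, list):
        return Decision(False, "subscribedAPIs is not an array")
    if not subs:
        if allow_empty:
            return Decision(True, "empty subscribedAPIs; enforcement disabled")
        return Decision(False, "empty subscribedAPIs; app has no subscriptions")
    for entry in subs:
        if (entry.get("context") == api_context
                and entry.get("version") == api_version):
            return Decision(True, f"subscribed, tier {entry.get('subscriptionTier')}")
    return Decision(False, "API not present in subscribedAPIs")


def cache_key(token: str, claims: Dict[str, Any]) -> str:
    """Key for the token cache.

    Uses jti when present, namespaced by issuer because jti is only unique per
    issuer; otherwise (third-party tokens without jti, as Johann raised) falls
    back to a SHA-256 of the whole compact token so the bearer credential
    itself never becomes a cache key.
    """
    iss = claims.get("iss", "")
    jti = claims.get("jti")
    if isinstance(jti, str) and jti:
        return f"{iss}|jti:{jti}"
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return f"{iss}|sha256:{digest}"


if __name__ == "__main__":
    ctx, ver = "/pizzashack/1.0.0", "1.0.0"
    cases = {
        "apim token": SAMPLE_CLAIMS,
        "apim token, no subscriptions": dict(SAMPLE_CLAIMS, subscribedAPIs=[]),
        "trusted third-party token": {"iss": "https://idp.example.test/oauth2/token"},
        "unknown issuer": {"iss": "https://rogue.example.test/"},
    }
    for label, claims in cases.items():
        d = validate_subscription(claims, ctx, ver, TRUSTED_ISSUERS)
        print(f"{label:32} allowed={d.allowed!s:5} {d.reason}")
        print(f"{'':32} cache key = {cache_key('hdr.payload.sig', claims)}")
```

With `allow_empty` left at its default, an app with no subscriptions is rejected as Malintha proposed; flip it only where, as Rajith notes, the key manager is expected to enforce subscriptions itself, since it then lets any token from that issuer reach every API.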