On Sat, Jun 29, 2019 at 9:31 AM Rajith Roshan <raji...@wso2.com> wrote:

>
>
> On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>
>>
>>
>> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <malint...@wso2.com>
>> wrote:
>>
>>> I think we can make it optional.
>>> If the particular app (token) doesn't have any subscriptions, the APIM
>>> IDP will always send an empty subscribedAPIs array.
>>>  "subscribedAPIs": []
>>>
>>> That means there are no subscriptions for this app (token) hence we can
>>> fail the validation.
>>> If the subscribedAPIs element is not available at all, I think we can
>>> safely assume that the JWT is from a different IDP. If it is trusted, we
>>> can bypass subscription validation.
>>>
>> That's the approach which we are already using in the MG as well.
>>
> The MGW approach is slightly different. MG validates the subscription only
> if the array contains at least one element. Sending an empty array will also
> pass in the MGW. This is because when the APIM key manager is used, customers
> might not want to enforce subscriptions.
>
I think the only difference is allowing the request to flow through when the
subscriptions list is empty. This should be done because of the developer-first
approach. I think we can use the same way as @Malintha Amarasinghe
<malint...@wso2.com> mentioned.

>>> In some cases, subscription validation can be performed on the IDP side
>>> using scopes itself. So I don't think bypassing the validation would be a
>>> big issue.
>>>
>>> Thanks!
>>>
>>>
>>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Johann,
>>>>>
>>>>>> How about supporting 3rd party Key Manager generated JWT access
>>>>>> tokens? Will that work? 'jti' is an optional field as I remember. How
>>>>>> would caching be impacted in that case?
>>>>>>
>>>>>
>>>>> Good that you pointed out that. Then, we will have to use the whole
>>>>> token as the key to the cache entry.
>>>>>
>>>> 3rd party KM doesn't know about the APIM subscription and I don't think
>>>> it is possible to customize at the IDP side. Other claims can be included
>>>> using customization or configuration.
>>>>
>>>>>
>>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Chamod,
>>>>>>
>>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Harsha,
>>>>>>>
>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>> implement the revocation support as well as we already have the backend
>>>>>>>> implementation?
>>>>>>>
>>>>>>>
>>>>>>> Yes, we will.
>>>>>>>
>>>>>>
>>>>>> I hope we are planning to follow the same real-time and persistent
>>>>>> approach (with etc) similar to the microgateway for this. Or is there a
>>>>>> different plan?
>>>>>>
>>>>>>>
>>>>>>> Best regards.
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>> implement the revocation support as well as we already have the backend
>>>>>>>> implementation?
>>>>>>>>
>>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <
>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>>>>> authentication for API Gateway.
>>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>>
>>>>>>>>> *Approach*
>>>>>>>>> The API Authentication Handler will forward the request to the OAuth
>>>>>>>>> Authenticator. Then the OAuth Authenticator will identify whether the
>>>>>>>>> token is of type OAuth or JWT. If a JWT token is found, the request
>>>>>>>>> will be passed to the JWT validator, which will be used to verify the
>>>>>>>>> token signature and populate the Authentication Context information.
>>>>>>>>>
>>>>>>>>> A sample payload of a JWT token which is used to populate the
>>>>>>>>> Authentication Context:
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>   "sub": "admin@carbon.super",
>>>>>>>>>   "application": {
>>>>>>>>>     "owner": "admin",
>>>>>>>>>     "tier": "Unlimited",
>>>>>>>>>     "name": "DefaultApplication",
>>>>>>>>>     "id": 1
>>>>>>>>>   },
>>>>>>>>>   "scope": "am_application_scope default",
>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>>>   "subscribedAPIs": [
>>>>>>>>>     {
>>>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>>>       "publisher": "admin",
>>>>>>>>>       "version": "1.0.0",
>>>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>>>     }
>>>>>>>>>   ],
>>>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>>>   "exp": 1561701126,
>>>>>>>>>   "iat": 1561697526,
>>>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> We are hoping to use the same caches used for OAuth tokens to
>>>>>>>>> store the JWT tokens as well. In that scenario, the payload will be
>>>>>>>>> stored as a JSONObject in the cache as the value, and the key will be
>>>>>>>>> the "jti" value (unique identifier of the token) of the token.
>>>>>>>>>
>>>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>>>  - retrieve the missing information in the payload of JWT token
>>>>>>>>> such as "API tier"
>>>>>>>>>  - retrieve scopes bound to the resource for scope validation
>>>>>>>>>
>>>>>>>>> The related Git issue can be found here [1]. I would really
>>>>>>>>> appreciate any feedback. Thank you.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Chamod.
>>>>>>>>>
>>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com
>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Harsha Kumara*
>>>>>>>>
>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>> Mobile: +94775505618
>>>>>>>> Email: hars...@wso2.com
>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>
>>>>>>>> GET INTEGRATION AGILE
>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>>
>>>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>>>
>>>
>>>
>>> --
>>> Malintha Amarasinghe
>>> *WSO2, Inc. - lean | enterprise | middleware*
>>> http://wso2.com/
>>>
>>> Mobile : +94 712383306
>>>
>>
>>
>
>
> --
> *Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
> (m) +94-717-064-214 |  (e) raji...@wso2.com
>


-- 

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: hars...@wso2.com
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
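The subscription check and cache-key choice discussed in this thread, as an added Python example that is not code from the thread or from WSO2 API Manager. The token builder and sample payload are constructed for the demo, and signature verification is assumed to have already happened in the JWT validator step described above.

```python
import base64
import hashlib
import json

# Constructed sample payload, modelled on the one posted in the thread (not a real token).
SAMPLE_PAYLOAD = {
    "sub": "admin@carbon.super",
    "subscribedAPIs": [
        {"name": "PizzaShackAPI", "context": "/pizzashack/1.0.0", "version": "1.0.0",
         "subscriptionTier": "Gold", "subscriberTenantDomain": "carbon.super"}
    ],
    "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(payload: dict) -> str:
    """Build a compact JWS-shaped string for the demo; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"

def jwt_payload(token: str) -> dict:
    """Decode the payload segment; the gateway's JWT validator is assumed to have verified the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def cache_key(token: str, payload: dict) -> str:
    """Key the token cache on 'jti'; when a third-party IDP omits it, fall back to a digest of the whole token."""
    jti = payload.get("jti")
    return jti if jti else hashlib.sha256(token.encode()).hexdigest()

def subscription_allowed(payload: dict, api_context: str, api_version: str,
                         allow_empty: bool = False) -> bool:
    """Subscription validation with the two policies from the thread.
    - 'subscribedAPIs' absent: token came from a different, trusted IDP -> bypass the check.
    - empty list: the app has no subscriptions -> reject, unless allow_empty (the MGW behaviour).
    - otherwise the invoked API must be listed by context and version.
    """
    subs = payload.get("subscribedAPIs")
    if subs is None:
        return True
    if not subs:
        return allow_empty
    return any(s.get("context") == api_context and s.get("version") == api_version
               for s in subs)
```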
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture