If it is needed to support subscriptions with third party KMs, do we have
possible approaches?
E.g. Maintain application id -> subscribed APIs mapping in APIM KM and let
APIM KMs generate JWTs by fetching necessary information (scopes,
application data) from a third party KM.

On Sat, Jun 29, 2019 at 9:38 AM Harsha Kumara <hars...@wso2.com> wrote:

>
>
> On Sat, Jun 29, 2019 at 9:31 AM Rajith Roshan <raji...@wso2.com> wrote:
>
>>
>>
>> On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>>
>>>
>>>
>>> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <malint...@wso2.com>
>>> wrote:
>>>
>>>> I think we can make it optional.
>>>> If the particular app (token) doesn't have any subscriptions, the APIM
>>>> IDP will always send an empty subscribedAPIs array.
>>>>  "subscribedAPIs": []
>>>>
>>>> That means there are no subscriptions for this app (token) hence we can
>>>> fail the validation.
>>>> If the subscribedAPIs element is not available at all, I think we can
>>>> safely assume that the JWT is from a different IDP. If it is trusted, we
>>>> can bypass subscription validation.
>>>>
>>> That's the approach which we are already using in the MG as well.
>>>
>> The MGW approach is slightly different. MG validates subscription only if
>> the array contains at least one element. Sending an empty array will also
>> pass in the MGW. This is because when the APIM key manager is used, customers
>> might not want to enforce subscriptions.
>>
> I think the only difference is allowing the request to flow through when the
> subscriptions list is empty. This should be done because of the developer-first
> approach. I think we can use the same way as @Malintha Amarasinghe
> <malint...@wso2.com> mentioned.
>
>>>> In some cases, subscription validation can be performed in IDP side using
>>>> scopes itself. So I don't think bypassing the validation would be a big
>>>> issue.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Johann,
>>>>>>
>>>>>> How about supporting 3rd party Key Manager generated JWT access
>>>>>>> tokens? Will that work? 'jti' is an optional field as I remember. How
>>>>>>> would caching be impacted in that case?
>>>>>>>
>>>>>>
>>>>>> Good that you pointed out that. Then, we will have to use the whole
>>>>>> token as the key to the cache entry.
>>>>>>
>>>>> 3rd party KM doesn't know about the APIM subscription and I don't
>>>>> think it is possible to customize at the IDP side. Other claims can be
>>>>> included using customization or configuration.
>>>>>
>>>>>>
>>>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Chamod,
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Harsha,
>>>>>>>>
>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>>> implement the revocation support as well as we already have the
>>>>>>>>> backend implementation?
>>>>>>>>
>>>>>>>>
>>>>>>>> Yes, we will.
>>>>>>>>
>>>>>>>
>>>>>>> I hope we are planning to follow the same real-time and persistent
>>>>>>> approach (with etc) similar to the microgateway for this. Or is there a
>>>>>>> different plan?
>>>>>>>
>>>>>>>>
>>>>>>>> Best regards.
>>>>>>>>
>>>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>>> implement the revocation support as well as we already have the
>>>>>>>>> backend implementation?
>>>>>>>>>
>>>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <
>>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>>>>>> authentication for API Gateway.
>>>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>>>
>>>>>>>>>> *Approach*
>>>>>>>>>> The API Authentication Handler will forward the request to OAuth
>>>>>>>>>> Authenticator. Then the OAuth Authenticator will identify whether
>>>>>>>>>> the token is of type OAuth or JWT. If a JWT token is found the request
>>>>>>>>>> will be passed to the JWT validator which will be used to verify the
>>>>>>>>>> token signature and populate the Authentication Context information.
>>>>>>>>>>
>>>>>>>>>> A sample payload of JWT token which is used to populate the
>>>>>>>>>> Authentication Context.
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>>   "sub": "admin@carbon.super",
>>>>>>>>>>   "application": {
>>>>>>>>>>     "owner": "admin",
>>>>>>>>>>     "tier": "Unlimited",
>>>>>>>>>>     "name": "DefaultApplication",
>>>>>>>>>>     "id": 1
>>>>>>>>>>   },
>>>>>>>>>>   "scope": "am_application_scope default",
>>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>>>>   "subscribedAPIs": [
>>>>>>>>>>     {
>>>>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>>>>       "publisher": "admin",
>>>>>>>>>>       "version": "1.0.0",
>>>>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>>>>     }
>>>>>>>>>>   ],
>>>>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>>>>   "exp": 1561701126,
>>>>>>>>>>   "iat": 1561697526,
>>>>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> We are hoping to use the same caches used for OAuth tokens to
>>>>>>>>>> store the JWT tokens as well. In that scenario, the payload will be
>>>>>>>>>> stored as a JSONObject in the cache as the value and the key will be
>>>>>>>>>> the "jti" value (Unique identifier of the token) of the token.
>>>>>>>>>>
>>>>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>>>>  - retrieve the missing information in the payload of JWT token
>>>>>>>>>>    such as "API tier"
>>>>>>>>>>  - retrieve scopes bound to the resource for scope validation
>>>>>>>>>>
>>>>>>>>>> The related Git issue can be found here [1]. I would really
>>>>>>>>>> appreciate any feedback. Thank you.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Chamod.
>>>>>>>>>>
>>>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> *Harsha Kumara*
>>>>>>>>>
>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>> Mobile: +94775505618
>>>>>>>>> Email: hars...@wso2.com
>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>
>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thanks & Regards,
>>>>>>>
>>>>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>>>> GET INTEGRATION AGILE
>>>>> Integration Agility for Digitally Driven Business
>>>>>
>>>>
>>>>
>>>> --
>>>> Malintha Amarasinghe
>>>> *WSO2, Inc. - lean | enterprise | middleware*
>>>> http://wso2.com/
>>>>
>>>> Mobile : +94 712383306
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> *Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
>> (m) +94-717-064-214 |  (e) raji...@wso2.com <shen...@wso2.com>
>>
>> <https://wso2.com/signature>
>>
>
>
>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
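The decision logic argued over in this thread (cache key from "jti" with a whole-token fallback, and the three-way subscribedAPIs rule: claim absent means a trusted third-party KM and validation is bypassed, empty array rejects unless the MGW-style allowance is on, otherwise the invoked API must be listed), as an added Python illustration that is not WSO2 code. The trusted issuer set, the helper names and the constructed tokens are assumptions for the example; signature verification is assumed to have happened before this step.

```python
import base64
import hashlib
import json

# Constructed trust list: the APIM KM issuer from the sample payload plus a
# hypothetical third-party KM. Not a real WSO2 configuration value.
TRUSTED_ISSUERS = {"https://localhost:9443/oauth2/token", "https://idp.example.com/"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(payload: dict) -> str:
    """Build a constructed JWT for the demo; the signature segment is a dummy."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.sig"


def decode_payload(token: str) -> dict:
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def cache_key(token: str, payload: dict) -> str:
    """Key the validation cache by jti; jti is optional, so fall back to a
    digest of the whole token rather than storing the raw token as the key."""
    jti = payload.get("jti")
    return f"jti:{jti}" if jti else "tok:" + hashlib.sha256(token.encode()).hexdigest()


def validate_subscription(payload: dict, context: str, version: str,
                          allow_empty: bool = False):
    """Return (allowed, reason) for the API identified by context/version.
    allow_empty=True reproduces the MGW behaviour of passing an empty array."""
    if payload.get("iss") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if "subscribedAPIs" not in payload:
        # No claim at all: assume a trusted third-party KM, skip the check.
        return True, "no subscribedAPIs claim: third-party KM, validation bypassed"
    subs = payload["subscribedAPIs"]
    if not subs:
        return allow_empty, "empty subscribedAPIs"
    for sub in subs:
        if sub.get("context") == context and sub.get("version") == version:
            return True, f"subscribed on tier {sub.get('subscriptionTier')}"
    return False, "no subscription for this API"
```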
