AFAIU the JWT will contain the APIs for which the particular Key is valid
and the TTL of the API Key. And we of course verify the signature of the
JWT as well.

When using an opaque key the gateway will have to communicate with the Key
Manager or API Store to validate the API Key. We're trying to eliminate the
gateway's dependencies during the runtime so that we can scale the gateway
more easily and have regional resiliency for the gateways as well.

On Fri, Jul 26, 2019 at 2:16 PM Bhathiya Jayasekara <[email protected]>
wrote:

> Hi Dumindu,
>
> What's the reason for using a JWT instead of an opaque key? What
> information do we include in the JWT?
>
> Thanks,
> Bhathiya
>
> On Fri, Jul 26, 2019 at 1:44 PM Chathura Ekanayake <[email protected]>
> wrote:
>
>> Hi Dumindu,
>>
>> Could you briefly mention the steps for publishing, subscribing to and
>> invoking APIs with API Keys?
>>
>> According to the given description it looks like a similar approach to
>> using the client credentials grant (with JWT). Or is it that we can
>> associate a key with an API at publishing time?
>>
>> If it is the latter case, I guess we cannot do user or application based
>> throttling or analytics with this approach.
>>
>> Regards,
>> Chathura
>>
>> On Fri, Jul 26, 2019 at 12:46 PM Dumindu Kanchana <[email protected]>
>> wrote:
>>
>>> API key is the simplest form of app-based security that we will be able
>>> to configure for an API.
>>>
>>> Securing APIs with this method is already implemented in a few
>>> API-Manager solutions, and currently I'm working on introducing this for
>>> APIM 3.0.0.
>>>
>>> An API key is a string value passed by a client app to the APIM gateway.
>>> The key uniquely identifies the client app. A client app simply presents an
>>> API key with its request; the APIM gateway then checks that the API key
>>> is in an approved state for the API being requested and allows/denies based
>>> on the validation.
>>>
>>> We are going to use a JWT to represent the APIKey which will be
>>> generated from the APIM-Store. This self-contained API Key will be
>>> validated from the gateway before allowing a resource to be consumed.
>>>
>>> In order to use this feature, we need:
>>>
>>>    1. API Key security enabled for the API.
>>>    2. An application created in the Store to generate an API key.
>>>
>>> As the initial step, I'm working on developing the Store/Publisher REST
>>> APIs and the backend implementation. We are also going to support API Key
>>> revocation for this feature.
>>>
>>> [1] Mail - "API key support"
>>> [2] Invitation: Discussion on integrating API-Key feature for AM-3.0.0 @
>>> Wed Jul 10, 2019
>>>
>>> Thanks,
>>> --
>>> *Dumindu Kanchana*
>>> Software Engineer | WSO2
>>>
>>> Email : [email protected]
>>> Mobile : +94766958493
>>> Web : https://wso2.com
>>>
>>
>
> --
> *Bhathiya Jayasekara* | Technical Lead | WSO2 Inc.
> (m) +94 71 547 8185  | (e) bhathiya-@t-wso2-d0t-com
>

-- 
*Nuwan Dias* | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
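As an added example that is not part of this thread and not WSO2 APIM's own code, the two halves of the design discussed above in Python: the Store mints a self-contained JWT API key (the APIs it is valid for plus an expiry derived from the TTL), and the gateway allows or denies a request using only the token, its clock and the verification key, with no call to the Key Manager. The claim names (`sub`, `apis`, `exp`, `jti`), the use of HS256 so the demo runs on the standard library alone, and the locally held set of revoked key ids are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. Assumption: HS256 (HMAC-SHA256) so the example runs
# on the standard library alone. The design in the thread has the gateway
# validate the Store-issued key with no runtime dependency on the Key Manager;
# in a real deployment that points to an asymmetric algorithm (e.g. RS256) so
# the gateway only ever holds the verification key, never the signing key.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_api_key(application: str, allowed_apis: list, ttl_seconds: int,
                  now: int, secret: bytes = SIGNING_SECRET) -> str:
    """Store side: mint a self-contained API key for one application.

    Claim names are assumed for this example: 'sub' is the application,
    'apis' lists the APIs the key is valid for, 'exp' is derived from the
    TTL and 'jti' is a per-key id that a revocation list can refer to.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": application,
        "apis": list(allowed_apis),
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),
    }

    def compact(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_api_key(token: str, requested_api: str, now: int,
                     revoked=frozenset(), secret: bytes = SIGNING_SECRET) -> tuple:
    """Gateway side: allow/deny from the token alone plus a locally held set
    of revoked 'jti' values (the thread only says revocation will be
    supported; a pushed revocation list is an assumed mechanism).

    Returns (allowed, detail): the application on success, else the reason.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        actual_sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm instead of trusting the token's own 'alg' value;
    # this rejects alg=none and key-type confusion outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, actual_sig):
        return False, "bad signature"
    # Only after the signature check are the claims worth reading.
    payload = json.loads(b64url_decode(payload_b64))
    if now >= payload.get("exp", 0):
        return False, "expired"
    if payload.get("jti") in revoked:
        return False, "revoked"
    if requested_api not in payload.get("apis", []):
        return False, "api not authorized"
    return True, payload["sub"]


if __name__ == "__main__":
    now = 1564000000  # constructed clock value for the demo
    key = issue_api_key("weather-app", ["Weather/2.0"], ttl_seconds=3600, now=now)
    print(validate_api_key(key, "Weather/2.0", now + 10))    # (True, 'weather-app')
    print(validate_api_key(key, "Orders/1.0", now + 10))     # (False, 'api not authorized')
    print(validate_api_key(key, "Weather/2.0", now + 3600))  # (False, 'expired')
```

The order of checks is the point: signature first, then expiry, revocation and the API allow-list, so nothing in an unverified payload influences the decision. The clock is passed in explicitly so the TTL handling can be exercised deterministically; a gateway would pass its current time.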