On Mon, Jul 29, 2019 at 10:39 AM Ishara Cooray <[email protected]> wrote:

> Hi,
>
> Since the API key only identifies the application, end users will not be
> validated in this case.
> So if the token is stolen, APIs can be consumed.
> In Google Cloud what they recommend is to restrict their use to an
> environment such as an IP address range, or an Android or iOS app.
>
> AFAIU from the above description, signed JWT is used to address this.
>
> If we represent a JWT as the API key, what is the difference between JWT
> (self-contained token) and API key auth types?
>

An API key is sent in a different header. Clients will use the Bearer
header to send OAuth2.0 tokens and a different type of header for API keys.

>
> Thanks & Regards,
> Ishara Cooray
> Associate Technical Lead
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
>
> On Sat, Jul 27, 2019 at 4:28 AM Nuwan Dias <[email protected]> wrote:
>
>> AFAIU the JWT will contain the APIs for which the particular Key is valid
>> and the TTL of the API Key. And we of course verify the signature of the
>> JWT as well.
>>
>> When using an opaque key the gateway will have to communicate with the
>> Key Manager or API Store to validate the API Key. We're trying to eliminate
>> the gateway's dependencies during the runtime so that we can scale the
>> gateway more easily and have regional resiliency for the gateways as well.
>>
>> On Fri, Jul 26, 2019 at 2:16 PM Bhathiya Jayasekara <[email protected]>
>> wrote:
>>
>>> Hi Dumindu,
>>>
>>> What's the reason for using a JWT instead of an opaque key? What is the
>>> information we include in the JWT?
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>> On Fri, Jul 26, 2019 at 1:44 PM Chathura Ekanayake <[email protected]>
>>> wrote:
>>>
>>>> Hi Dumindu,
>>>>
>>>> Could you briefly mention the steps for publishing, subscribing to and
>>>> invoking APIs with API Keys?
>>>>
>>>> According to the given description it looks like a similar approach to
>>>> using client credentials grant (with JWT). Or is it that we can associate a
>>>> key with an API at the publishing time?
>>>>
>>>> If it is the latter case, I guess we cannot do user or application
>>>> based throttling or analytics with this approach.
>>>>
>>>> Regards,
>>>> Chathura
>>>>
>>>> On Fri, Jul 26, 2019 at 12:46 PM Dumindu Kanchana <[email protected]>
>>>> wrote:
>>>>
>>>>> API key is the simplest form of app-based security that we will be
>>>>> able to configure for an API.
>>>>>
>>>>> Securing the APIs with this method was already implemented in a few
>>>>> API Manager solutions and currently I'm working on introducing this for
>>>>> the APIM 3.0.0.
>>>>>
>>>>> An API key is a string value passed by a client app to the APIM
>>>>> gateway. The key uniquely identifies the client app. A client app simply
>>>>> presents an API key with its request, then the APIM gateway checks to see that
>>>>> the API key is in an approved state for the API being requested and
>>>>> allows/denies based on the validation.
>>>>>
>>>>> We are going to use a JWT to represent the API Key which will be
>>>>> generated from the APIM Store. This self-contained API Key will be
>>>>> validated by the gateway before allowing a resource to be consumed.
>>>>>
>>>>> In order to use this feature, we need:
>>>>>
>>>>> 1. API Key security enabled for the API.
>>>>> 2. An application created in the Store to generate an API key.
>>>>>
>>>>> As the initial steps, I'm working on developing the Store/Publisher
>>>>> REST APIs and the backend implementation. We are also going to support
>>>>> API Key revocation for this feature.
>>>>>
>>>>> [1] Mail - "API key support"
>>>>> [2] Invitation: Discussion on integrating API-Key feature for
>>>>> AM-3.0.0 @ Wed Jul 10, 2019
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> *Dumindu Kanchana*
>>>>> Software Engineer | WSO2
>>>>>
>>>>> Email : [email protected]
>>>>> Mobile : +94766958493
>>>>> Web : https://wso2.com
>>>>>
>>>>> <http://wso2.com/signature>
>>>>>
>>>>
>>>
>>> --
>>> *Bhathiya Jayasekara* | Technical Lead | WSO2 Inc.
>>> (m) +94 71 547 8185 | (e) bhathiya-@t-wso2-d0t-com
>>>
>>
>> --
>> *Nuwan Dias* | Director | WSO2 Inc.
>> (m) +94 777 775 729 | (e) [email protected]
>>
>
--
*Nuwan Dias* | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
