Hi All,

I have been working on the basic authentication support in WSO2 API
Microgateway. We already have the config-based authentication support. A
user should benefit from basic authentication against the user store
configured in a key manager. Hence, we planned to
engage LDAP/AD-based basic authentication. Actually, the microgateway
can implicitly get that comfort from Ballerina. We just need to give
the LDAP configs in micro-gw.conf to make the connection to a particular
user store (LDAP/AD).

Furthermore, we should have a clear differentiation in the configs in
micro-gw.conf between config-based and LDAP basic authentication. Hence, we
planned to separate the configs as shown below.

[basicAuthenticationConfig]
   userStoretype = "config"
   #userStoretype = "ldap"

Apart from that, there is a problem where someone uses an external identity
provider other than the APIM KM to authenticate the user. Let's take an example
where the customer knows only the WSO2 API Microgateway and they have their own
identity provider. At that point, we should have a proper way to support the
introspect endpoint in order to authenticate the request. It seems like we
will have the introspect endpoint support through the upcoming Ballerina
1.0 release. We just need to initialize the InboundOAuth2Provider [1] as a
BearerAuthHandler. Please find a sample code snippet to elaborate the
initialization.

// Introspection endpoint of the external identity provider; the gateway
// authenticates itself to it with basicAuthHandler (client credentials).
oauth2:IntrospectionServerConfig introspectionServerConfig = {
    url: "https://localhost:20102/oauth2/token/introspect",
    clientConfig: {
        auth: {
            authHandler: basicAuthHandler
        }
    }
};
// Inbound provider that validates incoming bearer tokens by calling the
// introspection endpoint, wrapped in a BearerAuthHandler for the listener.
oauth2:InboundOAuth2Provider oauth2Provider21 = new(introspectionServerConfig);
http:BearerAuthHandler oauth2Handler21 = new(oauth2Provider21);

With the introspect endpoint support, a new config entry should be introduced
in micro-gw.conf to differentiate the WSO2 KM and an external introspect
endpoint as shown below.

[keyManager]
   type="wso2"
   #type="other"

[1]
https://github.com/ballerina-platform/ballerina-lang/blob/master/stdlib/oauth2/src/main/ballerina/src/oauth2/inbound_oauth2_provider.bal



Regards,
Hasunie




-- 
*Hasunie Adikari*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
blog http://hasuniea.blogspot.com | https://medium.com/@Hasunie/
Mobile:+94713095876
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
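Added example, written for this page and not taken from the mail above, the microgateway or Ballerina: an offline Python simulation of the two request-authentication paths the proposal separates in micro-gw.conf, the basic-auth path selected by [basicAuthenticationConfig] userStoretype and the external-introspect path selected by [keyManager] type="other". The section and key names userStoretype and type come from the proposal; introspectUrl, clientId and clientSecret under [keyManager] are assumed keys, NOW is a fixed clock, and the user list, IdP client list and token store are constructed. The LDAP/AD user store and the WSO2 KM path need a live directory or key manager and are not modelled; they return a reason instead.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed micro-gw.conf fragment; introspectUrl/clientId/clientSecret are assumed keys.
SAMPLE_CONF = """
[basicAuthenticationConfig]
   userStoretype = "config"
   #userStoretype = "ldap"
[keyManager]
    type="other"
   #type="wso2"
    introspectUrl = "https://idp.example.test/oauth2/introspect"
    clientId = "microgateway"
    clientSecret = "s3cret"
"""
NOW = 1_700_000_000                       # fixed clock, so the example is deterministic
CONFIG_USERS = {"alice": "alice-pw"}      # constructed users for userStoretype = "config"
IDP_CLIENTS = {"microgateway": "s3cret"}  # constructed clients allowed to call introspection
IDP_TOKENS = {                            # constructed token store of the external IdP
    "good-token": {"active": True, "scope": "read write", "client_id": "app1", "exp": NOW + 3600},
    "expired-token": {"active": True, "scope": "read", "client_id": "app1", "exp": NOW - 1},
}

def parse_conf(text):
    """Minimal parser for the TOML-like fragment: [section], key = "value", # comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if section is None or not sep:
            raise ValueError("malformed line: %r" % raw)
        section[key.strip()] = value.strip().strip('"')
    return conf

def basic_header(user, pw):
    return "Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()

def decode_basic(header):
    """(user, password) from a Basic header, or None if it is malformed."""
    if not header.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw) if sep else None

def authenticate_basic(conf, authorization):
    """Basic-auth path: userStoretype decides which user store is consulted."""
    store = conf.get("basicAuthenticationConfig", {}).get("userStoretype")
    creds = decode_basic(authorization)
    if creds is None:
        return False, "missing or malformed basic credentials"
    if store == "config":
        expected = CONFIG_USERS.get(creds[0])
        ok = expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode())
        return ok, "config user store"
    if store == "ldap":
        return False, "ldap user store needs a directory connection, not modelled here"
    return False, "unknown userStoretype %r" % store

def idp_introspect(request):
    """Fake IdP introspection endpoint (RFC 7662): client-authenticated; unknown/expired -> active false."""
    creds = decode_basic(request["headers"].get("Authorization", ""))
    if creds is None or IDP_CLIENTS.get(creds[0]) != creds[1]:
        return {"status": 401, "body": {"error": "invalid_client"}}
    claims = IDP_TOKENS.get(parse_qs(request["body"]).get("token", [""])[0])
    if claims is None or claims["exp"] <= NOW:
        return {"status": 200, "body": {"active": False}}
    return {"status": 200, "body": dict(claims)}

def build_introspection_request(km, token):
    """Gateway side of the exchange: POST token=... with the gateway's own client credentials."""
    return {"method": "POST", "url": km["introspectUrl"],
            "headers": {"Authorization": basic_header(km["clientId"], km["clientSecret"]),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"token": token})}

def authenticate_bearer(conf, authorization, send=idp_introspect, required_scope=None):
    """Bearer path for keyManager.type = "other". Returns (True, claims) or (False, reason)."""
    km = conf.get("keyManager", {})
    if km.get("type") != "other":
        return False, "keyManager.type=%r is the WSO2 KM path, not modelled here" % km.get("type")
    token = authorization[7:].strip() if authorization.startswith("Bearer ") else ""
    if not token:
        return False, "missing bearer token"
    resp = send(build_introspection_request(km, token))
    if resp["status"] != 200:
        return False, "introspection failed: HTTP %d" % resp["status"]
    claims = resp["body"]
    if claims.get("active") is not True:  # fail closed on anything but an explicit true
        return False, "token is not active"
    if required_scope and required_scope not in claims.get("scope", "").split():
        return False, "token lacks scope %r" % required_scope
    return True, claims
```

Two points the simulation makes explicit that the Ballerina snippet leaves implicit: the gateway must itself authenticate to the introspection endpoint (here with the clientId/clientSecret pair, the role basicAuthHandler plays in the snippet), and a response other than an explicit `"active": true` is treated as a rejected token, so a wrong gateway secret, an expired token or an unknown token all fail closed.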