Hi Nuwan, Can the same API gateway handle both self-contained and opaque tokens?
How does the API consumption work? Does the application need to invoke both the KM and gateway endpoints to refresh/revoke and invoke the APIs? Thank you. On Wed, Aug 21, 2019 at 1:21 PM Asela Pathberiya <as...@wso2.com> wrote: > > > On Tue, Aug 20, 2019 at 2:37 PM Nuwan Dias <nuw...@wso2.com> wrote: > >> Hi, >> >> With the introduction of the Microgateway self-contained access tokens >> were supported in the API Manager since version 2.5. Self-contained access >> tokens however were only supported in the Microgateway so far. The regular >> gateway was unable to process and validate a self-contained access token. >> With API Manager 3.0 we are bringing this support to the regular gateway as >> well. With this we hope to make self-contained tokens the default token >> type of applications. Opaque tokens will still be supported as before. >> There are several benefits of using self-contained access tokens. These are, >> >> 1) The gateway no longer connects to the Key Manager when processing API >> requests. This makes the deployment simpler and reduces configuration >> points a bit. >> 2) We no longer have to scale the Key Manager when we need the Gateway to >> be scaled. This bring a significant reduction to the cost of using the >> product in larger deployments. >> 3) The gateway becomes regionally resilient. A token issued from one >> region can be validated by a gateway in another region even if the data is >> not synced. >> 4) Back-end JWTs will be included in as part of the access token itself >> (self-contained). This eliminates the need of creating back-end JWTs while >> the API request is being processed. Which in turn makes APIs calls much >> faster. >> >> One pending items that's left to handle is the revocation of >> self-contained access tokens. Since the gateway does not connect to the Key >> Manager for validating self-contained tokens, the gateway will not know >> when a particular token has been revoked. Using shorter expiry times for >> access token addresses this solution to a certain extent. We hope to >> implement the same solution we implemented for the Microgateway to address >> this. The Key Manager will be notifying the gateway cluster through a >> broker when a token has been revoked. And the gateway will no longer be >> treating the particular token as valid upon receiving the notification. >> >> Appreciate your thoughts and suggestions on this. >> > > So we are making it as default to increase the usage of it ? > > Is this would be same for developer token in store (application tokens)? > What are the default user details which are adding to self-contains access > token ? > > Thanks, > Asela. > > >> >> Thanks, >> NuwanD. >> -- >> *Nuwan Dias* | Director | WSO2 Inc. >> (m) +94 777 775 729 | (e) nuw...@wso2.com >> [image: Signature.jpg] >> _______________________________________________ >> Architecture mailing list >> Architecture@wso2.org >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> > > > -- > Thanks & Regards, > Asela > > Mobile : +94 777 625 933 > > http://soasecurity.org/ > http://xacmlinfo.org/ > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > -- *Manjula Rathnayaka* | Senior Technical Lead | WSO2 Inc. (m) +94 77 743 1987 | (w) +94 11 214 5345 | (e) manju...@wso2.com GET INTEGRATION AGILE Integration Agility for Digitally Driven Business
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture