Can we expect the APIM 3.0.0 milestone to be released with the token revocation feature? That's where some key business end-users are relying on business functions when and if they decide to migrate.

I know you have mentioned that opaque tokens will still be supported as before, but I feel the user story through self-signed is not yet 100% and we can't find a sustainable option. So, IMHO, ideally 3.0.0 would have opaque as the primary feature but with self-signed available as optional. WDYT? And once we finalize a fully feature-compatible self-signed token, we will switch to that as the default mode when it is ready.

On Sun, Aug 25, 2019 at 5:00 PM Ishara Cooray <[email protected]> wrote:
> Hi,
>
> 4) Back-end JWTs will be included as part of the access token itself (self-contained). This eliminates the need of creating back-end JWTs while the API request is being processed, which in turn makes API calls much faster.
>
> Only concern: this might lead the header to become very large. In that case we will have to increase the header size. Alternatively, HPACK[1] in http/2 (Header Compression for HTTP2) might be useful.
>
> [1] https://httpwg.org/specs/rfc7541.html
>
> Thanks & Regards,
> Ishara Cooray
> Associate Technical Lead
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Thu, Aug 22, 2019 at 11:04 AM Nuwan Dias <[email protected]> wrote:
>> On Wed, 21 Aug 2019 at 10:57 pm, Manjula Rathnayake <[email protected]> wrote:
>>> Hi Nuwan,
>>>
>>> Can the same API gateway handle both self-contained and opaque tokens?
>>
>> Yes it can. The gateway needs to be connected to the key manager if it is expected to validate opaque tokens.
>>
>>> How does the API consumption work? Does the application need to invoke both the KM and gateway endpoints to refresh/revoke and invoke the APIs?
>>
>> If the gateway is connected to the key manager the app can use the /token and /revoke endpoints on the gateway itself. Otherwise the key manager needs to expose them some other way for apps to use.
>>
>>> Thank you.
>>>
>>> On Wed, Aug 21, 2019 at 1:21 PM Asela Pathberiya <[email protected]> wrote:
>>>> On Tue, Aug 20, 2019 at 2:37 PM Nuwan Dias <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> With the introduction of the Microgateway, self-contained access tokens were supported in the API Manager since version 2.5. Self-contained access tokens however were only supported in the Microgateway so far. The regular gateway was unable to process and validate a self-contained access token. With API Manager 3.0 we are bringing this support to the regular gateway as well. With this we hope to make self-contained tokens the default token type of applications. Opaque tokens will still be supported as before. There are several benefits of using self-contained access tokens. These are,
>>>>>
>>>>> 1) The gateway no longer connects to the Key Manager when processing API requests. This makes the deployment simpler and reduces configuration points a bit.
>>>>> 2) We no longer have to scale the Key Manager when we need the Gateway to be scaled. This brings a significant reduction to the cost of using the product in larger deployments.
>>>>> 3) The gateway becomes regionally resilient. A token issued from one region can be validated by a gateway in another region even if the data is not synced.
>>>>> 4) Back-end JWTs will be included as part of the access token itself (self-contained). This eliminates the need of creating back-end JWTs while the API request is being processed, which in turn makes API calls much faster.
>>>>>
>>>>> One pending item that's left to handle is the revocation of self-contained access tokens. Since the gateway does not connect to the Key Manager for validating self-contained tokens, the gateway will not know when a particular token has been revoked. Using shorter expiry times for access tokens addresses this to a certain extent. We hope to implement the same solution we implemented for the Microgateway to address this. The Key Manager will be notifying the gateway cluster through a broker when a token has been revoked. And the gateway will no longer be treating the particular token as valid upon receiving the notification.
>>>>>
>>>>> Appreciate your thoughts and suggestions on this.
>>>>
>>>> So we are making it the default to increase the usage of it?
>>>>
>>>> Would this be the same for developer tokens in the store (application tokens)?
>>>> What are the default user details which are added to self-contained access tokens?
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>> Thanks,
>>>>> NuwanD.
>>>>> --
>>>>> *Nuwan Dias* | Director | WSO2 Inc.
>>>>> (m) +94 777 775 729 | (e) [email protected]
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Asela
>>>>
>>>> Mobile : +94 777 625 933
>>>>
>>>> http://soasecurity.org/
>>>> http://xacmlinfo.org/
>>>
>>> --
>>> *Manjula Rathnayaka* | Senior Technical Lead | WSO2 Inc.
>>> (m) +94 77 743 1987 | (w) +94 11 214 5345 | (e) [email protected]
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>
>> --
>> *Nuwan Dias* | Director | WSO2 Inc.
>> (m) +94 777 775 729 | (e) [email protected]

--
Dushan Abeyruwan
Director - Support
WSO2 Certified Solution Engineer
Technical Support, Mountain View, USA
PMC Member Apache Synapse
WSO2 Inc. http://wso2.com/
Blog: http://www.dushantech.com/
LinkedIn: https://www.linkedin.com/in/dushanabeyruwan
Mobile: (001)408-987-1348
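The gateway-side mechanism Nuwan describes in the quoted thread (validate the self-contained token locally with no Key Manager call per request, drop a token once a revocation notification arrives from the broker, and lean on short expiry to bound the window), as an added Python illustration that is not part of this thread or of the API Manager code base. It assumes HS256 with a constructed shared key so it runs stand-alone (a real gateway would verify the Key Manager's RS256 signature with its public certificate), stands in for the broker client with a direct method call, and keeps a revoked `jti` only until that token's own `exp`, which is this example's design choice rather than a statement about APIM's implementation.

```python
import base64, hashlib, hmac, json
# Constructed example: HS256 with a shared key keeps this stand-alone; a real
# gateway would check an RS256 signature with the Key Manager's public cert.
SHARED_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Key Manager side: mint a self-contained token carrying back-end claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class Gateway:
    """Gateway side: validates locally; the Key Manager is never called per request."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.revoked = {}  # jti -> exp, filled only by broker notifications

    def on_revocation_event(self, jti: str, exp: int) -> None:
        # Remember a revoked jti only until its own exp; the exp check covers it after that.
        self.revoked[jti] = exp

    def prune(self, now: int) -> int:
        stale = [j for j, e in self.revoked.items() if e <= now]
        for j in stale:
            del self.revoked[j]
        return len(stale)

    def validate(self, token: str, now: int):
        """Return (accepted, reason, claims); claims are None unless accepted."""
        try:
            header, body, sig = token.split(".")
        except ValueError:
            return False, "malformed", None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False, "unexpected alg", None  # refuse alg=none / key confusion
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature", None
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", 0) <= now:
            return False, "expired", None
        if claims.get("jti") in self.revoked:
            return False, "revoked", None
        return True, "ok", claims
```

The revoked set only ever grows by broker events and shrinks by `prune`, so its size is bounded by the number of revocations within one token lifetime, which is why the shorter expiry Nuwan mentions matters for the gateway as well as for the token.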
