+ I hope we only fetch tokens which aren't expired but revoked. On Fri, Oct 4, 2019 at 12:41 PM Harsha Kumara <[email protected]> wrote:
> Will revoke endpoint called with same token trigger a revocation event? > This is because sometimes JMS subscription can be dropped. In case when > it's back we can try revoke with same token so it will reach the gateway. > During implementation we can test this behavior. > > > > > On Fri, Oct 4, 2019 at 11:58 AM Bhathiya Jayasekara <[email protected]> > wrote: > >> Looks* good. >> >> On Fri, Oct 4, 2019 at 11:25 AM Fazlan Nazeem <[email protected]> wrote: >> >>> Hi all, >>> >>> We are working on supporting JWT revocation for synapse gateway. Please >>> note that the default token format for 3.0 synapse gateway is JWT. >>> >>> Please find the discussed design for this feature. >>> >>> [image: JWT.jpg] >>> >>> In summary, we will be storing the revoked token signatures against the >>> expiry timestamp(timestamp is needed for cleanup) in AM_DB and these >>> entries will be fetched to the gateway during the startup via a web app >>> deployed in KM. This is similar to how we fetch key templates and blocking >>> conditions during the startup via the throttle web app. >>> >>> When a token is being revoked after startup, an event will be put into a >>> JMS topic or multiple JMS topics depending on how the gateways are >>> subscribed to the topic(via JMS event publishers). When the JMS listener >>> fetches this event, it will clear the gateway cache entry related to the >>> token and also populate the in-memory revoke map. >>> >>> When a request is received to the gateway, it will be first validated >>> against the cache and only if it is not in the cache the signature will be >>> validated against the revoke map. We have decided not to validate against >>> the invalid cache for this flow because the revoke map will anyway have all >>> the invalid entries whereas the invalid cache will not always have all the >>> entries. >>> >>> Both the database table and revoke map has the expiry timestamp stored >>> in them to facilitate the cleanup process of expired revoked tokens. We are >>> planning to clean both the database table and the revoke map via a timer >>> task with a suitable interval to ensure they will not be growing >>> continuously. >>> >>> Please let me know your suggestions. >>> -- >>> Thanks & Regards, >>> >>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc >>> Mobile : +94772338839 | [email protected] >>> >>> >>> >> >> -- >> *Bhathiya Jayasekara* | Technical Lead | WSO2 Inc. >> (m) +94 71 547 8185 | (e) bhathiya-@t-wso2-d0t-com >> >> >> > > -- > > *Harsha Kumara* > > Technical Lead, WSO2 Inc. > Mobile: +94775505618 > Email: [email protected] > Blog: harshcreationz.blogspot.com > > GET INTEGRATION AGILE > Integration Agility for Digitally Driven Business > -- *Harsha Kumara* Technical Lead, WSO2 Inc. Mobile: +94775505618 Email: [email protected] Blog: harshcreationz.blogspot.com GET INTEGRATION AGILE Integration Agility for Digitally Driven Business
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
