Hi Sharma,
You could now get the latest API Manager (v3.0.0) from here[1] which has
this feature.
[1] https://wso2.com/api-management/

Regards,
Chamila.

On Mon, Sep 23, 2019 at 2:28 PM Ashish Sharma <[email protected]>
wrote:

> Hi Nuwan
>
> Could you please advise when the first release (PROD ready) of the API
> Manager with support for JWTs is foreseen?
>
> Kind regards,
>
> Ashish Sharma
>
>
> ------------------------------
> *From:* Architecture <[email protected]> on behalf of Nuwan
> Dias <[email protected]>
> *Sent:* Tuesday, August 20, 2019 10:52 AM
> *To:* architecture <[email protected]>
> *Subject:* [Architecture] Making self-contained access tokens the default
> in APIM 3.0
>
> Hi,
>
> With the introduction of the Microgateway, self-contained access tokens
> have been supported in the API Manager since version 2.5. Self-contained access
> tokens however were only supported in the Microgateway so far. The regular
> gateway was unable to process and validate a self-contained access token.
> With API Manager 3.0 we are bringing this support to the regular gateway as
> well. With this we hope to make self-contained tokens the default token
> type of applications. Opaque tokens will still be supported as before.
> There are several benefits of using self-contained access tokens. These are,
>
> 1) The gateway no longer connects to the Key Manager when processing API
> requests. This makes the deployment simpler and reduces configuration
> points a bit.
> 2) We no longer have to scale the Key Manager when we need the Gateway to
> be scaled. This brings a significant reduction to the cost of using the
> product in larger deployments.
> 3) The gateway becomes regionally resilient. A token issued from one
> region can be validated by a gateway in another region even if the data is
> not synced.
> 4) Back-end JWTs will be included as part of the access token itself
> (self-contained). This eliminates the need to create back-end JWTs while
> the API request is being processed, which in turn makes API calls much
> faster.
>
> One pending item that's left to handle is the revocation of
> self-contained access tokens. Since the gateway does not connect to the Key
> Manager for validating self-contained tokens, the gateway will not know
> when a particular token has been revoked. Using shorter expiry times for
> access tokens addresses this solution to a certain extent. We hope to
> implement the same solution we implemented for the Microgateway to address
> this. The Key Manager will be notifying the gateway cluster through a
> broker when a token has been revoked. And the gateway will no longer be
> treating the particular token as valid upon receiving the notification.
>
> Appreciate your thoughts and suggestions on this.
>
> Thanks,
> NuwanD.
> --
> *Nuwan Dias* | Director | WSO2 Inc.
> (m) +94 777 775 729 | (e) [email protected]
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>


-- 
Regards,
Chamila Adhikarinayake
Associate Technical Lead
WSO2, Inc.
Mobile - +94712346437
Email  - [email protected]
Blog  -  http://helpfromadhi.blogspot.com/
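
The gateway-side check discussed in the quoted proposal (local validation of a self-contained token plus a revocation list fed by broker notifications), as an added example that is not part of the thread and not WSO2's code. Assumptions: HS256 with a shared key stands in for whatever signature scheme the product uses, the `jti` claim identifies a token, and `on_revocation` is a hypothetical hook invoked when a notification arrives from the broker.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed value; assumed shared HS256 key

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body):
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(jti, ttl, now):
    """Key Manager side: mint a signed self-contained token (constructed sample)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"jti": jti, "exp": now + ttl}).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

class Gateway:
    def __init__(self):
        self.revoked = {}  # jti -> exp of the revoked token

    def on_revocation(self, jti, exp):
        """Hypothetical handler for a revocation notification from the broker."""
        self.revoked[jti] = exp

    def validate(self, token, now):
        """Validate without calling the Key Manager; returns a status string."""
        try:
            head, body, sig = token.split(".")
            if not hmac.compare_digest(sign(head, body), b64d(sig)):
                return "bad_signature"
            # Pin the algorithm instead of trusting whatever the header says.
            if json.loads(b64d(head)).get("alg") != "HS256":
                return "bad_alg"
            claims = json.loads(b64d(body))
            exp, jti = claims["exp"], claims["jti"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        # An expired token is rejected anyway, so its revocation entry can go.
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}
        if exp <= now:
            return "expired"
        return "revoked" if jti in self.revoked else "ok"
```

Between revocation at the Key Manager and delivery of the notification, the token still validates, which is why the short expiry time mentioned in the proposal remains the backstop.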