Hi all,

I have several concerns regarding the current approach. I would highly
appreciate your suggestions. @Rajith Roshan <raji...@wso2.com>, please add
anything I have missed.

1. How to differentiate the API Key from a JWT token.
An API Key issued by the Microgateway has the additional claim "apiKey": true.
This claim will be used to recognize an API Key when one is given as bearer
authorization.
However, an API Key and a JWT token issued by API Manager cannot be
differentiated in the Microgateway.

2. Add an adequate level of security to the API Key issued by the Microgateway.
We validate the user given in the subject claim of the API Key. The
invocation request will be authorized only if the subject user is
configured in the gateway that received the API invocation request.

3. Add a list of APIs to the API Key to indicate which APIs can be accessed
with the issued API Key.
This is not addressed by the current implementation. Beforehand, there are a
couple of concerns we need to address for cases such as load-balanced
microgateways.

4. Issues with the API Key under load balancing.
When an API Key is requested with basic auth, some gateway that can
authorize the request will answer the call and issue an API Key. We do not
control which gateway will answer this request. This is a blocker for
achieving the 3rd option.
Also, we do not control which gateway will handle the API invocation
request. The gateway that answers the API invocation call can authorize
the request only after validating the user against its own user
configurations. Hence, ideally, the user configurations should be identical
across gateways.

Kindly let me know your thoughts. Thank you.

On Mon, Dec 9, 2019 at 5:06 PM Amali Matharaarachchi <ama...@wso2.com>
wrote:

> Hi,
> If someone uses this API Key in the Authorization bearer header, it will
> work just like any other JWT token. To avoid this, we need to differentiate
> the API Key from other JWTs. Even if we provide a separate header for the
> API Key, the above issue will not be solved.
>
> On Mon, Dec 9, 2019 at 4:59 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>
>> OK, this should be because we are using a different header than the
>> authentication header for the API Key in the Synapse gateway. I assume what
>> we are trying here is to use both types of tokens in the authentication
>> header?
>>
>> On Mon, Dec 9, 2019 at 4:41 PM Praminda Jayawardana <prami...@wso2.com>
>> wrote:
>>
>>> It didn't look like the Synapse gateway differentiated between these
>>> two cases. +Rajith Roshan <raji...@wso2.com> tested it. The API Key didn't
>>> work in the Auth header simply because there was a missing attribute in the
>>> JWT. It doesn't result in an "Invalid JWT token" or similar error as expected.
>>>
>>> On Mon, Dec 9, 2019 at 4:34 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>
>>>> We should already be identifying both separately in the Synapse
>>>> gateway. Have you checked how it has been done there? Stick to the same
>>>> approach if possible, for consistency.
>>>>
>>>> On Mon, Dec 9, 2019 at 3:56 PM Amali Matharaarachchi <ama...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We need to differentiate the API Key from a normal JWT token. The API
>>>>> Key is a simple JWT, but when an API Key is provided we need to
>>>>> authenticate the user as well.
>>>>> For this purpose, we added the additional claim "apiKey" to the
>>>>> issued JWT. If it is present in the token, it will be recognized as an
>>>>> API Key.
>>>>> I would highly appreciate any suggestions regarding this.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Fri, Dec 6, 2019 at 3:54 PM Amali Matharaarachchi <ama...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Harsha,
>>>>>>
>>>>>> Will the token endpoint be the default one, and will there be an option
>>>>>>> to point to the key manager in a standard deployment?
>>>>>>
>>>>>>
>>>>>> Configurations similar to the following are added to the micro-gw.conf
>>>>>> file to enable the self JWT issuer and to provide related configurations
>>>>>> [1].
>>>>>>
>>>>>> [jwtTokenConfig]
>>>>>> issuer="https://localhost:9443/oauth2/token"
>>>>>> audience="http://org.wso2.apimgt/gateway"
>>>>>> certificateAlias="wso2apim"
>>>>>> validateSubscription=false
>>>>>>
>>>>>> [jwtTokenConfig.jwtIssuer]
>>>>>> enabled=false
>>>>>> validityPeriod=600
>>>>>> keyStoreAlias="ballerina"
>>>>>>
>>>>>>
>>>>>>
>>>>>>> What's the endpoint that we are going to provide, and how would the
>>>>>>> request look to get a key?
>>>>>>
>>>>>>
>>>>>> The token endpoint would issue the self JWT token when the JWT issuer is
>>>>>> enabled in the config [2].
>>>>>>
>>>>>> curl -X GET "https://localhost:9096/token" -H "Authorization: Basic Z2VuZXJhbFVzZXIxOnBhc3N3b3Jk" -k
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/wso2/product-microgateway/issues/897#issuecomment-561996404
>>>>>> [2]
>>>>>> https://github.com/wso2/product-microgateway/issues/897#issuecomment-562422055
>>>>>>
>>>>>> On Fri, Dec 6, 2019 at 3:03 PM Amali Matharaarachchi <ama...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> There is a Slack discussion [1] in the #microgateway channel as well.
>>>>>>>
>>>>>>> [1] https://wso2-apim.slack.com/archives/CLY1W0NSK/p1575007973020900
>>>>>>>
>>>>>>> On Fri, Dec 6, 2019 at 2:48 PM Harsha Kumara <hars...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Please discuss this in public groups.
>>>>>>>>
>>>>>>>> What's the endpoint that we are going to provide, and how would the
>>>>>>>> request look to get a key?
>>>>>>>>
>>>>>>>> Will the token endpoint be the default one, and will there be an
>>>>>>>> option to point to the key manager in a standard deployment?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Dec 6, 2019 at 2:31 PM Amali Matharaarachchi <
>>>>>>>> ama...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> We are planning to add a feature for issuing simple JWTs which are
>>>>>>>>> to be used in the Microgateway. Please refer to GitHub issue [1] for
>>>>>>>>> more information.
>>>>>>>>>
>>>>>>>>> This feature addresses the user story "As a developer, I would
>>>>>>>>> like to invoke my micro gateway API easily without configuring a key
>>>>>>>>> manager". A self-contained JWT token should be issued as the API key
>>>>>>>>> by the Microgateway server without communicating with an external Key
>>>>>>>>> Manager. This API key would later be used to authenticate the user
>>>>>>>>> when invoking an API.
>>>>>>>>>
>>>>>>>>> A token endpoint secured with basic authentication would be
>>>>>>>>> provided to issue the API Key. When an API is invoked with this API
>>>>>>>>> Key, the API Key's sub claim could be used to authenticate the user
>>>>>>>>> and validate that the user has the privilege.
>>>>>>>>>
>>>>>>>>> JWT token format would be similar to:
>>>>>>>>> header
>>>>>>>>> {
>>>>>>>>>   "alg": "RS256",
>>>>>>>>>   "typ": "jwt",
>>>>>>>>>   "kid": "ballerina"
>>>>>>>>> }
>>>>>>>>> payload
>>>>>>>>> {
>>>>>>>>>   "sub": "generalUser1",
>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>   "exp": 1575620540,
>>>>>>>>>   "iat": 1575619940,
>>>>>>>>>   "jti": "bb38e533-e127-4991-95a2-7a383e634eba",
>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>   "apiKey": true
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> We highly appreciate your suggestions. Thank you.
>>>>>>>>>
>>>>>>>>> [1] https://github.com/wso2/product-microgateway/issues/897
>>>>>>>>> --
>>>>>>>>> Amali Lakshika
>>>>>>>>> Software Engineer, WSO2 Inc.: https://wso2.com
>>>>>>>>> lean.enterprise.middle-ware
>>>>>>>>> mobile: +94 71 932 1861
>>>>>>>>> skype: amali.94d
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Harsha Kumara
>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>> Mobile: +94775505618
>>>>>>>> Email: hars...@wso2.com
>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>> GET INTEGRATION AGILE
>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Fazlan Nazeem | Associate Technical Lead | WSO2 Inc
>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>
>>> --
>>> Praminda Jayawardana | Associate Technical Lead | WSO2 Inc.
>>> (m) +94 (0) 716 590918 | (e) prami...@wso2.com
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>>
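The following is an added example, not code from the thread or from the Microgateway project, written to show the issue-and-validate flow the thread describes and the two concerns raised in the top message: telling an API Key apart from a plain JWT by the "apiKey" claim, and the per-node user configuration problem under load balancing. It is Go rather than the Microgateway's own implementation language so that it runs stand-alone. The Gateway and Claims types, the in-memory RSA key pair standing in for the "ballerina" keystore alias, the sample users and the two-node layout are all assumptions; the iss, aud, alg and kid values are taken from the sample token above, and jti is left out. The token endpoint basic-auths against the node-local user store and mints an RS256 JWT with "apiKey": true; the validator checks signature, iss, aud and exp for every JWT and applies the subject check only when the apiKey claim is present. main() reproduces point 4: a key issued by gw-a is rejected by gw-b because gw-b's user configuration does not contain the subject, even though both nodes share the signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Values from the thread's sample token; an in-memory RSA key pair stands in for the "ballerina" keystore alias.
const (
	issuer   = "https://localhost:9443/oauth2/token"
	audience = "http://org.wso2.apimgt/gateway"
)

// Claims mirrors the sample API Key payload (jti left out). APIKey is omitted from a regular JWT, which is what tells the two apart.
type Claims struct {
	Sub    string `json:"sub"`
	Iss    string `json:"iss"`
	Exp    int64  `json:"exp"`
	Iat    int64  `json:"iat"`
	Aud    string `json:"aud"`
	APIKey bool   `json:"apiKey,omitempty"`
}

// Gateway models one microgateway node: its signing key plus its own user configuration (assumed shape).
type Gateway struct {
	Name  string
	Key   *rsa.PrivateKey
	Users map[string]string // username -> password; constructed sample data only
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// Sign produces a compact RS256 JWT (RSASSA-PKCS1-v1_5 over SHA-256) for the given claims.
func (g *Gateway) Sign(c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "ballerina"})
	body, _ := json.Marshal(c) // plain struct, cannot fail
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, g.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// IssueAPIKey is the token endpoint: basic-auth the caller against this node's user store, then mint a short-lived JWT carrying apiKey=true.
func (g *Gateway) IssueAPIKey(user, password string, now time.Time, validity time.Duration) (string, error) {
	stored, ok := g.Users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return "", errors.New("basic authentication failed")
	}
	return g.Sign(Claims{Sub: user, Iss: issuer, Iat: now.Unix(), Exp: now.Add(validity).Unix(), Aud: audience, APIKey: true})
}

// Authorize validates a bearer token presented to this node under public key pub. Signature, iss, aud and
// exp are checked for every JWT; the subject check runs only when the apiKey claim marks the token as an API Key.
func (g *Gateway) Authorize(token string, pub *rsa.PublicKey, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := dec(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("header must declare alg RS256") // never honour alg=none or an HMAC alg here
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := dec(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := dec(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	if c.Iss != issuer || c.Aud != audience || now.Unix() >= c.Exp {
		return Claims{}, errors.New("iss, aud or exp check failed")
	}
	if _, known := g.Users[c.Sub]; c.APIKey && !known { // API Key path: subject must exist on *this* node
		return Claims{}, fmt.Errorf("api key subject %q is not configured on %s", c.Sub, g.Name)
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	gwA := &Gateway{Name: "gw-a", Key: key, Users: map[string]string{"generalUser1": "password"}}
	gwB := &Gateway{Name: "gw-b", Key: key, Users: map[string]string{"otherUser": "secret"}} // same keystore, different users
	tok, _ := gwA.IssueAPIKey("generalUser1", "password", time.Now(), 10*time.Minute)
	_, errA := gwA.Authorize(tok, &key.PublicKey, time.Now())
	_, errB := gwB.Authorize(tok, &key.PublicKey, time.Now())
	fmt.Println("gw-a accepts:", errA == nil, "| gw-b accepts:", errB == nil) // true | false
}
```

Two design points worth noting against the thread. First, the apiKey claim only carries meaning because the signature is verified before it is read and the alg header is pinned to RS256; a plain JWT with the same subject passes gw-b without the subject check, which is the behaviour point 1 describes, and a token whose payload is rewritten to add "apiKey": true fails at the signature step. Second, the subject check is node-local by construction, so either every load-balanced node must carry the same user configuration or the check has to be moved to something the nodes share; the code makes that trade-off visible rather than hiding it.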
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
