> API Key will come in apiKey header or query parameters. Hence I don't see
> a problem of differentiating them.

If someone tries to use the API Key as a bearer token, we need to identify
this as a misusage.

On Fri, Dec 13, 2019 at 10:13 PM Harsha Kumara <hars...@wso2.com> wrote:
>
> On Fri, Dec 13, 2019 at 11:34 AM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>
>> Hi all,
>>
>> I have several concerns regarding the current approach. I highly
>> appreciate your suggestions. @Rajith Roshan <raji...@wso2.com> Please
>> add if I have missed out anything.
>>
>> 1. How to differentiate the API Key and JWT token.
>> API Key issued from the Microgateway has additional claim "apikey: true".
>> This claim will be used to recognize if it is an API Key when an API Key is
>> given as bearer authorization.
>> However, an API Key and a JWT token released from API Manager cannot be
>> differentiated in Microgateway.
>
> API Key will come in apiKey header or query parameters. Hence I don't see
> a problem of differentiating them.
>
>> 2. Add an adequate level of security to API Key issued from Microgateway.
>> We validate the user given in the subject claim of the API Key. The
>> invocation request will be authorized only if the subjected user is
>> configured in the gateway which received the API invocation request.
>
> Since configuring users isn't a scalable solution, did we look for any
> alternatives?
>
>> 3. Add a list of APIs to the API Key to indicate which APIs can be
>> accessed from the issued API Key.
>> This is not addressed by the current implementation. Beforehand there are
>> a couple of concerns we need to address for cases such as load-balanced
>> micro gateways.
>>
>> 4. Issues on API Key with Load balancing.
>> When an API Key is requested with basic auth, some gateway which can
>> authorize the request would answer the call and issue an API Key. We do not
>> control which gateway will answer this request. This is a blocker to
>> achieve the 3rd option.
>> Also, we do not control which gateway will handle the API invocation
>> request. The gateway which answers the API invocation call can authorize
>> the request only after validating the user with its own user
>> configurations. Hence ideally, the user configurations should be identical
>> in gateways.
>>
>> Kindly let me know your thoughts. Thank you.
>>
>> On Mon, Dec 9, 2019 at 5:06 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>
>>> Hi,
>>> If someone used this API Key in the authorization bearer header, it will
>>> work just like another JWT token. To avoid this, we need to differentiate
>>> API Key and other JWTs. Even if we provide a separate header for the API
>>> Key, the above issue will not be solved.
>>>
>>> On Mon, Dec 9, 2019 at 4:59 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>>
>>>> Ok, this should be because we are using a different header than the
>>>> authentication header for API Key in synapse gateway. I assume what we are
>>>> trying here is to use both types of tokens in the authentication header?
>>>>
>>>> On Mon, Dec 9, 2019 at 4:41 PM Praminda Jayawardana <prami...@wso2.com> wrote:
>>>>>
>>>>> It didn't look like synapse gateway did a differentiation between
>>>>> these two cases. +Rajith Roshan <raji...@wso2.com> tested it. API
>>>>> Key didn't work in Auth header simply because there was a missing attribute
>>>>> in the JWT. It doesn't result in "Invalid JWT token" or similar error as
>>>>> expected.
>>>>>
>>>>> On Mon, Dec 9, 2019 at 4:34 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>>>>
>>>>>> We should be identifying both separately already in the synapse
>>>>>> gateway. Have you checked how it has been done and stuck to the same if
>>>>>> possible for consistency?
>>>>>>
>>>>>> On Mon, Dec 9, 2019 at 3:56 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> We need to differentiate the API Key from a normal JWT token. The
>>>>>>> API Key is a simple JWT but when an API Key is provided we need to
>>>>>>> authenticate the user as well.
>>>>>>> For this purpose, we added the additional claim "apiKey" to the
>>>>>>> issuing JWT. If it is present in the token, it will be recognized as an
>>>>>>> API Key.
>>>>>>> I highly appreciate it if you have any suggestions regarding this.
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> On Fri, Dec 6, 2019 at 3:54 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>>
>>>>>>>> Hi Harsha,
>>>>>>>>
>>>>>>>>> Will the token endpoint be the default one and provide an option to
>>>>>>>>> point to the key manager in a standard deployment?
>>>>>>>>
>>>>>>>> Configurations similar to the following are added to the micro-gw.conf
>>>>>>>> file to enable the self JWT issuer and to provide related configurations
>>>>>>>> [1].
>>>>>>>>
>>>>>>>> [jwtTokenConfig]
>>>>>>>> issuer="https://localhost:9443/oauth2/token"
>>>>>>>> audience="http://org.wso2.apimgt/gateway"
>>>>>>>> certificateAlias="wso2apim"
>>>>>>>> validateSubscription=false
>>>>>>>> [jwtTokenConfig.jwtIssuer]
>>>>>>>> enabled=false
>>>>>>>> validityPeriod=600
>>>>>>>> keyStoreAlias="ballerina"
>>>>>>>>
>>>>>>>>> What's the endpoint that we are going to provide and how would the
>>>>>>>>> request look to get a key?
>>>>>>>>
>>>>>>>> The token endpoint would issue the self JWT token when the JWT issuer
>>>>>>>> is enabled in the config [2].
>>>>>>>>
>>>>>>>> curl -X GET "https://localhost:9096/token" -H "Authorization:Basic Z2VuZXJhbFVzZXIxOnBhc3N3b3Jk" -k
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2/product-microgateway/issues/897#issuecomment-561996404
>>>>>>>> [2] https://github.com/wso2/product-microgateway/issues/897#issuecomment-562422055
>>>>>>>>
>>>>>>>> On Fri, Dec 6, 2019 at 3:03 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>> There is a Slack Discussion [1] in the #microgateway channel as well.
>>>>>>>>>
>>>>>>>>> [1] https://wso2-apim.slack.com/archives/CLY1W0NSK/p1575007973020900
>>>>>>>>>
>>>>>>>>> On Fri, Dec 6, 2019 at 2:48 PM Harsha Kumara <hars...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Please discuss this in public groups.
>>>>>>>>>>
>>>>>>>>>> What's the endpoint that we are going to provide and how would the
>>>>>>>>>> request look to get a key?
>>>>>>>>>>
>>>>>>>>>> Will the token endpoint be the default one and provide an option to
>>>>>>>>>> point to the key manager in a standard deployment?
>>>>>>>>>>
>>>>>>>>>> On Fri, Dec 6, 2019 at 2:31 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> We are planning to add a feature for issuing simple JWTs which
>>>>>>>>>>> are to be used in Microgateway. Please refer to GitHub issue [1] for
>>>>>>>>>>> more information.
>>>>>>>>>>>
>>>>>>>>>>> This feature addresses the user story "As a developer, I would
>>>>>>>>>>> like to invoke my micro gateway API easily without configuring a key
>>>>>>>>>>> manager". A self-contained JWT token should be issued as the API key
>>>>>>>>>>> by the Microgateway server without communicating with an external Key
>>>>>>>>>>> Manager. This API key would later be used to authenticate the user
>>>>>>>>>>> when invoking an API.
>>>>>>>>>>>
>>>>>>>>>>> A token endpoint secured with basic authentication would be
>>>>>>>>>>> provided to issue the API Key. When invoked with this API Key, the
>>>>>>>>>>> API key's sub claim could be used to authenticate the user and
>>>>>>>>>>> validate that the user has the privilege.
>>>>>>>>>>>
>>>>>>>>>>> JWT token format would be similar to:
>>>>>>>>>>> header
>>>>>>>>>>> {
>>>>>>>>>>>   "alg": "RS256",
>>>>>>>>>>>   "typ": "jwt",
>>>>>>>>>>>   "kid": "ballerina"
>>>>>>>>>>> }
>>>>>>>>>>> payload
>>>>>>>>>>> {
>>>>>>>>>>>   "sub": "generalUser1",
>>>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>>>   "exp": 1575620540,
>>>>>>>>>>>   "iat": 1575619940,
>>>>>>>>>>>   "jti": "bb38e533-e127-4991-95a2-7a383e634eba",
>>>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>>>   "apiKey": true
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> We highly appreciate your suggestions. Thank you.
>>>>>>>>>>>
>>>>>>>>>>> [1] https://github.com/wso2/product-microgateway/issues/897
>>>>>>>>>>> --
>>>>>>>>>>> Amali Lakshika
>>>>>>>>>>> Software Engineer, WSO2 Inc.: https://wso2.com
>>>>>>>>>>> lean.enterprise.middle-ware
>>>>>>>>>>> mobile: +94 71 932 1861
>>>>>>>>>>> skype: amali.94d
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Harsha Kumara
>>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>> Email: hars...@wso2.coim
>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>
>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>>
>>>>>> Fazlan Nazeem | Associate Technical Lead | WSO2 Inc
>>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>>
>>>>> --
>>>>> Praminda Jayawardana | Associate Technical Lead | WSO2 Inc.
>>>>> (m) +94 (0) 716 590918 | (e) prami...@wso2.com
>>>>> GET INTEGRATION AGILE
>>>>> Integration Agility for Digitally Driven Business
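The checks argued over in this thread (recognising an API Key by its "apiKey": true claim, refusing it when it arrives as a bearer token, refusing a plain JWT in the apiKey header or query parameter, and authenticating the API Key's sub claim against the users configured on the gateway) can be laid out as one decision function. The code below is an added illustration written for this thread; it is not the Microgateway's Ballerina code. It assumes HS256 with a constructed shared secret in place of the gateway's RS256 signing under the "ballerina" keystore alias so that it runs with the Python standard library alone, and the CONFIGURED_USERS set and the source names "bearer", "apikey-header" and "apikey-query" are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Expected issuer and audience, taken from the token format in the thread.
EXPECTED_ISS = "https://localhost:9443/oauth2/token"
EXPECTED_AUD = "http://org.wso2.apimgt/gateway"

# Constructed: the users configured on this gateway instance.
CONFIGURED_USERS = {"generalUser1"}

# Constructed demo secret. The gateway signs with RS256 under the "ballerina"
# alias; HS256 is used here only so the example verifies with hmac/hashlib.
DEMO_SECRET = b"demo-only-shared-secret"
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWT (header.payload.signature) for the demo."""
    header = {"alg": EXPECTED_ALG, "typ": "jwt", "kid": "ballerina"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def parse_and_verify(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims if the signature verifies, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def authorize(token: str, source: str, now: float = None,
              users: set = CONFIGURED_USERS) -> tuple:
    """Classify a presented token and decide whether the request may proceed.

    source is where the token arrived: "bearer" (Authorization: Bearer ...),
    "apikey-header" (apiKey header) or "apikey-query" (apiKey query parameter).
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    try:
        claims = parse_and_verify(token)
    except ValueError as exc:
        return (False, f"invalid token: {exc}")
    if claims.get("iss") != EXPECTED_ISS:
        return (False, "issuer mismatch")
    if claims.get("aud") != EXPECTED_AUD:
        return (False, "audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return (False, "token expired")

    # The thread's marker: an API Key is a JWT carrying "apiKey": true.
    is_api_key = claims.get("apiKey") is True
    if is_api_key and source == "bearer":
        # The misuse case raised in the thread: API Key passed as a bearer token.
        return (False, "API Key presented as bearer token")
    if not is_api_key and source != "bearer":
        return (False, "non-API-Key JWT presented in apiKey header/query")
    if is_api_key:
        # API Keys additionally authenticate the user named in "sub" against
        # this gateway's own configured users.
        if claims.get("sub") not in users:
            return (False, "subject not configured on this gateway")
        return (True, "api-key")
    return (True, "jwt")


if __name__ == "__main__":
    api_key = mint_token({"sub": "generalUser1", "iss": EXPECTED_ISS,
                          "exp": 1575620540, "iat": 1575619940,
                          "aud": EXPECTED_AUD, "apiKey": True})
    print(authorize(api_key, "apikey-header", now=1575620000))
    print(authorize(api_key, "bearer", now=1575620000))
```

The decision is keyed on two independent inputs, the claim and the transport location, so a token that is valid in itself is still rejected when it arrives through the wrong channel; the per-gateway user check on sub is exactly the step that the load-balancing concern in the thread makes hard to keep consistent across instances.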
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture