Hi Nuwan,

So I think then there are a few things now.

1. First the docs need to be clear on what is done @ IS - your context is far clearer than what the docs actually explain.
2. Also related to #1 above, the actual config needs some renaming I guess, it doesn't fall into place.
3. What if the KM is third party? Don't we have any JWT concept at all? If we say no, we'd be losing a massive portion of interoperability. And, if so, there needs to be a config @ GW as well that says enable JWT request and there needs to be an extension point for which we can generate a JWT @ the GW level if the KM was 3rd party.

So, I think the story has a few gaps as it stands now. WDYT?

Thanks,
Senaka.

On Mon, Aug 3, 2015 at 1:49 PM, Nuwan Dias <[email protected]> wrote:

> Hi Senaka,
>
> It's not just about enabling/disabling JWT. We also have options of caching the JWT, specifying custom claims to be included in the JWT, extending the JWT generator implementation to include custom attributes, etc. All these are provided through the configuration on the KM since it's the KM who actually would have access to user claims, application data, etc. The Gateway just passes whatever information generated by the KM as the JWT to the back-end.
>
> Thanks,
> NuwanD.
>
> On Mon, Aug 3, 2015 at 6:02 PM, Senaka Fernando <[email protected]> wrote:
>
>> Hi John,
>>
>> I think the IS sends back the JWT, but when you use IS as the key manager, shouldn't it be the API-M that requests for the JWT from IS? And, regardless of that the setting should be done at the API-M GW IMO, because that's what creates the JWT and passes on to the ESB for instance. I think it has to happen that way, especially with external KMs used and all. Therefore, I think this setting should be done on the API-M GW-side (if I understood correctly).
>>
>> AM team, what are your thoughts on this?
>>
>> Thanks,
>> Senaka.
>>
>> On Mon, Aug 3, 2015 at 11:47 AM, John Hawkins <[email protected]> wrote:
>>
>>> Hi Folks,
>>>
>>> I've just been following these instructions [1] to get the API-M talking to the Identity server. I am confused as to why I have set JWT on in the Identity servers api-manager.xml [2] and not just in the API-M? Isn't it the API-M sending JWT out rather than the IS ? Can someone explain to me what's going on under-the-hood please?
>>>
>>> [1] https://docs.wso2.com/display/CLUSTER420/Configuring+the+Pre-Packaged+Identity+Server+5.0.0+with+API+Manager+1.9.0
>>>
>>> [2] Bullet 7: JWT configuration must be done in the <IS_HOME>/repository/conf/api-manager.xml file in the Identity Server.
>>>
>>> many thanks,
>>> John.
>>>
>>> John Hawkins
>>> Director: Solutions Architecture
>>
>> --
>> Senaka Fernando
>> Solutions Architect; WSO2 Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://apache.org
>> E-mail: senaka AT wso2.com
>> P: +1 408 754 7388; ext: 51736
>> M: +44 782 741 1966
>> Linked-In: http://linkedin.com/in/senakafernando
>> Lean . Enterprise . Middleware
>
> --
> Nuwan Dias
>
> Technical Lead - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
Senaka Fernando
Solutions Architect; WSO2 Inc.; http://wso2.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
