On Mon, Aug 3, 2015 at 6:28 PM, Senaka Fernando <[email protected]> wrote:
> Hi Nuwan,
>
> So I think then there are a few things now.
>
> 1. First, the docs need to be clear on what is done @ IS - your context
> is far clearer than what the docs actually explain.
> 2. Also related to #1 above, the actual config needs some renaming I
> guess; it doesn't fall into place.
> 3. What if the KM is third party? Don't we have any JWT concept at
> all? If we say no, we'd be losing a massive portion of interoperability.
> And, if so, there needs to be a config @ GW as well that says enable JWT
> request and there needs to be an extension point with which we can generate
> a JWT @ the GW level if the KM was 3rd party.
>

Even if we use a third party KM the API Manager also plays a role in key
validation. The actual OAuth2 token is validated by the third party KM. API
Manager still validates the subscription, validates the token against the
auth-type of the Resource and generates the JWT. The part that plays this
role could either reside on the Gateway instance or as a separate API
Manager instance as well.

> So, I think the story has a few gaps as it stands now. WDYT?
>
> Thanks,
> Senaka.
>
> On Mon, Aug 3, 2015 at 1:49 PM, Nuwan Dias <[email protected]> wrote:
>
>> Hi Senaka,
>>
>> It's not just about enabling/disabling JWT. We also have options of
>> caching the JWT, specifying custom claims to be included in the JWT,
>> extending the JWT generator implementation to include custom attributes,
>> etc. All these are provided through the configuration on the KM since it's
>> the KM who actually would have access to user claims, application data,
>> etc. The Gateway just passes whatever information is generated by the KM as
>> the JWT to the back-end.
>>
>> Thanks,
>> NuwanD.
>>
>> On Mon, Aug 3, 2015 at 6:02 PM, Senaka Fernando <[email protected]> wrote:
>>
>>> Hi John,
>>>
>>> I think the IS sends back the JWT, but when you use IS as the key
>>> manager, shouldn't it be the API-M that requests the JWT from IS? And,
>>> regardless of that, the setting should be done at the API-M GW IMO, because
>>> that's what creates the JWT and passes it on to the ESB for instance. I think
>>> it has to happen that way, especially with external KMs used and all.
>>> Therefore, I think this setting should be done on the API-M GW side (if I
>>> understood correctly).
>>>
>>> AM team, what are your thoughts on this?
>>>
>>> Thanks,
>>> Senaka.
>>>
>>> On Mon, Aug 3, 2015 at 11:47 AM, John Hawkins <[email protected]> wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> I've just been following these instructions [1] to get the API-M
>>>> talking to the Identity Server. I am confused as to why I have set JWT on
>>>> in the Identity Server's api-manager.xml [2] and not just in the API-M?
>>>> Isn't it the API-M sending the JWT out rather than the IS? Can someone explain
>>>> to me what's going on under the hood please?
>>>>
>>>> [1]
>>>> https://docs.wso2.com/display/CLUSTER420/Configuring+the+Pre-Packaged+Identity+Server+5.0.0+with+API+Manager+1.9.0
>>>>
>>>> [2] Bullet 7: JWT configuration must be done in the
>>>> <IS_HOME>/repository/conf/api-manager.xml file in the Identity Server.
>>>>
>>>> Many thanks,
>>>> John.
>>>>
>>>> John Hawkins
>>>> Director: Solutions Architecture
>>>>
>>>
>>> --
>>> Senaka Fernando
>>> Solutions Architect; WSO2 Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://apache.org
>>> E-mail: senaka AT wso2.com
>>> P: +1 408 754 7388; ext: 51736
>>> M: +44 782 741 1966
>>> Linked-In: http://linkedin.com/in/senakafernando
>>> Lean . Enterprise . Middleware
>>
>> --
>> Nuwan Dias
>>
>> Technical Lead - WSO2, Inc.
>> http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>

--
Nuwan Dias
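The flow described in this thread (the Key Manager validates the subscription and the resource auth-type and mints a JWT carrying user, application and custom claims; the Gateway may cache it and forwards it; the back-end consumes it) as an added Python example. It is not code from the thread or from WSO2 API Manager / Identity Server: the claim names, the HMAC signature with a shared secret, the issuer string, the cache layout and the sample values are all constructed assumptions (a real Key Manager signs with a private key from its keystore and uses its own claim keys), and the claim-override rule and the verification order are suggestions for a hardened design rather than a description of the product.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only: a real Key Manager signs the JWT with
# a private key from its keystore, and uses its own issuer string. HMAC keeps the
# example self-contained while showing the same verification discipline.
SECRET = b"constructed-example-secret"
ISSUER = "example-key-manager"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_jwt(end_user, application, subscriber, api_context, api_version,
                 custom_claims=None, ttl=900, now=None):
    """Key Manager side: once the OAuth2 token, subscription and resource auth-type
    have been validated, mint the JWT the Gateway forwards. Claim names are
    constructed to mirror the data the thread mentions, not WSO2's exact keys."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "iat": now, "exp": now + ttl, "enduser": end_user,
              "applicationname": application, "subscriber": subscriber,
              "apicontext": api_context, "version": api_version}
    # Custom claims come from an extended generator: they may add attributes but
    # must never override the standard or security-relevant claims above.
    for name, value in (custom_claims or {}).items():
        claims.setdefault(name, value)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token, now=None):
    """Back-end side: trust claims only after algorithm, signature, issuer and
    expiry checks pass. Returns the claims dict, or None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    enc_header, enc_claims, enc_sig = parts
    try:
        header = json.loads(b64url_decode(enc_header))
        claims = json.loads(b64url_decode(enc_claims))
        provided_sig = b64url_decode(enc_sig)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: a header claiming "none" or any other alg is rejected
    # before the signature is even compared.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(SECRET, f"{enc_header}.{enc_claims}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    if claims.get("iss") != ISSUER:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


class JwtCache:
    """Gateway-side cache of generated JWTs (the 'caching the JWT' option). The key
    is a hash of the access token plus the resource, so the raw OAuth2 token is
    never stored, and an entry is dropped no later than the JWT's own expiry."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _key(access_token, api_context, api_version):
        return (hashlib.sha256(access_token.encode("utf-8")).hexdigest(),
                api_context, api_version)

    def put(self, access_token, api_context, api_version, jwt):
        exp = json.loads(b64url_decode(jwt.split(".")[1]))["exp"]
        self._entries[self._key(access_token, api_context, api_version)] = (jwt, exp)

    def get(self, access_token, api_context, api_version, now=None):
        now = int(time.time()) if now is None else now
        key = self._key(access_token, api_context, api_version)
        entry = self._entries.get(key)
        if entry is None:
            return None
        jwt, exp = entry
        if exp <= now:
            del self._entries[key]
            return None
        return jwt
```

The three pieces map onto the roles the thread discusses: `generate_jwt` is what the KM (or the API Manager component that sits beside a third-party KM) does after its own validation, and lets an extended generator add custom attributes without letting them replace `iss`, `exp` or the subscription claims; `verify_jwt` is the back-end discipline of pinning the algorithm, checking the signature in constant time and only then reading issuer and expiry; `JwtCache` shows why the Gateway can cache the KM's output safely as long as the cache entry never outlives the token and the raw OAuth2 access token is not kept in the cache key.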
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
