On Wed, Jul 19, 2017 at 1:52 AM, Vazquez-Hidalgo, Javier <[email protected]> wrote:

> Hi Harsha,
>
> Thanks for the quick response and yes, I would like to generate the JWT token only if some header is present.
>
> Let me give you more context on what I'm trying to accomplish:
>
> Setup:
>
> 1) APIM 2.1 + Identity Server 5.3 acting as the Key Manager.
> 2) OpenID Connect is used for authentication.
> 3) User roles and permissions are retrieved from an internal service, not from Identity Server. So, when a token (scope=openid) is requested, the id_token is generated with our internal roles and permissions + other attributes.
>
> The problem:
>
> 1) Some of the services behind the Gateway have endpoints protected by our internal roles or permissions, so we send the signed id_token as an HTTP header and the service validates the token, builds a profile from the token and authorizes the user.
> 2) Another use case is when we want to hit the endpoint from the APIM Store (Swagger UI). The swagger definition has the id_token HTTP header mandatory, but I would like to make it optional and have APIM generate the id_token only if the header is not present (my initial question).
>
> What are your thoughts on this, can we approach this problem in a better way?

In the current model, JWT token generation happens at the KM node, and there is no way to control it there. So you will need to write a custom sequence [1] to handle this case. In the custom sequence you can simply check whether the id_token header is present in the request and, if it is present, drop the JWT header through the custom sequence. If the id_token isn't present, you can let the request flow along the default path.

[1] https://docs.wso2.com/display/AM200/Adding+Mediation+Extensions

> Thanks,
> Javier
>
> *From:* Harsha Kumara [mailto:[email protected]]
> *Sent:* Tuesday, July 18, 2017 7:20 PM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* [email protected]
> *Subject:* Re: [Dev] JWT Token Generation
>
> Hey Javier,
>
> Do you want to generate the JWT token only if some header is present in the request? For the current implementation, we can't control it, as it is generated in the KM. But you can manipulate headers in the gateway, so you can decide which token you should send to the backend, either the APIM-generated one or a newly created JWT token.
>
> Thanks,
> Harsha
>
> 2017-07-19 0:41 GMT+02:00 Vazquez-Hidalgo, Javier <[email protected]>:
>
> > Hello,
> >
> > What is the best approach to have APIM generate a JWT Token only if a header is passed to the request?
> >
> > Thanks,
> > Javier
> >
> > If you wish to unsubscribe from receiving commercial electronic messages from TD Bank Group, please click here <http://www.td.com/tdoptout> or go to the following web address: www.td.com/tdoptout
> >
> > NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions.
> >
> > _______________________________________________
> > Dev mailing list
> > [email protected]
> > http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Harsha Kumara
> Software Engineer, WSO2 Inc.
> Mobile: +94775505618
> Blog: harshcreationz.blogspot.com

--
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
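One way to write the custom sequence Harsha describes, as an added example that is not part of this thread or of WSO2's own sample code: a Synapse in-sequence that looks at the transport headers and removes the gateway-generated JWT when the client already supplied its own id_token, and otherwise leaves the request on the default path. It assumes the client header is literally named `id_token` (Javier's name for it) and that the gateway's JWT header uses the APIM default name `X-JWT-Assertion` (configurable, so adjust it if your deployment renamed it); the sequence name `DropGatewayJwtIfIdTokenPresent` is made up for this example.

```xml
<!-- Example in-sequence (not WSO2 sample code). Attach it to the API as a
     mediation extension, per the "Adding Mediation Extensions" doc linked above. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="DropGatewayJwtIfIdTokenPresent">

  <!-- 'id_token' is the client-supplied header name assumed from the thread.
       get-property('transport', ...) returns an empty string when the header
       is absent, so boolean() of it is false in that case. -->
  <filter xpath="boolean(get-property('transport', 'id_token'))">
    <then>
      <!-- Client sent its own signed id_token: drop the key-manager-generated
           JWT so the backend receives exactly one identity assertion.
           'X-JWT-Assertion' is the APIM default header name (assumed here). -->
      <property name="X-JWT-Assertion" scope="transport" action="remove"/>
      <log level="custom">
        <property name="jwt-header-decision"
                  value="client id_token present, removed X-JWT-Assertion"/>
      </log>
    </then>
    <else>
      <!-- No client id_token: default path, the gateway JWT is forwarded unchanged. -->
      <log level="custom">
        <property name="jwt-header-decision"
                  value="no client id_token, forwarding X-JWT-Assertion"/>
      </log>
    </else>
  </filter>

</sequence>
```

The two log lines give you a per-request audit trail in the gateway log of which token the backend was handed, which is useful when debugging authorization failures reported by the service. Because the backend service in Javier's setup validates the id_token signature itself, removing `X-JWT-Assertion` only changes which assertion arrives; the backend's own signature check is what it still relies on for the roles and permissions it reads from the token.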
