Hi Dinusha,
No we do not have to add it manually. "CustomOAuth2Header" configuration is
added to the "tenant-conf.json" that is shipped with the product. Therefore
once a tenant is created, this config will be automatically added to the
registry of the specific tenant. If a tenant wants to change the header,
then that tenant can change it in the respective tenant configuration and
save it to the registry.
Thanks,
Viduranga.
On Mon, Nov 27, 2017 at 12:08 PM, Dinusha Dissanayake <dinus...@wso2.com>
wrote:
> Hi Viduranga,
>
> Just to make it clarify, do we have to enter CustomOAuth2Header field
> manually after creating a tenant or will it be automatically added when we
> create a tenant?
>
> Thanks,
> DinushaD.
>
> On Mon, Nov 27, 2017 at 11:41 AM, Viduranga Gunarathne <vidura...@wso2.com
> > wrote:
>
>> Hi,
>>
>> Attached below is a sample tenant-conf.json and synapse config featuring
>> the proposed implementation.
>>
>> Config in tenant-conf.json
>> ------------------------------------------------------------
>> ------------------------------------------------------------
>> ----------------
>>
>> {
>> ...
>> "CustomOAuth2Header" : "ENG_Auth",
>>
>> "RemoveOAuthHeadersFromOutMessage" : true
>> ...
>> }
>>
>>
>> Config injected into synapse config file:
>> ------------------------------------------------------------
>> ------------------------------------------------------------
>> ----------------
>>
>> <handlers>
>>
>> ...
>>
>> <handler class="org.wso2.carbon.apimgt.
>> gateway.handlers.security.APIAuthenticationHandler">
>>
>> <property name="customOAuthHeader" value="ENG_Auth"/>
>>
>> <property name="RemoveOAuthHeadersFromOutMessage" value="true"/>
>>
>> </handler>
>>
>> ...
>>
>> </handlers>
>>
>> Thanks,
>> Viduranga.
>>
>> On Mon, Nov 27, 2017 at 10:58 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>
>>> This design looks good. Please send a sample of the synapse config (only
>>> the portion that gets modified) so that users get a good picture of how
>>> this is supposed to be injected to the Gateway handler.
>>>
>>> On Mon, Nov 27, 2017 at 10:43 AM, Viduranga Gunarathne <
>>> vidura...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> APIs in APIM 2.1.0 are secured with OAuth2 access tokens. In order to
>>>> access an API, the consumers should generate an access token and the
>>>> particular request should contain the generated token as an HTTP header.
>>>>
>>>> *Eg: "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a"*
>>>>
>>>>
>>>> *Problems:*
>>>>
>>>> i) As per the current implementation of API-M 2.1.0 the structure of
>>>> the access token is as above and the header field is hard coded to be
>>>> *"Authorization"*. When the Gateway receives a request to access a
>>>> resource, it looks for the access token by referring to the
>>>> header field "Authorization". The proposed implementation is to give each
>>>> and every tenant in the system, the capability to have a, "per tenant"
>>>> based customized authorization header field.
>>>>
>>>>
>>>> Eg:
>>>>
>>>> Tenant 1 : hr.lk --> "HR_Auth : Bearer
>>>> NtBQkXoKElu0H1a1fQ0DWfo6IX4a"
>>>>
>>>> Tenant 2 : eng.lk --> "ENG_Auth : Bearer
>>>> NtBQkXoKElu0H1a1fQ0DWfo6IX4a"
>>>>
>>>>
>>>> NB: This feature also supports the current implementation of
>>>> "Authorization" as the header field, so that it doesn't affect the existing
>>>> API-Ms in production.
>>>>
>>>>
>>>> ii) In API-M 2.1.0 there is a feature to restrict the access token,
>>>> that is being sent in the request, to be passed through to the production
>>>> endpoint from the Gateway. The configuration relevant to this is in the
>>>> "api-manager.xml" and it is as follows;
>>>>
>>>> *
>>>> <RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage>*
>>>>
>>>> If the value is set to *true *then the Gateway will not pass the
>>>> access token to the back end and if it's *false*, then it will. Since
>>>> this configuration resides in the *"api-manager.xml"*, it applies in a
>>>> "per server" basis. The proposal is to migrate it to the
>>>> *"tenant-conf.json"
>>>> *so that this configuration can be applied in a "per tenant"
>>>> basis.
>>>>
>>>>
>>>>
>>>> *Solutions:*
>>>> The design of the proposed solutions for the two problems are as
>>>> follows:
>>>>
>>>> i) Proposed workflow for custom header field:
>>>>
>>>> a) Read a configuration from the "tenant-conf.json" for a customized
>>>> OAuth2 header field.
>>>> b) Insert the config into the synapse config file that is generated
>>>> once an API is published, so that it gets deployed in the Gateway.
>>>> c) Use the custom header when checking the access token from
>>>> "APIAuthenticationHandler" for authentication.
>>>>
>>>> d) If no configuration exists in the "tenant-conf.json", then check for
>>>> a config in "api-manager.xml" and follow step (b) and (c). This config will
>>>> act as global config for the server.
>>>>
>>>> e) If no configuraton exists in the api-manager.xml then the existing
>>>> workflow will execute using the "Authorization" header field.
>>>>
>>>>
>>>> ii) Proposed workflow for restricting the access token from being
>>>> passed to the backend.
>>>>
>>>> a) Read the "RemoveOAuthHeadersFromOutMessage" config from the
>>>> "tenant-conf.json"
>>>>
>>>> b) If no config exists in tenant-conf.json, then read it from the
>>>> "api-manager.xml"
>>>>
>>>>
>>>> Any ideas and suggestions are highly appreciated!
>>>>
>>>> Thanks,
>>>> Viduranga.
>>>>
>>>> [1] https://docs.wso2.com/display/AM210/Working+with+Access+Tokens
>>>> --
>>>> Regards,
>>>>
>>>> *Viduranga Gunarathne*
>>>>
>>>> *Software Engineer Intern*
>>>>
>>>>
>>>> *WSO2*
>>>> Email : vidura...@wso2.com
>>>> Mobile : +94712437484 <+94%2071%20243%207484>
>>>> Web : http://wso2.com
>>>> [image: https://wso2.com/signature] <https://wso2.com/signature>
>>>>
>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc. http://wso2.com
>>> email : nuw...@wso2.com
>>> Phone : +94 777 775 729 <+94%2077%20777%205729>
>>>
>>
>>
>>
>> --
>> Regards,
>>
>> *Viduranga Gunarathne*
>>
>> *Software Engineer Intern*
>>
>>
>> *WSO2*
>> Email : vidura...@wso2.com
>> Mobile : +94712437484 <+94%2071%20243%207484>
>> Web : http://wso2.com
>> [image: https://wso2.com/signature] <https://wso2.com/signature>
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Dinusha Dissanayake
> Software Engineer
> WSO2 Inc
> Mobile: +94712939439 <+94%2071%20293%209439>
> <https://wso2.com/signature>
>
--
Regards,
*Viduranga Gunarathne*
*Software Engineer Intern*
*WSO2*
Email : vidura...@wso2.com
Mobile : +94712437484
Web : http://wso2.com
[image: https://wso2.com/signature] <https://wso2.com/signature>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
