Hi Sanjeewa,

Irrespective of the method we use to implement this, once we choose a mechanism we will not be able to refer to the JWT tokens as self-contained, isn't it? Because we will have to depend on an external party to decide the validity of a token.

AFAIU, I think the pub/sub model and the push model have a disadvantage if the process running the topic (in the pub/sub model) or the microgateway (in the push model) is restarted (unless we repopulate the topic or the MGW memory on each restart with the JTIs of unexpired revoked tokens). With the pull model, I don't see this issue; the key manager only needs to store the unexpired revoked token information.

I also feel that we need to introduce a config to switch this feature on/off, so that we can also use the microgateways in the current mode.

On Thu, Feb 7, 2019 at 3:58 PM Sanjeewa Malalgoda <sanje...@wso2.com> wrote:

> Hi All,
> I'm initiating this mail thread to discuss more about the JWT token revocation
> feature we are planning to implement for the API Manager micro-gateway. In the API
> Manager micro-gateway we support both OAuth access tokens and JWT access
> tokens. When we use OAuth access tokens we can revoke them and make it
> take effect immediately, since all OAuth tokens get validated with the key
> manager and revoked tokens will fail validation. When we use JWT tokens we do
> token validation within the gateway itself without calling the key manager or an
> external party. Since JWT is a self-contained one, we basically trust its
> content as long as the token is not expired and the signature is valid. Then it will be a
> problem.
>
> So we will need to have some mechanism to propagate revoked token details
> to micro-gateways as well. Since self-contained token revocation is
> ineffective (there can be multiple token contents for the same valid JTI due to
> generated time and signature changes), the most suitable way of doing this is
> using the JTI to identify revoked tokens. When a JWT is revoked we need to revoke it
> using the JTI. If we can send the revoked JTI list to the micro-gateway then we can
> check that as part of the key validation process.
>
> We need to find a way to send revoked JTIs to microgateways:
> Pub/sub model - all gateways need to subscribe to a topic and get updated
> about revoked tokens.
> Pull model - micro-gateways will call the key manager or management server and
> get updates about revoked tokens.
> Push model - the management server or key manager plugin will call all
> deployed micro services and send the revoked JWT list.
> Each of these methods will have their own advantages and disadvantages.
> Let's use this mail to discuss those in detail and come to a conclusion.
>
> Thanks,
> sanjeewa.
> --
> *Sanjeewa Malalgoda*
> Software Architect | Associate Director, Engineering - WSO2 Inc.
> (m) +94 712933253 | (e) sanje...@wso2.com | (b) Blogger
> <http://sanjeewamalalgoda.blogspot.com>, Medium
> <https://medium.com/@sanjeewa190>
>
> GET INTEGRATION AGILE <https://wso2.com/signature>
> Integration Agility for Digitally Driven Business
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Thanks & Regards,
*Fazlan Nazeem*
Associate Technical Lead
WSO2 Inc
Mobile : +94772338839
fazl...@wso2.com
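The pull model discussed in this thread, written out as an added example that is not code from the thread or from the WSO2 micro-gateway: the key manager keeps only unexpired revoked JTIs and prunes the rest, the gateway pulls that list, and a config switch lets the gateway run in the current mode with no revocation check. The HS256 minting helper and the shared key are constructed for the demo only.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: shared HS256 key, demo only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    # Constructed HS256 JWT so the example runs offline (stands in for the key manager).
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

class KeyManager:
    """Stores only unexpired revoked JTIs; gateways pull this list (pull model)."""
    def __init__(self):
        self.revoked = {}  # jti -> exp of the revoked token

    def revoke(self, jti: str, exp: int):
        self.revoked[jti] = exp

    def pull_revoked(self, now: int) -> set:
        # Prune on each pull: an expired token fails the exp check anyway,
        # so its JTI no longer needs to be remembered.
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}
        return set(self.revoked)

class Gateway:
    def __init__(self, revocation_enabled: bool = True):
        self.revocation_enabled = revocation_enabled  # config switch from the thread
        self.revoked_jtis = set()

    def sync(self, km: KeyManager, now: int):
        if self.revocation_enabled:  # periodic pull from the key manager
            self.revoked_jtis = km.pull_revoked(now)

    def validate(self, token: str, now: int) -> str:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return "invalid-signature"
        claims = json.loads(_unb64(payload))
        if claims.get("exp", 0) <= now:
            return "expired"
        if self.revocation_enabled and claims.get("jti") in self.revoked_jtis:
            return "revoked"
        return "ok"
```

Between two pulls a freshly revoked token is still accepted, so the pull interval bounds how long a revoked JWT stays usable.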