If just the token authentication, handlers in the gateway and filters in
micro gateway are the way to go. However, if the expectation is an integrated,
seamless flow with the developer marketplace experience, there is an
improvement in the store to obtain the tokens and generate them directly from
the 3rd party IDP.

On Wed, Mar 6, 2019 at 11:24 AM Johann Nallathamby <joh...@wso2.com> wrote:

> APIM Team,
>
> I would like to understand what was the original reason we went with a 3rd
> party key manager extension in our key manager component, rather than
> giving the extensibility to integrate a 3rd party key manager at the
> gateway itself.
>
> What are the problems in supporting 3rd party Key Manager integrations
> directly from the API Gateway, avoiding the WSO2 Key Manager altogether? We can
> provide a well designed OAuth2 security handler on the gateway, with
> template methods to extend and integrate 3rd party KMs.
>
> Pros:
> 1. Taking advantage of standards such as OAuth2/OpenID Connect which are
> supported by many vendors already, will reduce developer effort to
> understand protocols, will reduce development time and increase
> reusability. I feel like we are just complicating the process by going
> through a constricted API layer.
> 2. Higher level SPIs like handlers in the gateway are much easier to
> understand and more people have worked with those SPIs already for other
> purposes.
> 3. It gives you more flexibility to integrate with key manager, because
> there is more contextual information available in gateway.
> E.g. recently in a customer engagement I came across the requirement to
> integrate with multiple 3rd party key managers, based on hostname of the
> API request, using one gateway handler extension.
> 4. It is seen as a security vulnerability to share the access tokens and
> refresh tokens via a 3rd party component in between client and actual token
> provider.
> 5. We don't need to have our key manager in the deployment if we can
> directly integrate with the 3rd party key manager, which saves running cost
> for the customer.
>
> Cons:
> 1. The contract of the handler may not be as clear as the key manager
> extension, because it is a more generic extension than the key manager
> extension; the key manager extension could be tighter. But this can be
> improved by design patterns.
>
> I believe the pros outweigh the cons. If you think the key manager
> extension point is also important, then we can have two levels of extension
> points, and choose depending on what we think is the best for the
> requirement.
>
> What is your opinion on this?
>
> Thanks & Regards,
> Johann.
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
> WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>


-- 
*1G*
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture