I think we can make it optional. If the particular app (token) doesn't have any subscriptions, the APIM IDP will always send an empty subscribedAPIs array:

"subscribedAPIs": []

That means there are no subscriptions for this app (token), hence we can fail the validation. If the subscribedAPIs element is not available at all, I think we can safely assume that the JWT is from a different IDP. If it is trusted, we can bypass subscription validation. In some cases, subscription validation can be performed on the IDP side using scopes itself. So I don't think bypassing the validation would be a big issue.

Thanks!

On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com> wrote:
>
> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com> wrote:
>
>> Hi Johann,
>>
>> How about supporting 3rd party Key Manager generated JWT access tokens?
>>> Will that work? 'jti' is an optional field as I remember. How would caching
>>> be impacted in that case?
>>>
>>
>> Good that you pointed that out. Then, we will have to use the whole token
>> as the key to the cache entry.
>>
> 3rd party KM doesn't know about the APIM subscription and I don't think it
> is possible to customize at the IDP side. Other claims can be included
> using customization or configuration.
>
>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>
>>> Hi Chamod,
>>>
>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement
>>>>> the revocation support as well as we already have the backend
>>>>> implementation?
>>>>
>>>> Yes, we will.
>>>>
>>>
>>> I hope we are planning to follow the same real-time and persistent
>>> approach (with etc) similar to the microgateway for this. Or is there a
>>> different plan?
>>>
>>>> Best regards.
>>>>
>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com> wrote:
>>>>
>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement
>>>>> the revocation support as well as we already have the backend
>>>>> implementation?
>>>>>
>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>> authentication for API Gateway.
>>>>>> [image: JWT-Auth.jpg]
>>>>>>
>>>>>> *Approach*
>>>>>> The API Authentication Handler will forward the request to the OAuth
>>>>>> Authenticator. Then the OAuth Authenticator will identify whether the
>>>>>> token is of type OAuth or JWT. If a JWT token is found, the request will
>>>>>> be passed to the JWT validator, which will be used to verify the token
>>>>>> signature and populate the Authentication Context information.
>>>>>>
>>>>>> A sample payload of a JWT token which is used to populate the
>>>>>> Authentication Context:
>>>>>>
>>>>>> {
>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>   "sub": "admin@carbon.super",
>>>>>>   "application": {
>>>>>>     "owner": "admin",
>>>>>>     "tier": "Unlimited",
>>>>>>     "name": "DefaultApplication",
>>>>>>     "id": 1
>>>>>>   },
>>>>>>   "scope": "am_application_scope default",
>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>   "keytype": "PRODUCTION",
>>>>>>   "subscribedAPIs": [
>>>>>>     {
>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>       "name": "PizzaShackAPI",
>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>       "publisher": "admin",
>>>>>>       "version": "1.0.0",
>>>>>>       "subscriptionTier": "Gold"
>>>>>>     }
>>>>>>   ],
>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>   "exp": 1561701126,
>>>>>>   "iat": 1561697526,
>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>> }
>>>>>>
>>>>>> We are hoping to use the same caches used for OAuth tokens to store
>>>>>> the JWT tokens as well. In that scenario, the payload will be stored as a
>>>>>> JSONObject in the cache as the value, and the key will be the "jti" value
>>>>>> (unique identifier of the token) of the token.
>>>>>>
>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>> - retrieve the missing information in the payload of the JWT token, such
>>>>>>   as "API tier"
>>>>>> - retrieve scopes bound to the resource for scope validation
>>>>>>
>>>>>> The related Git issue can be found here [1]. I would really
>>>>>> appreciate any feedback. Thank you.
>>>>>>
>>>>>> Best regards,
>>>>>> Chamod.
>>>>>>
>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>
>>>>>> --
>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>>>> GET INTEGRATION AGILE
>>>>>> Integration Agility for Digitally Driven Business
>>>>>
>>>>> --
>>>>> *Harsha Kumara*
>>>>> Technical Lead, WSO2 Inc.
>>>>> Mobile: +94775505618
>>>>> Email: hars...@wso2.coim
>>>>> Blog: harshcreationz.blogspot.com
>>>>
>>>> --
>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>> Mobile : +94772338839 | fazl...@wso2.com
>>
>> --
>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>
> --
> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com

--
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/
Mobile : +94 712383306
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
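The thread above settles on three rules for the gateway: cache the token under "jti" when present and under the whole token otherwise, fail subscription validation when "subscribedAPIs" is present but empty, and skip subscription validation only when the claim is absent and the issuer is trusted (with resource scopes from the swagger local entry as the remaining check). The following is an added example, not code from the thread or from WSO2 API Manager, that models those rules over the sample payload posted by Chamod. It assumes the signature and expiry have already been verified before this logic runs, that the trusted issuer list and the resource's required scopes are supplied by the caller, and that a token needs at least one of a resource's bound scopes; the function names (`cache_key`, `decide_subscription`, `check_scopes`, `authorize`) are hypothetical.

```python
from enum import Enum

# Sample payload copied from the thread (values as posted on the list).
SAMPLE_PAYLOAD = {
    "aud": "http://org.wso2.apimgt/gateway",
    "sub": "admin@carbon.super",
    "application": {"owner": "admin", "tier": "Unlimited",
                    "name": "DefaultApplication", "id": 1},
    "scope": "am_application_scope default",
    "iss": "https://localhost:9443/oauth2/token",
    "keytype": "PRODUCTION",
    "subscribedAPIs": [
        {"subscriberTenantDomain": "carbon.super", "name": "PizzaShackAPI",
         "context": "/pizzashack/1.0.0", "publisher": "admin",
         "version": "1.0.0", "subscriptionTier": "Gold"}
    ],
    "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
    "exp": 1561701126,
    "iat": 1561697526,
    "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d",
}

# Constructed configuration value (assumption): issuers whose tokens may
# skip subscription validation when they carry no "subscribedAPIs" claim.
TRUSTED_ISSUERS = {"https://localhost:9443/oauth2/token",
                   "https://idp.example.test/oauth2/token"}


class Decision(str, Enum):
    ALLOW = "allow"                              # subscription matches the API
    BYPASS_TRUSTED_IDP = "bypass-trusted-idp"    # no claim, issuer is trusted
    DENY_NO_SUBSCRIPTIONS = "deny-empty-claim"   # claim present but empty
    DENY_NOT_SUBSCRIBED = "deny-not-subscribed"  # claim present, API missing
    DENY_UNTRUSTED_ISSUER = "deny-untrusted-iss" # no claim, issuer unknown
    DENY_SCOPE = "deny-scope"                    # resource scope not granted


def cache_key(payload: dict, raw_token: str) -> str:
    """Key for the shared token cache: "jti" when the IDP emits one,
    otherwise the whole token string, as proposed for 3rd-party tokens."""
    return payload.get("jti") or raw_token


def decide_subscription(payload: dict, api_context: str, api_version: str,
                        trusted_issuers: set) -> Decision:
    """Apply the rules from the thread to the "subscribedAPIs" claim."""
    subs = payload.get("subscribedAPIs")
    if subs is None:
        # Claim absent: assume a different IDP; bypass only if it is trusted.
        if payload.get("iss") in trusted_issuers:
            return Decision.BYPASS_TRUSTED_IDP
        return Decision.DENY_UNTRUSTED_ISSUER
    if not subs:
        # APIM always sends an empty array when the app has no subscriptions.
        return Decision.DENY_NO_SUBSCRIPTIONS
    for sub in subs:
        if sub.get("context") == api_context and sub.get("version") == api_version:
            return Decision.ALLOW
    return Decision.DENY_NOT_SUBSCRIBED


def check_scopes(payload: dict, required_scopes: list) -> bool:
    """Resource scopes come from the swagger local entry (per the thread).
    Assumption: any one bound scope in the space-separated "scope" claim
    is enough; a resource with no bound scopes needs none."""
    if not required_scopes:
        return True
    granted = set(payload.get("scope", "").split())
    return bool(granted & set(required_scopes))


def authorize(payload: dict, api_context: str, api_version: str,
              required_scopes: list, trusted_issuers: set = TRUSTED_ISSUERS) -> Decision:
    """Combined decision for one request (signature/expiry assumed verified)."""
    decision = decide_subscription(payload, api_context, api_version, trusted_issuers)
    if decision not in (Decision.ALLOW, Decision.BYPASS_TRUSTED_IDP):
        return decision
    if not check_scopes(payload, required_scopes):
        return Decision.DENY_SCOPE
    return decision


if __name__ == "__main__":
    print(cache_key(SAMPLE_PAYLOAD, "aaa.bbb.ccc"))
    print(authorize(SAMPLE_PAYLOAD, "/pizzashack/1.0.0", "1.0.0", ["default"]))
```

The two deny cases that differ only by the shape of the claim (absent versus empty) are kept as distinct results so that gateway logs can tell "third-party token from an unknown issuer" apart from "APIM token for an app with no subscriptions"; collapsing them would hide which configuration to fix.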