I think we can make it optional.
If the particular app (token) doesn't have any subscriptions, the APIM IDP
will always send an empty subscribedAPIs array.
 "subscribedAPIs": []

That means there are no subscriptions for this app (token), hence we can
fail the validation.
If the subscribedAPIs element is not available at all, I think we can
safely assume that the JWT is from a different IDP. If it is trusted, we
can bypass subscription validation.
In some cases, subscription validation can be performed on the IDP side using
scopes themselves. So I don't think bypassing the validation would be a big
issue.

Thanks!


On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com>
wrote:

>
>
> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com>
> wrote:
>
>> Hi Johann,
>>
>>> How about supporting 3rd party Key Manager generated JWT access tokens?
>>> Will that work? 'jti' is an optional field as I remember. How would caching
>>> be impacted in that case?
>>>
>>
>> Good that you pointed that out. Then, we will have to use the whole token
>> as the key to the cache entry.
>>
> A 3rd party KM doesn't know about the APIM subscription, and I don't think it
> is possible to customize that on the IDP side. Other claims can be included
> using customization or configuration.
>
>>
>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>
>>> Hi Chamod,
>>>
>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement
>>>>> the revocation support as well as we already have the backend
>>>>> implementation?
>>>>
>>>>
>>>> Yes, we will.
>>>>
>>>
>>> I hope we are planning to follow the same real-time and persistent
>>> approach (with etcd) similar to the microgateway for this. Or is there a
>>> different plan?
>>>
>>>>
>>>> Best regards.
>>>>
>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com>
>>>> wrote:
>>>>
>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement
>>>>> the revocation support as well as we already have the backend
>>>>> implementation?
>>>>>
>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>> authentication for API Gateway.
>>>>>> [image: JWT-Auth.jpg]
>>>>>>
>>>>>> *Approach*
>>>>>> The API Authentication Handler will forward the request to the OAuth
>>>>>> Authenticator. Then the OAuth Authenticator will identify whether the
>>>>>> token is of type OAuth or JWT. If a JWT token is found, the request will
>>>>>> be passed to the JWT validator, which will be used to verify the token
>>>>>> signature and populate the Authentication Context information.
>>>>>>
>>>>>> A sample payload of JWT token which is used to populate the
>>>>>> Authentication Context.
>>>>>>
>>>>>> {
>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>   "sub": "admin@carbon.super",
>>>>>>   "application": {
>>>>>>     "owner": "admin",
>>>>>>     "tier": "Unlimited",
>>>>>>     "name": "DefaultApplication",
>>>>>>     "id": 1
>>>>>>   },
>>>>>>   "scope": "am_application_scope default",
>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>   "keytype": "PRODUCTION",
>>>>>>   "subscribedAPIs": [
>>>>>>     {
>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>       "name": "PizzaShackAPI",
>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>       "publisher": "admin",
>>>>>>       "version": "1.0.0",
>>>>>>       "subscriptionTier": "Gold"
>>>>>>     }
>>>>>>   ],
>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>   "exp": 1561701126,
>>>>>>   "iat": 1561697526,
>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>> }
>>>>>>
>>>>>> We are hoping to use the same caches used for OAuth tokens to store
>>>>>> the JWT tokens as well. In that scenario, the payload will be stored as a
>>>>>> JSONObject in the cache as the value and the key will be the "jti" value
>>>>>> (Unique identifier of the token) of the token.
>>>>>>
>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>  - retrieve the missing information in the payload of JWT token such
>>>>>> as "API tier"
>>>>>>  - retrieve scopes bound to the resource for scope validation
>>>>>>
>>>>>> The related Git issue can be found here [1]. I would really
>>>>>> appreciate any feedback. Thank you.
>>>>>>
>>>>>> Best regards,
>>>>>> Chamod.
>>>>>>
>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>
>>>>>> --
>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>>>> GET INTEGRATION AGILE
>>>>>> Integration Agility for Digitally Driven Business
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Harsha Kumara*
>>>>>
>>>>> Technical Lead, WSO2 Inc.
>>>>> Mobile: +94775505618
>>>>> Email: hars...@wso2.com
>>>>> Blog: harshcreationz.blogspot.com
>>>>>
>>>>> GET INTEGRATION AGILE
>>>>> Integration Agility for Digitally Driven Business
>>>>>
>>>>
>>>>
>>>> --
>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>> Mobile : +94772338839 | fazl...@wso2.com
>>>
>>>
>>>
>>
>> --
>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>>
>
>
> --
> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
>


-- 
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/

Mobile : +94 712383306
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
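The flow discussed above (signature check, cache keyed so that a 3rd-party token without "jti" still works, the subscribedAPIs rule from the top of the thread, and scope checks against the swagger-derived resource map), as an added example that is not part of the original post or of the WSO2 code base. It assumes an HS256 shared secret in place of the Key Manager's RSA key, a plain dict as the token cache, a constructed trusted-issuer list including a hypothetical 3rd-party IDP, and a constructed RESOURCE_SCOPES map standing in for the swagger local entry:

```python
"""Gateway-side JWT validation as sketched in the thread (added example, not
WSO2 code). Assumptions: HS256 with a shared secret stands in for the Key
Manager's RSA key, a dict is the token cache, and a constructed resource map
stands in for the swagger stored as a gateway local entry."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"  # assumption: demo HMAC key only
GATEWAY_AUD = "http://org.wso2.apimgt/gateway"
# Issuers the gateway trusts; the second one is a constructed 3rd-party IDP.
TRUSTED_ISSUERS = {"https://localhost:9443/oauth2/token",
                   "https://idp.example.test/oauth2/token"}
# Constructed stand-in for the swagger local entry: resource -> scopes.
RESOURCE_SCOPES = {"GET /menu": set(), "POST /order": {"order:write"}}
TOKEN_CACHE = {}  # cache key -> verified claim set

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint a token the way a Key Manager would (helper for the demo)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, now: float) -> dict:
    """alg, signature, exp, aud and iss checks; returns the claim set."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm swaps
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != GATEWAY_AUD:
        raise ValueError("wrong audience")
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    return claims

def cache_key(token: str) -> str:
    # Digest of the whole token: works when jti is absent (3rd-party KM), and
    # a hit means these exact bytes were verified before, not just the jti.
    return hashlib.sha256(token.encode()).hexdigest()

def subscription_allowed(claims: dict, context: str, version: str) -> bool:
    """Thread's proposal: [] means no subscriptions, so reject; a missing
    element means a trusted 3rd-party IDP, so skip subscription validation."""
    subs = claims.get("subscribedAPIs")
    if subs is None:
        return True
    return any(s.get("context") == context and s.get("version") == version
               for s in subs)

def scope_allowed(claims: dict, resource: str) -> bool:
    required = RESOURCE_SCOPES.get(resource)
    if required is None:
        return False  # resource not in swagger: nothing to authorize against
    granted = set(claims.get("scope", "").split())
    return not required or bool(required & granted)

def authenticate(token: str, context: str, version: str, resource: str,
                 now=None) -> dict:
    """Returns the authentication context or raises PermissionError."""
    now = time.time() if now is None else now
    key = cache_key(token)
    claims = TOKEN_CACHE.get(key)
    if claims is None:
        try:
            claims = verify_jwt(token, now)
        except ValueError as exc:
            raise PermissionError(f"invalid token: {exc}") from exc
        TOKEN_CACHE[key] = claims
    elif claims.get("exp", 0) <= now:  # cached entries still expire
        del TOKEN_CACHE[key]
        raise PermissionError("invalid token: token expired")
    if not subscription_allowed(claims, context, version):
        raise PermissionError("no subscription for this API")
    if not scope_allowed(claims, resource):
        raise PermissionError("insufficient scope")
    app = claims.get("application", {})
    return {"user": claims.get("sub"), "application": app.get("name"),
            "app_tier": app.get("tier"), "keytype": claims.get("keytype")}
```

Two design points worth noting: the cache is keyed by a digest of the whole token rather than "jti" alone, so the fallback Chamod mentions for 3rd-party tokens without "jti" is the only path, and a cache hit can never serve claims for bytes that were not themselves verified; and the "subscribedAPIs" rule is only safe because the "iss" allowlist runs first, so a token with no subscription element is accepted solely when its issuer is already trusted.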