On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>
> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <malint...@wso2.com> wrote:
>>
>> I think we can make it optional.
>> If the particular app (token) doesn't have any subscriptions, the APIM IDP will always send an empty subscribedAPIs array.
>> "subscribedAPIs": []
>>
>> That means there are no subscriptions for this app (token), hence we can fail the validation.
>> If the subscribedAPIs element is not available at all, I think we can safely assume that the JWT is from a different IDP. If it is trusted, we can bypass subscription validation.
>>
> That's the approach which we are already using in the MG as well.
>

The MGW approach is slightly different. MG validates subscription only if the array contains at least one element. Sending an empty array will also pass in the MGW. This is because when the APIM key manager is used, customers might not want to enforce subscriptions.

>> In some cases, subscription validation can be performed on the IDP side using scopes itself. So I don't think bypassing the validation would be a big issue.
>>
>> Thanks!
>>
>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com> wrote:
>>>
>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>
>>>> Hi Johann,
>>>>
>>>>> How about supporting 3rd party Key Manager generated JWT access tokens? Will that work? 'jti' is an optional field as I remember. How would caching be impacted in that case?
>>>>
>>>> Good that you pointed that out. Then, we will have to use the whole token as the key to the cache entry.
>>>>
>>> 3rd party KM doesn't know about the APIM subscription and I don't think it is possible to customize at the IDP side. Other claims can be included using customization or configuration.
>>>
>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>>>
>>>>> Hi Chamod,
>>>>>
>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>>>
>>>>>> Hi Harsha,
>>>>>>
>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement the revocation support as well, as we already have the backend implementation?
>>>>>>
>>>>>> Yes, we will.
>>>>>>
>>>>> I hope we are planning to follow the same real-time and persistent approach (with etc) similar to the microgateway for this. Or is there a different plan?
>>>>>
>>>>>> Best regards.
>>>>>>
>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com> wrote:
>>>>>>>
>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement the revocation support as well, as we already have the backend implementation?
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I'm currently working on developing a new feature to support JWT authentication for API Gateway.
>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>
>>>>>>>> *Approach*
>>>>>>>> The API Authentication Handler will forward the request to the OAuth Authenticator. Then the OAuth Authenticator will identify whether the token is of type OAuth or JWT. If a JWT token is found, the request will be passed to the JWT validator, which will be used to verify the token signature and populate the Authentication Context information.
>>>>>>>>
>>>>>>>> A sample payload of a JWT token which is used to populate the Authentication Context:
>>>>>>>>
>>>>>>>> {
>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>   "sub": "admin@carbon.super",
>>>>>>>>   "application": {
>>>>>>>>     "owner": "admin",
>>>>>>>>     "tier": "Unlimited",
>>>>>>>>     "name": "DefaultApplication",
>>>>>>>>     "id": 1
>>>>>>>>   },
>>>>>>>>   "scope": "am_application_scope default",
>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>>   "subscribedAPIs": [
>>>>>>>>     {
>>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>>       "publisher": "admin",
>>>>>>>>       "version": "1.0.0",
>>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>>     }
>>>>>>>>   ],
>>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>>   "exp": 1561701126,
>>>>>>>>   "iat": 1561697526,
>>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>> }
>>>>>>>>
>>>>>>>> We are hoping to use the same caches used for OAuth tokens to store the JWT tokens as well. In that scenario, the payload will be stored as a JSONObject in the cache as the value, and the key will be the "jti" value (unique identifier of the token) of the token.
>>>>>>>>
>>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>> - retrieve the missing information in the payload of the JWT token, such as "API tier"
>>>>>>>> - retrieve scopes bound to the resource for scope validation
>>>>>>>>
>>>>>>>> The related Git issue can be found here [1]. I would really appreciate any feedback. Thank you.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Chamod.
>>>>>>>>
>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>
>>>>>>>> --
>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com
>>>>>>>> GET INTEGRATION AGILE
>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>
>>>>>>> --
>>>>>>> *Harsha Kumara*
>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>> Mobile: +94775505618
>>>>>>> Email: hars...@wso2.com
>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>
>>> --
>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>
>> --
>> Malintha Amarasinghe
>> *WSO2, Inc. - lean | enterprise | middleware*
>> http://wso2.com/
>> Mobile : +94 712383306
>

--
*Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
(m) +94-717-064-214 | (e) raji...@wso2.com
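The gateway-side rules discussed in this thread, written out as an added Python example (this is not code from WSO2 API Manager or the Microgateway): verify the signature before trusting any claim, key the cache on "jti" and fall back to a digest of the whole token when a third-party IdP omits it, check expiry on every request even on a cache hit, and handle the three shapes of subscribedAPIs (claim absent, empty array, populated array). It signs with HS256 and a constructed key so it runs offline; the function names, the constructed key, the `empty_array_policy` switch ("reject" for the behaviour Malintha proposed, "allow" for the Microgateway behaviour described above) and the "allowed"/"rejected"/"bypassed"/"expired" result strings are assumptions for this example. The cache entry also records a digest of the exact token it was built from, so a different token that merely carries a known "jti" goes through signature verification instead of riding on the cached entry.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims taken from the sample payload in the thread (trimmed to the ones used here).
SAMPLE_PAYLOAD = {
    "aud": "http://org.wso2.apimgt/gateway",
    "sub": "admin@carbon.super",
    "iss": "https://localhost:9443/oauth2/token",
    "keytype": "PRODUCTION",
    "subscribedAPIs": [{"name": "PizzaShackAPI", "context": "/pizzashack/1.0.0",
                        "version": "1.0.0", "subscriptionTier": "Gold"}],
    "exp": 1561701126,
    "iat": 1561697526,
    "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(payload: dict, key: bytes) -> str:
    """HS256 signer, constructed for this demo only (APIM tokens are signed by the key manager)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return parts

def verify_signature(token: str, key: bytes) -> dict:
    """Verify the signature before any claim is trusted; pin the algorithm instead of honouring 'alg'."""
    header_b64, body_b64, sig_b64 = _split(token)
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

def cache_key(token: str, payload: dict) -> str:
    """'jti' when the issuer sets it; otherwise (third-party IdP) a digest of the whole token."""
    return payload.get("jti") or hashlib.sha256(token.encode()).hexdigest()

def validate_subscription(payload: dict, api_context: str, api_version: str,
                          empty_array_policy: str = "reject") -> str:
    subs = payload.get("subscribedAPIs")
    if subs is None:
        # Claim absent: APIM did not issue this token. A trusted external IdP skips the check.
        return "bypassed"
    if not subs:
        # [] means APIM knows the app has no subscriptions. "reject" fails validation as
        # proposed in the thread; "allow" mirrors the Microgateway, which only validates
        # when the array has at least one element.
        return "bypassed" if empty_array_policy == "allow" else "rejected"
    for sub in subs:
        if sub.get("context") == api_context and sub.get("version") == api_version:
            return "allowed"
    return "rejected"

def authenticate(token: str, key: bytes, api_context: str, api_version: str, *,
                 now=None, empty_array_policy: str = "reject", cache=None) -> str:
    """Gateway decision: cache lookup, signature check on a miss, expiry, then subscription."""
    now = int(time.time()) if now is None else now
    cache = {} if cache is None else cache
    try:
        unverified = json.loads(_b64url_decode(_split(token)[1]))  # only used to find the cache entry
    except ValueError:
        return "rejected"
    if not isinstance(unverified, dict):
        return "rejected"
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = cache.get(cache_key(token, unverified))
    if entry is not None and entry["digest"] == digest:
        payload = entry["payload"]  # hit: this exact token was verified earlier
    else:
        # Miss, or a different token presenting a known jti: verify the signature.
        try:
            payload = verify_signature(token, key)
        except ValueError:
            return "rejected"
        cache[cache_key(token, payload)] = {"digest": digest, "payload": payload}
    if payload.get("exp", 0) <= now:  # checked on every request, cached or not
        return "expired"
    return validate_subscription(payload, api_context, api_version, empty_array_policy)
```

The split between `authenticate` and `validate_subscription` keeps the subscription policy a single switch, so the strict (empty array fails) and Microgateway (empty array passes) behaviours differ in one line rather than in two code paths.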
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture