On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>
>
> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <malint...@wso2.com>
> wrote:
>
>> I think we can make it optional.
>> If the particular app (token) doesn't have any subscriptions, the APIM
>> IDP will always send an empty subscribedAPIs array.
>> "subscribedAPIs": []
>>
>> That means there are no subscriptions for this app (token) hence we can
>> fail the validation.
>> If the subscribedAPIs element is not available at all, I think we can
>> safely assume that the JWT is from a different IDP. If it is trusted, we
>> can bypass subscription validation.
>>
> That's the approach which we already using in the MG as well.
>
The MGW approach is slightly different. MG validates subscription only if
the array at least contains one element. Sending an empty array will also
pass in the MGW . This is because when APIM key manager is used customers
might not want to enforce subscriptions.
> In some cases, subscription validation can be performed in IDP side using
>> scopes itself. So I don't think bypassing the validation would be a big
>> issue.
>>
>> Thanks!
>>
>>
>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Johann,
>>>>
>>>> How about supporting 3rd party Key Manager generated JWT access tokens?
>>>>> Will that work? 'jti' is an optional field as I remember. How would
>>>>> caching
>>>>> be impacted in that case?
>>>>>
>>>>
>>>> Good that you pointed out that. Then, we will have to use the whole
>>>> token as the key to the cache entry.
>>>>
>>> 3rd party KM doesn't know about the APIM subscription and I don't think
>>> it is possible to customize at the IDP side. Other claims can be included
>>> using customization or configuration.
>>>
>>>>
>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Chamod,
>>>>>
>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Harsha,
>>>>>>
>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement
>>>>>>> the revocation support as well as we already have the backend
>>>>>>> implementation?
>>>>>>
>>>>>>
>>>>>> Yes, we will.
>>>>>>
>>>>>
>>>>> I hope we are planning to follow the same real-time and persistent
>>>>> approach(with etc) similar to the mcirogateway for this. Or is there a
>>>>> different plan?
>>>>>
>>>>>>
>>>>>> Best regards.
>>>>>>
>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>> implement the revocation support as well as we already have the backend
>>>>>>> implementation?
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <cha...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I'm currently working on developing a new feature to support JWT
>>>>>>>> authentication for API Gateway.
>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>
>>>>>>>> *Approach*
>>>>>>>> The API Authentication Handler will forward the request to OAuth
>>>>>>>> Authenticator. Then the OAuth Authenticator will identify whether the
>>>>>>>> token
>>>>>>>> is of type OAuth or JWT. If a JWT token is found the request will be
>>>>>>>> passed
>>>>>>>> to the JWT validator which will be used to verify the token signature
>>>>>>>> and
>>>>>>>> populate the Authentication Context information.
>>>>>>>>
>>>>>>>> A sample payload of JWT token which is used to populate the
>>>>>>>> Authentication Context.
>>>>>>>>
>>>>>>>> {
>>>>>>>> "aud": "http://org.wso2.apimgt/gateway";,
>>>>>>>> "sub": "admin@carbon.super",
>>>>>>>> "application": {
>>>>>>>> "owner": "admin",
>>>>>>>> "tier": "Unlimited",
>>>>>>>> "name": "DefaultApplication",
>>>>>>>> "id": 1
>>>>>>>> },
>>>>>>>> "scope": "am_application_scope default",
>>>>>>>> "iss": "https://localhost:9443/oauth2/token";,
>>>>>>>> "keytype": "PRODUCTION",
>>>>>>>> "subscribedAPIs": [
>>>>>>>> {
>>>>>>>> "subscriberTenantDomain": "carbon.super",
>>>>>>>> "name": "PizzaShackAPI",
>>>>>>>> "context": "/pizzashack/1.0.0",
>>>>>>>> "publisher": "admin",
>>>>>>>> "version": "1.0.0",
>>>>>>>> "subscriptionTier": "Gold"
>>>>>>>> }
>>>>>>>> ],
>>>>>>>> "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>> "exp": 1561701126,
>>>>>>>> "iat": 1561697526,
>>>>>>>> "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>> }
>>>>>>>>
>>>>>>>> We are hoping to use the same caches used for OAuth tokens to store
>>>>>>>> the JWT tokens as well. In that scenario, the payload will be stored
>>>>>>>> as a
>>>>>>>> JSONObject in the cache as the value and the key will be the "jti"
>>>>>>>> value
>>>>>>>> (Unique identifier of the token) of the token.
>>>>>>>>
>>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>> - retrieve the missing information in the payload of JWT token
>>>>>>>> such as "API tier"
>>>>>>>> - retrieve scopes bound to the resource for scope validation
>>>>>>>>
>>>>>>>> The related Git issue can be found here [1]. I would really
>>>>>>>> appreciate any feedback. Thank you.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Chamod.
>>>>>>>>
>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>
>>>>>>>> --
>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>>>>>> GET INTEGRATION AGILE
>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *Harsha Kumara*
>>>>>>>
>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>> Mobile: +94775505618
>>>>>>> Email: hars...@wso2.coim
>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>
>>>>>>> GET INTEGRATION AGILE
>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>>>> GET INTEGRATION AGILE
>>>>>> Integration Agility for Digitally Driven Business
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>>
>>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>>>
>>>
>>>
>>> --
>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>>
>>
>>
>> --
>> Malintha Amarasinghe
>> *WSO2, Inc. - lean | enterprise | middleware*
>> http://wso2.com/
>>
>> Mobile : +94 712383306
>>
>
>
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: hars...@wso2.coim
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
>
--
*Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
(m) +94-717-064-214 | (e) raji...@wso2.com <shen...@wso2.com>
<https://wso2.com/signature>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
