If it is needed to support subscriptions with third party KMs, do we have possible approaches? E.g. maintain an application id -> subscribed APIs mapping in the APIM KM and let APIM KMs generate JWTs by fetching the necessary information (scopes, application data) from a third party KM.
On Sat, Jun 29, 2019 at 9:38 AM Harsha Kumara <hars...@wso2.com> wrote:

> On Sat, Jun 29, 2019 at 9:31 AM Rajith Roshan <raji...@wso2.com> wrote:
>
>> On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>>
>>> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <malint...@wso2.com> wrote:
>>>
>>>> I think we can make it optional.
>>>> If the particular app (token) doesn't have any subscriptions, the APIM IDP will always send an empty subscribedAPIs array.
>>>> "subscribedAPIs": []
>>>>
>>>> That means there are no subscriptions for this app (token), hence we can fail the validation.
>>>> If the subscribedAPIs element is not available at all, I think we can safely assume that the JWT is from a different IDP. If it is trusted, we can bypass subscription validation.
>>>>
>>> That's the approach which we are already using in the MG as well.
>>>
>> The MGW approach is slightly different. MG validates subscription only if the array contains at least one element. Sending an empty array will also pass in the MGW. This is because when the APIM key manager is used customers might not want to enforce subscriptions.
>>
> I think the only difference is allowing the request to flow through when the subscriptions list is empty. This should be done because of the developer first approach. I think we can use the same way as @Malintha Amarasinghe <malint...@wso2.com> mentioned.
>
>>>> In some cases, subscription validation can be performed on the IDP side using scopes itself. So I don't think bypassing the validation would be a big issue.
>>>>
>>>> Thanks!
>>>>
>>>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com> wrote:
>>>>
>>>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>>
>>>>>> Hi Johann,
>>>>>>
>>>>>>> How about supporting 3rd party Key Manager generated JWT access tokens? Will that work? 'jti' is an optional field as I remember. How would caching be impacted in that case?
>>>>>>
>>>>>> Good that you pointed that out. Then, we will have to use the whole token as the key to the cache entry.
>>>>>>
>>>>> 3rd party KM doesn't know about the APIM subscription and I don't think it is possible to customize at the IDP side. Other claims can be included using customization or configuration.
>>>>>
>>>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Chamod,
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Harsha,
>>>>>>>>
>>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement the revocation support as well, as we already have the backend implementation?
>>>>>>>>
>>>>>>>> Yes, we will.
>>>>>>>>
>>>>>>> I hope we are planning to follow the same real-time and persistent approach (with etcd) similar to the microgateway for this. Or is there a different plan?
>>>>>>>
>>>>>>>> Best regards.
>>>>>>>>
>>>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to implement the revocation support as well, as we already have the backend implementation?
>>>>>>>>>
>>>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <cha...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I'm currently working on developing a new feature to support JWT authentication for the API Gateway.
>>>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>>>
>>>>>>>>>> *Approach*
>>>>>>>>>> The API Authentication Handler will forward the request to the OAuth Authenticator. Then the OAuth Authenticator will identify whether the token is of type OAuth or JWT. If a JWT token is found, the request will be passed to the JWT validator, which will be used to verify the token signature and populate the Authentication Context information.
>>>>>>>>>>
>>>>>>>>>> A sample payload of a JWT token which is used to populate the Authentication Context:
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>>   "sub": "admin@carbon.super",
>>>>>>>>>>   "application": {
>>>>>>>>>>     "owner": "admin",
>>>>>>>>>>     "tier": "Unlimited",
>>>>>>>>>>     "name": "DefaultApplication",
>>>>>>>>>>     "id": 1
>>>>>>>>>>   },
>>>>>>>>>>   "scope": "am_application_scope default",
>>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>>>>   "subscribedAPIs": [
>>>>>>>>>>     {
>>>>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>>>>       "publisher": "admin",
>>>>>>>>>>       "version": "1.0.0",
>>>>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>>>>     }
>>>>>>>>>>   ],
>>>>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>>>>   "exp": 1561701126,
>>>>>>>>>>   "iat": 1561697526,
>>>>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> We are hoping to use the same caches used for OAuth tokens to store the JWT tokens as well. In that scenario, the payload will be stored as a JSONObject in the cache as the value, and the key will be the "jti" value (unique identifier of the token) of the token.
>>>>>>>>>>
>>>>>>>>>> The swagger stored in the gateway as a local entry will be used to
>>>>>>>>>> - retrieve the missing information in the payload of the JWT token, such as "API tier"
>>>>>>>>>> - retrieve scopes bound to the resource for scope validation
>>>>>>>>>>
>>>>>>>>>> The related Git issue can be found here [1]. I would really appreciate any feedback. Thank you.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Chamod.
>>>>>>>>>>
>>>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Harsha Kumara
>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>> Mobile: +94775505618 | Email: hars...@wso2.com | Blog: harshcreationz.blogspot.com
>>>>>>>
>>>>>>> --
>>>>>>> Thanks & Regards,
>>>>>>> Fazlan Nazeem | Associate Technical Lead | WSO2 Inc
>>>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>>
>>>>> --
>>>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>>>
>>>> --
>>>> Malintha Amarasinghe
>>>> WSO2, Inc. - lean | enterprise | middleware
>>>> http://wso2.com/
>>>> Mobile : +94 712383306
>>
>> --
>> Rajith Roshan | Associate Technical Lead | WSO2 Inc.
>> (m) +94-717-064-214 | (e) raji...@wso2.com
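The gateway-side checks discussed in this thread (signature verification, caching by "jti" or by the whole token when "jti" is absent, skipping subscription validation when the subscribedAPIs claim is missing but failing it when the array is empty, and resource scope lookup from the swagger), as an added example that is not WSO2 code. It uses HS256 with a constructed shared secret in place of the IdP's signing key, the scope map and tokens are constructed, and it also shows why a cache hit on an unverified "jti" must be tied to the exact token string.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # assumption: HS256 stand-in for the IdP signing key
GATEWAY_AUD = "http://org.wso2.apimgt/gateway"
RESOURCE_SCOPES = {"/pizzashack/1.0.0/menu": {"default"}}   # constructed swagger scope map
CACHE = {}                                   # cache key -> (token, verified payload)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(payload: dict) -> str:
    # Mint a test token the way the IdP would (constructed HS256 signer).
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_signature(token: str):
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None                          # claims are returned only for a valid signature
    return json.loads(_unb64url(body))

def authenticate(token: str, api_context: str, resource: str, now=None):
    now = time.time() if now is None else now
    # Cache key: 'jti' if present, else the whole token. The jti is read before verification,
    # so a hit counts only when the cached token string is identical to this one.
    key = json.loads(_unb64url(token.split(".")[1])).get("jti") or token
    if key in CACHE and CACHE[key][0] == token:
        payload = CACHE[key][1]
    else:
        payload = verify_signature(token)
        if payload is None:
            return False, "bad signature"
        CACHE[key] = (token, payload)
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("aud") != GATEWAY_AUD:
        return False, "wrong audience"
    subs = payload.get("subscribedAPIs")   # absent: trusted third-party IdP, skip the check
    if subs is not None and not any(s.get("context") == api_context for s in subs):
        return False, "no subscription"    # an empty array also fails here
    needed = RESOURCE_SCOPES.get(resource, set())
    if needed and not needed & set(payload.get("scope", "").split()):
        return False, "scope mismatch"
    return True, "ok"
```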
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture