Hi,

If someone uses this API Key in the Authorization Bearer header, it will work just like any other JWT token. To avoid this, we need to differentiate the API Key from other JWTs. Even if we provide a separate header for the API Key, the above issue will not be solved.
On Mon, Dec 9, 2019 at 4:59 PM Fazlan Nazeem <fazl...@wso2.com> wrote:

> Ok, this should be because we are using a different header than the
> authentication header for the API Key in the synapse gateway. I assume what we are
> trying here is to use both types of tokens in the authentication header?
>
> On Mon, Dec 9, 2019 at 4:41 PM Praminda Jayawardana <prami...@wso2.com> wrote:
>
>> It didn't look like the synapse gateway did a differentiation between these
>> two cases. +Rajith Roshan <raji...@wso2.com> tested it. The API Key didn't
>> work in the Auth header simply because there was a missing attribute in the
>> JWT. It doesn't result in an "Invalid JWT token" or similar error as expected.
>>
>> On Mon, Dec 9, 2019 at 4:34 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>
>>> We should be identifying both separately already in the synapse gateway.
>>> Have you checked how it has been done? Stick to the same if possible, for
>>> consistency.
>>>
>>> On Mon, Dec 9, 2019 at 3:56 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> We need to differentiate the API Key from a normal JWT token. The API
>>>> Key is a simple JWT, but when an API Key is provided we need to authenticate
>>>> the user as well.
>>>> For this purpose, we added the additional claim "apiKey" to the issued
>>>> JWT. If it is present in the token, it will be recognized as an API Key.
>>>> I would highly appreciate any suggestions regarding this.
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, Dec 6, 2019 at 3:54 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>
>>>>> Hi Harsha,
>>>>>
>>>>>> Will the token endpoint be the default one, and provide an option to point
>>>>>> to the key manager in a standard deployment?
>>>>>
>>>>> Configurations similar to the following are added to the micro-gw.conf
>>>>> file to enable the self JWT issuer and to provide related configurations [1].
>>>>>
>>>>> [jwtTokenConfig]
>>>>> issuer="https://localhost:9443/oauth2/token"
>>>>> audience="http://org.wso2.apimgt/gateway"
>>>>> certificateAlias="wso2apim"
>>>>> validateSubscription=false
>>>>> [jwtTokenConfig.jwtIssuer]
>>>>> enabled=false
>>>>> validityPeriod=600
>>>>> keyStoreAlias="ballerina"
>>>>>
>>>>>> What's the endpoint that we are going to provide, and how would the request
>>>>>> look to get a key?
>>>>>
>>>>> The token endpoint would issue the self JWT token when the JWT issuer is
>>>>> enabled in the config [2].
>>>>>
>>>>> curl -X GET "https://localhost:9096/token" -H "Authorization: Basic Z2VuZXJhbFVzZXIxOnBhc3N3b3Jk" -k
>>>>>
>>>>> [1] https://github.com/wso2/product-microgateway/issues/897#issuecomment-561996404
>>>>> [2] https://github.com/wso2/product-microgateway/issues/897#issuecomment-562422055
>>>>>
>>>>> On Fri, Dec 6, 2019 at 3:03 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> There is a Slack discussion [1] in the #microgateway channel as well.
>>>>>>
>>>>>> [1] https://wso2-apim.slack.com/archives/CLY1W0NSK/p1575007973020900
>>>>>>
>>>>>> On Fri, Dec 6, 2019 at 2:48 PM Harsha Kumara <hars...@wso2.com> wrote:
>>>>>>
>>>>>>> Please discuss this in public groups.
>>>>>>>
>>>>>>> What's the endpoint that we are going to provide, and how would the request
>>>>>>> look to get a key?
>>>>>>>
>>>>>>> Will the token endpoint be the default one, and provide an option to
>>>>>>> point to the key manager in a standard deployment?
>>>>>>>
>>>>>>> On Fri, Dec 6, 2019 at 2:31 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> We are planning to add a feature for issuing simple JWTs which are
>>>>>>>> to be used in Microgateway. Please refer to GitHub issue [1] for more
>>>>>>>> information.
>>>>>>>>
>>>>>>>> This feature addresses the user story "As a developer, I would like
>>>>>>>> to invoke my micro gateway API easily without configuring a key manager". A
>>>>>>>> self-contained JWT token should be issued as the API key by the
>>>>>>>> Microgateway server without communicating with an external Key
>>>>>>>> Manager. This API key would later be used to authenticate the user when
>>>>>>>> invoking an API.
>>>>>>>>
>>>>>>>> A token endpoint secured with basic authentication would be
>>>>>>>> provided to issue the API Key. When an API is invoked with this API Key, the API
>>>>>>>> key's sub claim could be used to authenticate the user and validate that the
>>>>>>>> user has the privilege.
>>>>>>>>
>>>>>>>> The JWT token format would be similar to:
>>>>>>>> header
>>>>>>>> {
>>>>>>>>   "alg": "RS256",
>>>>>>>>   "typ": "jwt",
>>>>>>>>   "kid": "ballerina"
>>>>>>>> }
>>>>>>>> payload
>>>>>>>> {
>>>>>>>>   "sub": "generalUser1",
>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>   "exp": 1575620540,
>>>>>>>>   "iat": 1575619940,
>>>>>>>>   "jti": "bb38e533-e127-4991-95a2-7a383e634eba",
>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>   "apiKey": true
>>>>>>>> }
>>>>>>>>
>>>>>>>> We highly appreciate your suggestions. Thank you.
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2/product-microgateway/issues/897
>>>>>>>> --
>>>>>>>> Amali Lakshika
>>>>>>>> Software Engineer, WSO2 Inc.: https://wso2.com
>>>>>>>> lean.enterprise.middle-ware
>>>>>>>> mobile: +94 71 932 1861
>>>>>>>> skype: amali.94d
>>>>>>>
>>>>>>> --
>>>>>>> Harsha Kumara
>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>> Mobile: +94775505618
>>>>>>> Email: hars...@wso2.com
>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>> GET INTEGRATION AGILE
>>>>>>> Integration Agility for Digitally Driven Business
>>>
>>> --
>>> Thanks & Regards,
>>> Fazlan Nazeem | Associate Technical Lead | WSO2 Inc
>>> Mobile : +94772338839 | fazl...@wso2.com
>>
>> --
>> Praminda Jayawardana | Associate Technical Lead | WSO2 Inc.
>> (m) +94 (0) 716 590918 | (e) prami...@wso2.com
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
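The check discussed in this thread, as an added stand-alone example (not code from WSO2 Microgateway or from any participant): the gateway verifies the token and then refuses an "apiKey" token on the Bearer path and a plain JWT on the API Key path, so that the separation does not rest on the header alone. Assumptions are labelled in the code: HS256 with the stdlib hmac module stands in for the RS256 signature the thread shows (so the block runs offline without a key store), the request header name "apikey" and the secret are made up for the example, and issuer and audience are taken from the micro-gw.conf sample above.

```python
"""Token-type separation for a self-issued API Key JWT.

Constructed example, not the Microgateway implementation. The signature step
uses HS256 (stdlib hmac) instead of the RS256 shown in the thread, so that it
runs offline; the claim-handling logic is the point being demonstrated.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-example-secret"          # assumption: stands in for the RS256 key pair
ISSUER = "https://localhost:9443/oauth2/token"  # from the micro-gw.conf sample in the thread
AUDIENCE = "http://org.wso2.apimgt/gateway"     # from the micro-gw.conf sample in the thread
APIKEY_HEADER = "apikey"                         # assumption: the thread names no header


class TokenRejected(Exception):
    """Raised for any token the gateway must not accept."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(sub: str, api_key: bool, validity: int = 600, now=None) -> str:
    """Mint a token in the shape the thread shows; api_key=True adds the 'apiKey' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": "ballerina"}
    payload = {"sub": sub, "iss": ISSUER, "aud": AUDIENCE,
               "iat": now, "exp": now + validity, "jti": str(uuid.uuid4())}
    if api_key:
        payload["apiKey"] = True
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify(token: str, now=None) -> dict:
    """Check signature, alg, issuer, audience and expiry; return the payload."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        raise TokenRejected("wrong issuer or audience")
    now = int(time.time()) if now is None else now
    if now >= int(payload.get("exp", 0)):
        raise TokenRejected("expired")
    return payload


def authenticate(headers: dict, now=None):
    """Dispatch on the request header; each path accepts only its own token type.

    Returns (scheme, subject). The header alone is not trusted: the 'apiKey'
    claim is checked on both paths, which is the gap raised in the thread.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        payload = _verify(auth[len("Bearer "):], now)
        if payload.get("apiKey"):
            raise TokenRejected("API Key presented as a Bearer JWT")
        return ("bearer", payload["sub"])
    api_key = headers.get(APIKEY_HEADER)
    if api_key:
        payload = _verify(api_key, now)
        if payload.get("apiKey") is not True:
            raise TokenRejected("plain JWT presented as an API Key")
        return ("apikey", payload["sub"])
    raise TokenRejected("no credentials")


if __name__ == "__main__":
    key = issue("generalUser1", api_key=True)
    print(authenticate({APIKEY_HEADER: key}))
    try:
        authenticate({"Authorization": "Bearer " + key})
    except TokenRejected as exc:
        print("rejected:", exc)
```

A real deployment would keep the RS256 verification against the configured certificateAlias and add the claim checks on top; the ordering matters, since the type check is only meaningful after the signature has been verified.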