On Fri, Dec 13, 2019 at 11:34 AM Amali Matharaarachchi <ama...@wso2.com> wrote:
> Hi all,
>
> I have several concerns regarding the current approach. I highly appreciate your suggestions. @Rajith Roshan <raji...@wso2.com> Please add if I have missed out anything.
>
> 1. How to differentiate the API Key and JWT token.
> API Key issued from the Microgateway has additional claim "apikey: true". This claim will be used to recognize if it is an API Key when an API Key is given as bearer authorization.
> However, an API Key and a JWT token released from API Manager cannot be differentiated in Microgateway.

API Key will come in apiKey header or query parameters. Hence I don't see a problem of differentiating them.

> 2. Add an adequate level of security to API Key issued from Microgateway.
> We validate the user given in the subject claim of the API Key. The invocation request will be authorized only if the subjected user is configured in the gateway which received the API invocation request.

Since configuring users isn't a scalable solution, did we look for any alternatives?

> 3. Add a list of APIs to the API Key to indicate which APIs can be accessed from the issued API Key.
> This is not addressed by the current implementation. Beforehand there are a couple of concerns we need to address for cases such as load-balanced micro gateways.
>
> 4. Issues on API Key with Load balancing.
> When an API Key is requested with basic auth, some gateway which can authorize the request would answer the call and issue an API Key. We do not control which gateway will answer this request. This is a blocker to achieve the 3rd option.
> Also, we do not control which gateway will handle the API invocation request. The gateway which answers the API invocation call can authorize the request only after validating the user with its own user configurations. Hence ideally, the user configurations should be identical in gateways.
>
> Kindly let me know your thoughts. Thank you.
>
> On Mon, Dec 9, 2019 at 5:06 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>
>> Hi,
>> If someone used this API Key in authorization bearer header, it will work just like another JWT token. To avoid this, we need to differentiate API Key and other JWTs. Even if we provide a separate header for the API Key, the above issue will not be solved.
>>
>> On Mon, Dec 9, 2019 at 4:59 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>
>>> Ok, this should be because we are using a different header than the authentication header for API Key in synapse gateway. I assume what we are trying here is to use both types of tokens in the authentication header?
>>>
>>> On Mon, Dec 9, 2019 at 4:41 PM Praminda Jayawardana <prami...@wso2.com> wrote:
>>>
>>>> It didn't look like synapse gateway did a differentiation between these two cases. +Rajith Roshan <raji...@wso2.com> tested it. API Key didn't work in Auth header simply because there was a missing attribute in the JWT. It doesn't result in "Invalid JWT token" or similar error as expected.
>>>>
>>>> On Mon, Dec 9, 2019 at 4:34 PM Fazlan Nazeem <fazl...@wso2.com> wrote:
>>>>
>>>>> We should be identifying both separately already in the synapse gateway. Have you checked how it has been done, and can we stick to the same if possible for consistency?
>>>>>
>>>>> On Mon, Dec 9, 2019 at 3:56 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> We need to differentiate the API Key from a normal JWT token. The API Key is a simple JWT, but when an API Key is provided we need to authenticate the user as well.
>>>>>> For this purpose, we added the additional claim "apiKey" to the issued JWT. If it is present in the token, it will be recognized as an API Key.
>>>>>> I would highly appreciate it if you have any suggestions regarding this.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Fri, Dec 6, 2019 at 3:54 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Harsha,
>>>>>>>
>>>>>>>> Will the token endpoint be the default one and provide an option to point to the key manager in a standard deployment?
>>>>>>>
>>>>>>> Configurations similar to the following are added to the micro-gw.conf file to enable the self JWT issuer and to provide related configurations [1].
>>>>>>>
>>>>>>> [jwtTokenConfig]
>>>>>>> issuer="https://localhost:9443/oauth2/token"
>>>>>>> audience="http://org.wso2.apimgt/gateway"
>>>>>>> certificateAlias="wso2apim"
>>>>>>> validateSubscription=false
>>>>>>> [jwtTokenConfig.jwtIssuer]
>>>>>>> enabled=false
>>>>>>> validityPeriod=600
>>>>>>> keyStoreAlias="ballerina"
>>>>>>>
>>>>>>>> What's the endpoint that we are going to provide, and how would the request look to get a key?
>>>>>>>
>>>>>>> The token endpoint would issue the self JWT token when the JWT issuer is enabled in the config [2].
>>>>>>>
>>>>>>> curl -X GET "https://localhost:9096/token" -H "Authorization: Basic Z2VuZXJhbFVzZXIxOnBhc3N3b3Jk" -k
>>>>>>>
>>>>>>> [1] https://github.com/wso2/product-microgateway/issues/897#issuecomment-561996404
>>>>>>> [2] https://github.com/wso2/product-microgateway/issues/897#issuecomment-562422055
>>>>>>>
>>>>>>> On Fri, Dec 6, 2019 at 3:03 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>> There is a Slack discussion [1] in the #microgateway channel as well.
>>>>>>>>
>>>>>>>> [1] https://wso2-apim.slack.com/archives/CLY1W0NSK/p1575007973020900
>>>>>>>>
>>>>>>>> On Fri, Dec 6, 2019 at 2:48 PM Harsha Kumara <hars...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Please discuss this in public groups.
>>>>>>>>>
>>>>>>>>> What's the endpoint that we are going to provide, and how would the request look to get a key?
>>>>>>>>>
>>>>>>>>> Will the token endpoint be the default one and provide an option to point to the key manager in a standard deployment?
>>>>>>>>>
>>>>>>>>> On Fri, Dec 6, 2019 at 2:31 PM Amali Matharaarachchi <ama...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> We are planning to add a feature for issuing simple JWTs which are to be used in Microgateway. Please refer to GitHub issue [1] for more information.
>>>>>>>>>>
>>>>>>>>>> This feature addresses the user story "As a developer, I would like to invoke my micro gateway API easily without configuring a key manager". A self-contained JWT token should be issued as the API key by the Microgateway server without communicating with an external Key Manager. This API key would later be used to authenticate the user when invoking an API.
>>>>>>>>>>
>>>>>>>>>> A token endpoint secured with basic authentication would be provided to issue the API Key. When invoked with this API Key, the API key's sub claim could be used to authenticate the user and validate that the user has the privilege.
>>>>>>>>>>
>>>>>>>>>> JWT token format would be similar to:
>>>>>>>>>> header
>>>>>>>>>> {
>>>>>>>>>>   "alg": "RS256",
>>>>>>>>>>   "typ": "jwt",
>>>>>>>>>>   "kid": "ballerina"
>>>>>>>>>> }
>>>>>>>>>> payload
>>>>>>>>>> {
>>>>>>>>>>   "sub": "generalUser1",
>>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>>   "exp": 1575620540,
>>>>>>>>>>   "iat": 1575619940,
>>>>>>>>>>   "jti": "bb38e533-e127-4991-95a2-7a383e634eba",
>>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>>   "apiKey": true
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> We highly appreciate your suggestions. Thank you.
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/wso2/product-microgateway/issues/897
>>>>>>>>>> --
>>>>>>>>>> *Amali Lakshika*
>>>>>>>>>> Software Engineer, WSO2 Inc.: https://wso2.com
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>> mobile: +94 71 932 1861
>>>>>>>>>> skype: amali.94d
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Harsha Kumara*
>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>> Mobile: +94775505618
>>>>>>>>> Email: hars...@wso2.com
>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>
>>>> --
>>>> *Praminda Jayawardana* | Associate Technical Lead | WSO2 Inc.
>>>> (m) +94 (0) 716 590918 | (e) prami...@wso2.com

--
*Harsha Kumara*
Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: hars...@wso2.com
Blog: harshcreationz.blogspot.com
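The following is an added example, not code from this thread or from the Microgateway project, that shows the gateway-side decision the thread discusses: the `apiKey: true` claim (rather than the header the token arrived in) identifies an API Key, and an API Key is honoured only when its `sub` is a user configured on the gateway that received the call (points 1 and 2, and the bearer-header concern Amali raised). It uses the claim names, issuer, audience and `validityPeriod=600` from the thread. Everything else is an assumption of the example: the gateway signs with RS256 under the `ballerina` keystore alias, but to stay standard-library only this code signs with HMAC-SHA256 and a constructed secret; `issue_token`, `verify_token`, `authorize`, the `presented_in` argument and the `CONFIGURED_USERS` set are hypothetical names; and rejecting a token without the `apiKey` claim when it is presented in the apikey header is a design choice of this example, not described as the project's behaviour.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed stand-ins. The Microgateway in the thread signs with RS256 under
# the "ballerina" keystore alias; to stay standard-library only, this example
# signs with HMAC-SHA256 and a constructed secret instead (assumption).
SIGNING_KEY = b"constructed-demo-secret"
ISSUER = "https://localhost:9443/oauth2/token"   # issuer value from micro-gw.conf in the thread
AUDIENCE = "http://org.wso2.apimgt/gateway"      # audience value from micro-gw.conf in the thread
VALIDITY_PERIOD = 600                            # validityPeriod=600 from the thread, in seconds
# Users configured on this particular gateway instance (constructed). Point 2 of
# the thread: an API Key is only honoured if its "sub" is configured here.
CONFIGURED_USERS = {"generalUser1"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_token(subject, api_key, now=None):
    """Mint a self-contained JWT with the claims shown in the thread.
    api_key=True adds the "apiKey": true claim that marks it as an API Key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "jwt", "kid": "ballerina"}
    payload = {"sub": subject, "iss": ISSUER, "exp": now + VALIDITY_PERIOD,
               "iat": now, "jti": str(uuid.uuid4()), "aud": AUDIENCE}
    if api_key:
        payload["apiKey"] = True
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signature = _sign(f"{header_b64}.{payload_b64}".encode())
    return f"{header_b64}.{payload_b64}.{_b64url(signature)}"


def verify_token(token, now=None):
    """Signature, alg, iss, aud and exp checks. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = _sign(f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, decides the algorithm
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authorize(token, presented_in, now=None):
    """Gateway-side decision for one request.
    presented_in is "apikey" (apikey header or query parameter) or
    "authorization" (Authorization: Bearer). The apiKey claim, not the
    header, decides which rules apply, so an API Key sent as a bearer token
    still gets the configured-user check the thread describes."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return {"allowed": False, "kind": None, "reason": str(exc)}
    if claims.get("apiKey") is True:
        if claims.get("sub") not in CONFIGURED_USERS:
            return {"allowed": False, "kind": "api-key",
                    "reason": "subject is not configured on this gateway"}
        return {"allowed": True, "kind": "api-key", "reason": "subject is a configured user"}
    if presented_in == "apikey":
        # Design choice of this example: a plain JWT is not accepted where an API Key is expected.
        return {"allowed": False, "kind": "jwt", "reason": "token without apiKey claim sent as API Key"}
    return {"allowed": True, "kind": "jwt", "reason": "valid JWT"}


if __name__ == "__main__":
    key = issue_token("generalUser1", api_key=True)
    for where in ("apikey", "authorization"):
        print(where, authorize(key, where))
    print("unconfigured user:", authorize(issue_token("someoneElse", api_key=True), "apikey"))
    print("plain JWT as API Key:", authorize(issue_token("generalUser1", api_key=False), "apikey"))
```

Two things in the thread map directly onto this code. The bearer-header concern is handled because `authorize` branches on the claim, so the same key gets the same configured-user check in either position. The load-balancing concern (point 4) is visible too: `CONFIGURED_USERS` is per gateway instance, so a key minted by one instance is rejected by another whose user set differs, which is why the thread asks for identical user configuration across gateways.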
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture