On Mon, Aug 3, 2015 at 6:28 PM, Senaka Fernando <sen...@wso2.com> wrote:

> Hi Nuwan,
>
> So I think then there are few things now.
>
>    1. First the docs need to be clear on what is done @ IS - your context
>    is far clearer than what the docs actually explain.
>    2. Also related to #1 above, the actual config needs some renaming I
>    guess, it doesn't fall into place.
>    3. What if the KM is third party? Don't we have any JWT concept at
>    all? If we say no, we'd be losing a massive portion of interoperability.
>    And, if so, there needs to be a config @ GW as well that says enable JWT
>    request and there needs to be an extension point for which we can generate
>    a JWT @ the GW level if the KM was 3rd party.
>
IMO even if the key manager is 3rd party, we should generate the JWT at the
key manager side. We use the JWT to retrieve some additional information
about the user, and user information is usually available with the key manager.
On the gateway side we should get the JWT as a part of the key validation
response. Or, as you said, we can provide an interface to extract the JWT from
the validation response. So if the key manager does not send a JWT, we can
implement our own logic there.

Thanks,
sanjeewa.

> So, I think the story has a few gaps as it stands now. WDYT?
> Thanks,
> Senaka.
>
> On Mon, Aug 3, 2015 at 1:49 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> Hi Senaka,
>>
>> It's not just about enabling/disabling JWT. We also have options of
>> caching the JWT, specifying custom claims to be included in the JWT,
>> extending the JWT generator implementation to include custom attributes,
>> etc. All these are provided through the configuration on the KM since it's
>> the KM who actually would have access to user claims, application data,
>> etc. The Gateway just passes whatever information is generated by the KM as
>> the JWT to the back-end.
>>
>> Thanks,
>> NuwanD.
>>
>>
>>
>> On Mon, Aug 3, 2015 at 6:02 PM, Senaka Fernando <sen...@wso2.com> wrote:
>>
>>> Hi John,
>>>
>>> I think the IS sends back the JWT, but when you use IS as the key
>>> manager, shouldn't it be the API-M that requests for the JWT from IS? And,
>>> regardless of that the setting should be done at the API-M GW IMO, because
>>> that's what creates the JWT and passes on to the ESB for instance. I think
>>> it has to happen that way, especially with external KMs used and all.
>>> Therefore, I think this setting should be done on the API-M GW-side (if I
>>> understood correctly).
>>>
>>> AM team, what are your thoughts on this?
>>>
>>> Thanks,
>>> Senaka.
>>>
>>> On Mon, Aug 3, 2015 at 11:47 AM, John Hawkins <jo...@wso2.com> wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> I've just been following these instructions [1] to get the API-M
>>>> talking to the Identity Server. I am confused as to why I have set JWT on
>>>> in the Identity Server's api-manager.xml [2] and not just in the API-M?
>>>> Isn't it the API-M sending JWT out rather than the IS? Can someone explain
>>>> to me what's going on under-the-hood please?
>>>>
>>>>
>>>> [1]
>>>> https://docs.wso2.com/display/CLUSTER420/Configuring+the+Pre-Packaged+Identity+Server+5.0.0+with+API+Manager+1.9.0
>>>>
>>>> [2] Bullet 7: JWT configuration must be done in the
>>>> <IS_HOME>/repository/conf/api-manager.xml file in the Identity Server.
>>>>
>>>>
>>>> many thanks,
>>>> John.
>>>>
>>>>
>>>>
>>>> John Hawkins
>>>> Director: Solutions Architecture
>>>>
>>>>
>>>
>>>
>>> --
>>> Senaka Fernando
>>> Solutions Architect; WSO2 Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://apache.org
>>> E-mail: senaka AT wso2.com
>>> P: +1 408 754 7388; ext: 51736
>>> M: +44 782 741 1966
>>> Linked-In: http://linkedin.com/in/senakafernando
>>> Lean . Enterprise . Middleware
>>>
>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Technical Lead - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>>



-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
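
The flow discussed in this thread (the gateway forwards the JWT it receives in the key validation response, and falls back to its own generator when a third-party key manager sends none), as an added example that is not part of the original thread and is not WSO2 code. The field names `jwt` and `end_user`, the function names, the 15-minute lifetime and the use of HS256 (chosen so the sketch needs only the standard library) are all assumptions.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Hypothetical gateway-side fallback generator: compact JWT, HS256."""
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    mac = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(mac)])

def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Back-end check: signature first, then the header and the expiry."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"rejected JWT: {exc}") from None
    if claims.get("exp", 0) <= now:
        raise ValueError("rejected JWT: expired")
    return claims

def resolve_backend_jwt(validation: dict, key: bytes, now: int, generate=sign_jwt):
    """Return (source, jwt) for the request forwarded to the back end."""
    if validation.get("jwt"):            # the key manager already built it
        return "key-manager", validation["jwt"]
    claims = {"iss": "gateway", "sub": validation["end_user"],
              "iat": now, "exp": now + 900}
    return "gateway", generate(claims, key)   # pluggable fallback

if __name__ == "__main__":
    KEY, NOW = b"constructed-demo-key", 1_700_000_000   # constructed values
    # Constructed key validation responses: one with a JWT, one without.
    for resp in ({"end_user": "alice", "jwt": "km.issued.token"},
                 {"end_user": "alice"}):
        print(resolve_backend_jwt(resp, KEY, NOW))
```
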
