@Dulanja Liyanage <[email protected]> @Ayoma Wijethunga <[email protected]> Appreciate your thoughts on this.
On Tue, Sep 10, 2019 at 4:37 PM Dumindu Kanchana <[email protected]> wrote:
>
> On Tue, Sep 10, 2019 at 4:32 PM Dumindu Kanchana <[email protected]> wrote:
>
>> Hi all,
>>
>> For the APIM-3.0.0 release, we are introducing a new feature, "API Keys" [1], as a new application-level security option.
>>
>> We are using a JWT as the "API Key", which is going to be generated by the APIM Store. This JWT needs to be signed by the Store when generated, and we are performing the signature validation in the APIM Gateway when an API request is presented with an API Key. The certificate used for signature validation needs to be imported to the Gateway client-truststore.jks under a unique alias.
>>
>> The expected usage of the API Key is as a long-lasting valid token to consume APIs.
>>
>> We have a concern that if we are to sign the JWT using the Store's primary keystore and if a user decides to change the keystore after some time, the API Keys (JWTs) which were already created will be invalid since the signature validation fails.
>>
>> How can we address this concern and support the continuous use of API Keys for a scenario like this?
>> One suggested approach is to use the internal keystore only to sign the API Keys. Is it possible to use the internal keystore for signing in a situation like this?
>>
>> Your thoughts are highly appreciated on this.
>>
>> [1] Mail - "[APIM] [3.0] Introducing APIKeys for securing API's"
>>
>> Thanks,
>> --
>> *Dumindu Kanchna*
>> Software Engineer | WSO2
>>
>> Email : [email protected]
>> Mobile : +94766958493
>> Web : https://wso2.com
>>
>
> --
> *Dumindu Kanchna*
> Software Engineer - Support | WSO2
>
> Email : [email protected]
> Mobile : +94766958493
> Web : https://wso2.com
>

--
*Harsha Kumara*
Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com
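One way to address the keystore-rotation concern raised in the quoted mail, as an added illustration and not code from WSO2 APIM: the Gateway keeps every still-trusted signing certificate in its truststore under a unique alias, the Store writes that alias into the JWT "kid" header, and the Gateway selects the verification key by alias, so rotating the Store keystore only means adding a new alias, and previously issued API Keys keep validating until their old alias is deliberately removed. Assumed for this example: EdDSA keys in place of the keystore's certificate, the alias names and the "kid" header convention are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// TrustStore maps a cert alias (the JWT "kid" header) to its key, like client-truststore.jks.
type TrustStore map[string]ed25519.PublicKey

// NewStoreKey stands in for a Store keystore entry (EdDSA here, for brevity).
func NewStoreKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return pub, priv
}

// Sign issues a JWT API Key whose "kid" records the alias of the signing key.
func Sign(priv ed25519.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify picks the key by "kid"; a token from an old Store key stays valid while its alias is kept.
func Verify(ts TrustStore, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := enc.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed token or header")
	}
	pub, ok := ts[hdr.Kid] // alias lookup; the algorithm is pinned, not taken from "alg"
	if hdr.Alg != "EdDSA" || !ok {
		return nil, errors.New("unknown kid or unexpected alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]interface{}
	raw, _ = enc.DecodeString(parts[1])
	err = json.Unmarshal(raw, &claims)
	return claims, err
}
```

Removing an alias from the truststore is also the revocation lever for keys signed under a compromised Store certificate, which a single primary-keystore check cannot express.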
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
