Hi all,
Microgateway 3.0.x versions' support for opaque OAuth2 tokens is tightly
bound to the APIM key manager component. Right now it validates tokens using
the key validation service of APIM, which does the token validation, scope
validation, subscription validation (and back-end JWT generation if
enabled).

We will need to provide a way to plug the microgateway into an OAuth2 server
with a standard introspection endpoint for token validation. The following
limitations would be incurred due to the use of standard introspection.

1. Subscription validation cannot be enforced.
2. Rate limiting using application level throttling
3. Rate limiting using subscription level throttling
4. Completeness of analytics dashboard data

These are the same limitations we have when we use a self-contained JWT
token from a third-party key manager (STS).
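As an added example (not part of this post or of the WSO2 Microgateway sources), the following Python shows what a gateway can and cannot decide from a standard RFC 7662 introspection response: it builds the introspection request, checks the `active` flag, expiry and not-before with a timestamp skew, and enforces required scopes, while recording that subscription validation and application/subscription-level throttling cannot be enforced because the response carries no subscription or application data. The endpoint URL, client credentials, the millisecond unit of `timestamp_skew_ms` and the sample responses are assumptions constructed for the example.

```python
# Added example, not from the mailing-list post or the WSO2 Microgateway sources.
# Validates an opaque OAuth2 token using a standard RFC 7662 introspection
# endpoint and records which APIM-specific checks such a response cannot support.
import base64
import json
import time
import urllib.parse
import urllib.request


def build_introspection_request(introspect_url, token, client_id, client_secret):
    """Build the RFC 7662 POST: form-encoded 'token' parameter, HTTP Basic client auth."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        introspect_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def introspect(introspect_url, token, client_id, client_secret, timeout=5):
    """Send the request and parse the JSON response (network call; not exercised offline)."""
    req = build_introspection_request(introspect_url, token, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def evaluate_introspection(response, required_scopes, now=None, timestamp_skew_ms=5000):
    """Decide whether the token is acceptable for a resource needing `required_scopes`.

    Returns the decision, the reason, and the APIM-style checks that a plain
    introspection response cannot support (no subscription or application data).
    `timestamp_skew_ms` mirrors the config key name; the millisecond unit is an assumption.
    """
    now = time.time() if now is None else now
    skew = timestamp_skew_ms / 1000.0
    result = {
        "allowed": False,
        "reason": "",
        "client_id": response.get("client_id"),
        "not_enforceable": [
            "subscription validation",
            "application-level throttling",
            "subscription-level throttling",
        ],
    }
    # RFC 7662: 'active' is the only mandatory field; everything else is optional.
    if response.get("active") is not True:
        result["reason"] = "token inactive or unknown"
        return result
    exp = response.get("exp")
    if exp is not None and now > exp + skew:
        result["reason"] = "token expired"
        return result
    nbf = response.get("nbf")
    if nbf is not None and now + skew < nbf:
        result["reason"] = "token not yet valid"
        return result
    # Scope validation is possible: 'scope' is a space-separated list per RFC 7662.
    granted = set(response.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        result["reason"] = "missing scopes: " + " ".join(sorted(missing))
        return result
    result["allowed"] = True
    result["reason"] = "ok"
    return result


# Constructed sample responses in the RFC 7662 shape (not captured from any real server).
SAMPLE_ACTIVE = {
    "active": True,
    "client_id": "sample-client",
    "scope": "read:orders write:orders",
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "token_type": "Bearer",
}
SAMPLE_INACTIVE = {"active": False}

if __name__ == "__main__":
    print(evaluate_introspection(SAMPLE_ACTIVE, ["read:orders"], now=1_700_000_300))
    print(evaluate_introspection(SAMPLE_ACTIVE, ["admin"], now=1_700_000_300))
    print(evaluate_introspection(SAMPLE_ACTIVE, ["read:orders"], now=1_700_000_700))
    print(evaluate_introspection(SAMPLE_INACTIVE, ["read:orders"]))
```

The `not_enforceable` list is returned on every decision so that a gateway wired to a generic introspection endpoint can log which APIM-level controls are skipped for the request, which is also the data gap that leaves the analytics dashboard incomplete.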

The key manager configuration of the microgateway is shown below [1]. We can
add an additional parameter [2] to specify the use of an external key manager
instead of the WSO2 key manager.

Please share your thoughts regarding this.

[1] - [keyManager]
serverUrl="https://localhost:9443";
username="admin"  // to connect with key validation admin service
password="admin"
tokenContext="oauth2"
timestampSkew=5000

[2] - [keyManager]
serverUrl="https://localhost:9443";
username="admin"  // to connect with key validation admin service
password="admin"
tokenContext="oauth2"
timestampSkew=5000
external = true

-- 
*Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
(m) +94-717-064-214 |  (e) [email protected] <[email protected]>
blog: http://www.rajithr.com

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
