On Thu, Jan 2, 2020 at 11:35 AM Rajith Roshan <[email protected]> wrote:

> Hi Harsha,
>
> We thought of adding the following configuration sections[1] in order
> to communicate with a secured introspect endpoint.
> Currently we will be supporting basic and oauth2 for the introspect
> endpoints.
> Under oauth2 it will support the following 3 types.
> 1. Get a token with client credential grant in order to invoke introspect
> endpoint
> 2. Get a token with password grant in order to invoke introspect endpoint
> 3. Providing the direct access token for the introspect endpoint.
>
Looks good!

>
> In all these scenarios, if the refresh config is enabled, it should
> automatically refresh the token when calling the introspect endpoint.
>
>
> [1] -
> [keyManager]
> serverUrl="https://localhost:9443"
> tokenContext="oauth2"
> timestampSkew=5000
> external=false
> [keymanager.security.basic]
> enabled = true
> username="admin"
> password="admin"
> [keymanager.security.oauth2]
> enabled = false
> tokenUrl = ""
> [keymanager.security.oauth2.clientCredential]
> enabled = false
> clientId = ""
> clientSecret = ""
> scopes = ""
> [keymanager.security.oauth2.password]
> enabled = false
> clientId = ""
> clientSecret = ""
> scopes = ""
> username= ""
> password = ""
> [keymanager.security.oauth2.directToken]
> enabled = false
> accessToken = ""
> [keymanager.security.oauth2.refresh]
> enabled = false
> refreshUrl = ""
> scopes = ""
> refreshToken = ""
> clientId = ""
> clientSecret = ""
>
> On Tue, Dec 17, 2019 at 9:08 AM Rajith Roshan <[email protected]> wrote:
>
>>
>>
>> On Mon, Dec 16, 2019 at 9:37 PM Harsha Kumara <[email protected]> wrote:
>>
>>>
>>>
>>> On Mon, Dec 16, 2019 at 9:09 PM Rajith Roshan <[email protected]> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Dec 16, 2019 at 7:57 PM Harsha Kumara <[email protected]> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Dec 16, 2019 at 7:01 PM Rajith Roshan <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> Microgateway 3.0.x versions' support for opaque oauth2 tokens is
>>>>>> tightly bound to the APIM key manager component. Right now it validates
>>>>>> the token using the key validation service of APIM, which does the token
>>>>>> validation, scope validation, subscription validation (and back end jwt
>>>>>> generation if enabled).
>>>>>>
>>>>>> We will need to provide a way to plug the microgateway into an oauth2
>>>>>> server with a standard introspect endpoint for token validation. The
>>>>>> following limitations would arise due to the usage of standard introspection.
>>>>>>
>>>>>> 1. Subscription validation can not be enforced.
>>>>>> 2. Rate limiting using application level throttling
>>>>>> 3. Rate limiting using subscription level throttling
>>>>>> 4. Completeness of analytics dashboard data
>>>>>>
>>>>>> These are the same limitations we have when we use a self-contained
>>>>>> jwt token from a third party key manager (STS).
>>>>>>
>>>>>> The key manager configuration of the microgateway is below[1]. We can
>>>>>> add an additional parameter[2] to specify to use an external key manager
>>>>>> instead of the WSO2 key manager.
>>>>>>
>>>>> Can we check the authentication section of the RFC for the introspection
>>>>> endpoint and allow flexibility to configure the possible authentication
>>>>> mechanisms? Basic authentication is basic. But some might use a special
>>>>> bearer token or the clientId. Can we check [1] and provide the flexibility
>>>>> to use standard authentication for introspection?
>>>>>
>>>> The idea here is to support standard introspection for token
>>>> validation in the microgateway. When a request comes to the microgateway
>>>> with a bearer header it will validate the token using the standard
>>>> introspect endpoint. It will also support wso2 key manager (APIM) token
>>>> validation if external key managers are not used.
>>>>
>>> Yes, that's correct. The introspection API is protected with different
>>> authentication mechanisms by different providers. I just wanted to check
>>> whether there are any standard types, such as protected with client Id
>>> etc., and check on the feasibility of giving those options.
>>>
>> Yes, since the spec [1] does not explicitly explain the security
>> mechanisms to protect the introspect endpoint, different vendors might be
>> using different techniques. We need to come up with a common way to provide
>> security credentials (user credentials, token, etc.) when using the
>> introspect endpoint from the microgateway.
>>
>>>
>>>>> [1]
>>>>>
>>>>>>
>>>>>> Please share your thoughts regarding this.
>>>>>>
>>>>>> [1] - [keyManager]
>>>>>> serverUrl="https://localhost:9443"
>>>>>> username="admin"  # to connect with key validation admin service
>>>>>> password="admin"
>>>>>> tokenContext="oauth2"
>>>>>> timestampSkew=5000
>>>>>>
>>>>>> [2] - [keyManager]
>>>>>> serverUrl="https://localhost:9443"
>>>>>> username="admin"  # to connect with key validation admin service
>>>>>> password="admin"
>>>>>> tokenContext="oauth2"
>>>>>> timestampSkew=5000
>>>>>> external = true
>>>>>>
>>>>>> --
>>>>>> *Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
>>>>>> (m) +94-717-064-214 |  (e) [email protected] <[email protected]>
>>>>>> blog: http://www.rajithr.com
>>>>>>
>>>>>> <https://wso2.com/signature>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Harsha Kumara*
>>>>>
>>>>> Technical Lead, WSO2 Inc.
>>>>> Mobile: +94775505618
>>>>> Email: [email protected]
>>>>> Blog: harshcreationz.blogspot.com
>>>>>
>>>>> GET INTEGRATION AGILE
>>>>> Integration Agility for Digitally Driven Business
>>>>>
>>>>


-- 

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
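The configuration sections proposed in the thread above, exercised by a small introspection client. This is an added example, not Microgateway's own code: it is written in Python rather than Ballerina, takes the `[keymanager.security.*]` sections as a dict, uses an injected transport in place of HTTP, and assumes the introspect path `{serverUrl}/oauth2/introspect`; the endpoint URLs and credentials are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, urlencode

def basic_auth(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

class IntrospectClient:
    """POSTs to {serverUrl}/oauth2/introspect, authenticating per cfg['basic'] or cfg['oauth2']."""
    def __init__(self, cfg, post, now):  # post(url, headers, form_body) -> dict; now() -> epoch seconds
        self.cfg, self.post, self.now, self.token, self.expires_at = cfg, post, now, None, 0.0
        self.refresh_token = cfg["oauth2"]["refresh"]["refreshToken"]
    def _grant(self, url, cid, secret, form):  # the gateway itself authenticates to the token endpoint with Basic
        resp = self.post(url, {"Authorization": basic_auth(cid, secret)}, urlencode(form))
        self.token, self.expires_at = resp["access_token"], self.now() + resp.get("expires_in", 0)
        self.refresh_token = resp.get("refresh_token", self.refresh_token)  # server may hand out a new one
        return self.token
    def _bearer(self):
        o = self.cfg["oauth2"]
        if o["directToken"]["enabled"]: return o["directToken"]["accessToken"]  # static token, lifetime managed outside
        if self.token and self.now() < self.expires_at: return self.token       # cached token still valid
        r, c, p = o["refresh"], o["clientCredential"], o["password"]
        if self.token and r["enabled"] and self.refresh_token:  # expired: refresh instead of re-issuing
            return self._grant(r["refreshUrl"], r["clientId"], r["clientSecret"], {"grant_type": "refresh_token",
                               "refresh_token": self.refresh_token, "scope": r["scopes"]})
        if c["enabled"]:
            return self._grant(o["tokenUrl"], c["clientId"], c["clientSecret"],
                               {"grant_type": "client_credentials", "scope": c["scopes"]})
        return self._grant(o["tokenUrl"], p["clientId"], p["clientSecret"], {"grant_type": "password",
                           "username": p["username"], "password": p["password"], "scope": p["scopes"]})
    def introspect(self, opaque_token):
        b = self.cfg["basic"]
        auth = basic_auth(b["username"], b["password"]) if b["enabled"] else "Bearer " + self._bearer()
        return self.post(self.cfg["serverUrl"] + "/oauth2/introspect", {"Authorization": auth},
                         urlencode({"token": opaque_token}))

def demo():  # constructed scenario: client-credential mode with refresh enabled; no network is used
    grants, clock = [], [1000.0]
    def fake_idp(url, headers, body):  # stands in for both the token endpoint and the introspect endpoint
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if url.endswith("/oauth2/introspect"):
            return {"active": True, "auth": headers["Authorization"]}
        grants.append(form["grant_type"])
        return {"access_token": f"tok{len(grants)}", "expires_in": 60, "refresh_token": "rt1"}
    cfg = {"serverUrl": "https://localhost:9443", "basic": {"enabled": False},  # placeholder values
           "oauth2": {"tokenUrl": "https://idp.example/oauth2/token", "password": {"enabled": False},
                      "directToken": {"enabled": False}, "clientCredential": {"enabled": True, "clientId": "mgw", "clientSecret": "s3cr3t", "scopes": "introspect"},
                      "refresh": {"enabled": True, "refreshUrl": "https://idp.example/oauth2/token", "scopes": "introspect", "refreshToken": "", "clientId": "mgw", "clientSecret": "s3cr3t"}}}
    client = IntrospectClient(cfg, fake_idp, now=lambda: clock[0])
    first = client.introspect("opaque-abc")["auth"]   # first call obtains tok1 via client_credentials
    clock[0] += 120                                    # tok1 is now past its expires_in
    second = client.introspect("opaque-abc")["auth"]  # refresh_token grant yields tok2 before introspecting
    return grants, first, second
```

`demo()` shows the refresh rule from the thread in action: the second introspection call triggers a refresh_token grant rather than a fresh client_credentials grant once the cached token has expired.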
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev