Re: [Architecture] IS550: Oauth Role or XACML scope validation

2018-05-04 Thread Farasath Ahamed
On Friday, May 4, 2018, Vadim Kimlaychuk 
wrote:

> Dear architects,
>
>   I am trying to implement validation for OAuth tokens described here:
> https://docs.wso2.com/display/IS560/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies.
> Since this example failed for me, I have tried to do something similar with role
> validation described here:
> https://docs.wso2.com/display/IS560/Configuring+Access+Control+Policy+for+a+Service+Provider.
> When none of them worked, I started to investigate the server logs and saw
> that no validation seems to happen. Should I write some module/class and
> register it to make it work, or should configuration through the UI be enough?
>
>   My test scenario with IS 5.5.0 and curl is the following:
>
> 1. Registered SP Playground2 with OAuth2/OpenID Connect configuration.
>    "Authorization", "SaaS", "Role based scope validator" and "XACML Scope
>    Validator" options are enabled.
> 2. curl -u : -k -d "grant_type=password=user=user1"
>    -H "Content-Type:application/x-www-form-urlencoded"
>    https://localhost:9443/oauth2/token
>    works and I got an access token.
> 3. Created PAP from auth_role_based_policy where user "user" is
>    "denied" because he is not in the role. Checked it with "Try" -- works.
> 4. Published to PDP.
> 5. Tried curl to issue a new token -- token issued as before. No
>    restriction for the user.
>
>   Maybe I am using it in a wrong way?
>
> Thanks in advance,
>
> Vadim
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] IS550: Oauth Role or XACML scope validation

2018-05-04 Thread Vadim Kimlaychuk

Dear architects,

  I am trying to implement validation for OAuth tokens described here:
https://docs.wso2.com/display/IS560/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies.
Since this example failed for me, I have tried to do something similar with role
validation described here:
https://docs.wso2.com/display/IS560/Configuring+Access+Control+Policy+for+a+Service+Provider.
When none of them worked, I started to investigate the server logs and saw
that no validation seems to happen. Should I write some module/class and
register it to make it work, or should configuration through the UI be enough?


  My test scenario with IS 5.5.0 and curl is the following:

1. Registered SP Playground2 with OAuth2/OpenID Connect configuration.
   "Authorization", "SaaS", "Role based scope validator" and "XACML Scope
   Validator" options are enabled.
2. curl -u : -k -d "grant_type=password=user=user1"
   -H "Content-Type:application/x-www-form-urlencoded"
   https://localhost:9443/oauth2/token
   works and I got an access token.
3. Created PAP from auth_role_based_policy where user "user" is
   "denied" because he is not in the role. Checked it with "Try" -- works.
4. Published to PDP.
5. Tried curl to issue a new token -- token issued as before. No
   restriction for the user.

  Maybe I am using it in a wrong way?

Thanks in advance,

Vadim

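A small Python harness, added here as an example and not part of the original post or of WSO2's code, that sends the same password-grant request as the curl command above to the token endpoint and reports whether a token was issued or the request was refused with an OAuth error object (RFC 6749 section 5.2). It gives a client-side view of whether a published policy takes effect, to set beside what the server logs show. The client credentials, the user password and the scope value are placeholders (assumptions); the endpoint URL is the one from the post, and the explicit `scope` parameter is an addition so that the scope validators have a requested scope to evaluate.

```python
"""Added example (not from the thread or from WSO2): send a resource-owner
password grant to the IS token endpoint and report whether a token was
issued or refused, as a client-side check of scope/role validation."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret,
                        username, password, scope=None):
    """Build the POST the curl command in the post sends (RFC 6749 section 4.3).

    Client credentials go in an HTTP Basic header (what curl -u does);
    scope is optional but gives the scope validators something to evaluate."""
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def classify_token_response(status, body):
    """Turn HTTP status + body into ("issued", granted_scopes),
    ("denied", oauth_error_code) or ("unexpected", detail).

    A success reply carries access_token (RFC 6749 section 5.1); a refusal
    carries an error code such as invalid_scope or invalid_grant (5.2)."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return ("unexpected", f"non-JSON body with HTTP {status}")
    if status == 200 and "access_token" in data:
        # granted scopes come back space-separated (RFC 6749 section 3.3)
        return ("issued", data.get("scope", "").split())
    if "error" in data:
        return ("denied", data["error"])
    return ("unexpected", f"HTTP {status} with keys {sorted(data)}")


def request_token(token_url, client_id, client_secret, username, password,
                  scope=None, verify_tls=True):
    """Send the request and classify the reply. verify_tls=False mirrors
    curl -k and is only acceptable against a local dev server's self-signed cert."""
    req = build_token_request(token_url, client_id, client_secret,
                              username, password, scope)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # 400/401 replies carry the OAuth error object in the body
        return classify_token_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Placeholder credentials and scope; the URL is the one from the post.
    print(request_token("https://localhost:9443/oauth2/token",
                        "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                        "user", "USER_PASSWORD_PLACEHOLDER",
                        scope="SCOPE_PLACEHOLDER", verify_tls=False))
```

Run it once before and once after publishing the policy to the PDP: a verdict that changes from `("issued", [...])` to `("denied", "<error code>")` shows the policy taking effect at the token endpoint, while a verdict that stays `issued` reproduces from the client side what the server logs showed in the post.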


Re: [Architecture] [APIM][API-Manager gateway] Attaching Labels for APIs

2018-05-04 Thread Nuwan Dias
I think it should be in the rxt as a field. Storing it as a property seems
like a hack to me. And yes, storing on a separate DB will cause
complications with queries since the rest of the data is in the rxt.

On Fri, May 4, 2018 at 5:45 PM, Malintha Amarasinghe 
wrote:

> Hi,
>
> On Fri, May 4, 2018 at 11:15 AM, Prasanna Dangalla 
> wrote:
>
>>
>> HI,
>>
>>
>>
>> On Fri, May 4, 2018 at 11:07 AM Chamin Dias  wrote:
>>
>>> On Fri, May 4, 2018 at 9:19 AM, Dinusha Dissanayake 
>>> wrote:
>>>

>
> AFAIU we are going to use labels when downloading a subset of APIs via
> Microgateway. If it is not mandatory to have the labels, how are we going
> to handle the APIs without labels in Microgateway? Are we not going to
> download the APIs without labels?
>
 As Sachini has mentioned above, if a subset of APIs is to be deployed in
 the micro gateway, it needs to have a label. Say the APIs have a default
 label called "def_label". Then if we call "setup def_label", all the APIs
 will be deployed in the micro gateway. Hence I do not think having a
 default label would add significant value. Only the APIs that need to be
 deployed in the micro gateways will have labels AFAIR. (Please correct me
 if I am wrong.)

>>>
>>> Agree with Dinusha. As per the previous discussions
>>> 
>>> also this fact has been confirmed. Hence the business value of adding a
>>> default label would be minor IMHO.
>>>
>> Yes, IMO too it is not mandatory to add a default value to the label.
>>
>> We need to decide how we are storing the label values that are attached to
>> a specific label. There are three options as per the discussion we had.
>>
>>    - Store it as an API RXT field value.
>>    - Add the label as a property to the API resource.
>>    - Add the label to AM_DB.
>>
> All current search queries we are running in the registry (Solr). If we use a
> separate mapping in AM_DB, we might not be able to use multiple searches at
> the same time, e.g. search APIs which have the label "Internal" and status
> "PUBLISHED" or "PROTOTYPED", since we do not keep the status in the DB.
>
> So I think we need to go for option 1 or 2. WDYT?
>
> Can we store multivalued attributes in registry properties?
>
> Thanks!
> Malintha
>
>
>> Your thoughts on the above factor are highly appreciated.
>>
>> @Chamin: Can you share a diagram of the flow that we discussed?
>>
>> Thanks
>> Prasanna
>>
>>
>>>

 Thanks,
 DinushaD.



>>>
>>>
>>> --
>>> Chamin Dias
>>> Mobile : 0716097455
>>> Email : cham...@wso2.com
>>> LinkedIn : https://www.linkedin.com/in/chamindias
>>>
>>>
>>
>>
>>
>
>
> --
> Malintha Amarasinghe
> *WSO2, Inc. - lean | enterprise | middleware*
> http://wso2.com/
>
> Mobile : +94 712383306
>
>
>


-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729


Re: [Architecture] [APIM][API-Manager gateway] Attaching Labels for APIs

2018-05-04 Thread Malintha Amarasinghe
Hi,

On Fri, May 4, 2018 at 11:15 AM, Prasanna Dangalla 
wrote:

>
> HI,
>
>
>
> On Fri, May 4, 2018 at 11:07 AM Chamin Dias  wrote:
>
>> On Fri, May 4, 2018 at 9:19 AM, Dinusha Dissanayake 
>> wrote:
>>
>>>

 AFAIU we are going to use labels when downloading a subset of APIs via
 Microgateway. If it is not mandatory to have the labels, how are we going
 to handle the APIs without labels in Microgateway? Are we not going to
 download the APIs without labels?

>>> As Sachini has mentioned above, if a subset of APIs is to be deployed in
>>> the micro gateway, it needs to have a label. Say the APIs have a default
>>> label called "def_label". Then if we call "setup def_label", all the APIs
>>> will be deployed in the micro gateway. Hence I do not think having a
>>> default label would add significant value. Only the APIs that need to be
>>> deployed in the micro gateways will have labels AFAIR. (Please correct me
>>> if I am wrong.)
>>>
>>
>> Agree with Dinusha. As per the previous discussions
>> 
>> also this fact has been confirmed. Hence the business value of adding a
>> default label would be minor IMHO.
>>
> Yes, IMO too it is not mandatory to add a default value to the label.
>
> We need to decide how we are storing the label values that are attached to
> a specific label. There are three options as per the discussion we had.
>
>    - Store it as an API RXT field value.
>    - Add the label as a property to the API resource.
>    - Add the label to AM_DB.
>
All current search queries we are running in the registry (Solr). If we use a
separate mapping in AM_DB, we might not be able to use multiple searches at
the same time, e.g. search APIs which have the label "Internal" and status
"PUBLISHED" or "PROTOTYPED", since we do not keep the status in the DB.

So I think we need to go for option 1 or 2. WDYT?

Can we store multivalued attributes in registry properties?

Thanks!
Malintha


> Your thoughts on the above factor are highly appreciated.
>
> @Chamin: Can you share a diagram of the flow that we discussed?
>
> Thanks
> Prasanna
>
>
>>
>>>
>>> Thanks,
>>> DinushaD.
>>>
>>>
>>>
>>
>>
>> --
>> Chamin Dias
>> Mobile : 0716097455
>> Email : cham...@wso2.com
>> LinkedIn : https://www.linkedin.com/in/chamindias
>>
>>
>
>
>


-- 
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/

Mobile : +94 712383306


[Architecture] WSO2 API Manager 2.2.0-update4 Released!

2018-05-04 Thread Harsha Kumara
The WSO2 API Manager team is pleased to announce the release of version
2.2.0-update4 of API Manager.

WSO2 API Manager is a platform for creating, managing, consuming and
monitoring APIs. It employs proven SOA best practices to solve a wide range
of API management challenges such as API provisioning, API governance, API
security and API monitoring. It combines some of the most powerful and
mature components of the WSO2's state-of-the-art Carbon platform to deliver
a smooth and end-to-end API management experience while catering to both
API publisher and API consumer requirements.

WSO2 API Manager is comprised of several modules.

   - API Provider: Define new APIs and manage them
   - API Store: Browse published APIs and subscribe to them
   - API Gateway: The underlying API runtime based on WSO2 ESB
   - API Key Manager: Performs Key Generation and Key Validation
   functionalities
   - API Traffic Manager: Performs Rate Limiting of API Requests

For more information on WSO2 API Manager please visit
http://wso2.com/products/api-manager. Also, take a look at the online product
documentation.

Distributions
wso2am-2.2.0-update4.zip

ws02am-micro-gw-2.2.0-update2.zip


wso2am-analytics-2.2.0-update1.zip


How to Run

   1. Extract the downloaded zip
   2. Go to the bin directory in the extracted folder
   3. Run the wso2server.sh or wso2server.bat as appropriate
   4. Launch a web browser and navigate to https://localhost:9443/publisher to
   access the API publisher webapp
   5. Navigate to https://localhost:9443/store to access the API store
   6. Navigate to https://localhost:9443/admin to access Admin Portal
   7. Use "admin", "admin" as the username and password to login as an admin

Bug Fixes And Improvements in 2.2.0-update4

   - GitHub (Product-apim)

Known Issues

All the open issues pertaining to WSO2 API Manager are reported at the
following location:

   - GitHub (Product-apim), (Carbon-apimgt), (Analytics-apim)

How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

   - Developer List: d...@wso2.org | Subscribe | Mail Archive
   - User List: u...@wso2.org | Subscribe | Mail Archive

Reporting Issues

We encourage you to report issues, documentation faults, and feature
requests regarding WSO2 API Manager through the public API Manager Git Repo.

-- The WSO2 API Manager Team --

-- 
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog:harshcreationz.blogspot.com


Re: [Architecture] WSO2 IS/APIM : support Mutual TLS Profile for OAuth 2.0 ?

2018-05-04 Thread Sathya Bandara
Hi Youcef,

Currently this feature supports client authentication using self-signed
certificates. You can refer the official documentation at [1].

[1]
https://docs.wso2.com/pages/viewpage.action?spaceKey=IS550=Mutual+TLS+for+OAuth+Clients

Thanks,
Sathya

On Fri, May 4, 2018 at 1:50 PM, Youcef HILEM 
wrote:

> Hi,
> Good news : I just found that it's implemented :
> [1] https://github.com/wso2/product-is/issues/2751
> [2]
> http://wso2-oxygen-tank.10903.n7.nabble.com/IS-5-5-0-TLS-
> Mutual-Authentication-for-OAuth-2-0-clients-td155448.html
> [3]
> https://medium.com/@technospace/mutual-tls-for-
> oauth-client-authentication-cdd595d4dcac
>
> I will see how to use it with APIM.
>
>
> Thanks
> Youcef HILEM
>
>
>
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


Re: [Architecture] [APIM] Label feature for API-Manager gateway

2018-05-04 Thread Krishan Wijesena
Hi Chamin,

On Thu, May 3, 2018 at 10:27 PM, Chamin Dias  wrote:

> Hi Krishan,
>
> On Thu, May 3, 2018 at 3:29 PM, Nuwan Dias  wrote:
>
>>
>>
>> On Thu, May 3, 2018 at 2:43 PM, Pubudu Gunatilaka 
>> wrote:
>>
>>> Hi Nuwan,
>>>
>>> On Thu, May 3, 2018 at 1:07 PM Nuwan Dias  wrote:
>>>


 On Thu, May 3, 2018 at 1:02 PM, Pubudu Gunatilaka 
 wrote:

> Hi Krishan
> On Thu, May 3, 2018 at 12:53 PM Harsha Kumara 
> wrote:
>
>>
>>
>> On Wed, May 2, 2018 at 6:26 PM, Krishan Wijesena 
>> wrote:
>>
>>> Hi All,
>>>
>>>
>>> Currently, I'm working on the labeling feature for the API Manager
>>> gateway. API Manager needs to allow adding labels to the APIs in the
>>> create/update phases from the publisher, so that labels help to group
>>> APIs into an API Manager gateway.
>>>
>>> If the user requests a particular label, then it provides the set
>>> of APIs that are deployed in the same gateway.
>>>
>>> As an initial phase, labels should be defined by the
>>> admin (super/tenant) using the admin dashboard, and the particular label
>>> should have a set of properties.
>>>
>>> To do that I need to introduce an AM_LABEL table to the AM database to
>>> store the labels; its schema is as follows.
>>>
>>> LABEL_ID is the primary key and (NAME & TENANT_ID) is unique.
>>>
>>> A label should have separate HTTP and HTTPS base paths.
>>>
>> What will be stored in the base path? Basically we can create labels and
>> assign them to APIs.
>>
>
>>>
>>>
>>>
> We only need label_id and it can be a UUID value.
>
> HTTP/HTTPS base paths are wrong. This has to be the access URLs of the
> gateway. For example, we can have a label called Public and it can have
> the following access URLs.
>
> http://wso2.gw.com
> https://wso2.gw.com
>
>
> Have we analyzed the impact on the import/export tool W.R.T. these labels?
> E.g.: how do we deal with these URLs when using the tool?
>
   If the user imports the APIs, these URLs should be changed according to the
environment, and this should be handled at API import time.

>
>
>> Additionally we need to add WebSocket endpoints as well. So we need to
>> have 4 types of access URLs in here.
>
> Are we not using the endpoints defined in the APIGateway section here
> after, or what is the strategy going forward?
>

 This 'label' would only be used by the new Ballerina based microgateway
 we hope to introduce. Our current/old Gateway would still be exposed over
 the Endpoint defined in the APIGateway section of the api-manager.xml.

>
> Are we adding a default label for APIs when creating/publishing?
>

 Do we have a need to?

>>>
>>> This depends on how we get APIs from the gateway. We can give a label to the
>>> gateway and get all the APIs with that label. If we don't specify a label
>>> in the gateway, we need to define how we treat it here. We can get all the
>>> APIs with or without labels. Or else we can get only the APIs that do not
>>> have any label in the API.
>>>
>>> If we have in mind to introduce the labels to Store as well in the
>>> future, better to have a label type in the db. This is how we have done in
>>> APIM v3.
>>>
>>
>> I don't think we'll be able to introduce a Store label for APIM 2.x.
>> Since we're doing this feature for API Manager 2.x, and since it has the
>> old/monolith Gateway which hosts all APIs anyway, I think it's less
>> important to have to deploy all APIs on a Microgateway. Which
>> lessens the need for a default label.
>>
>>>
>>> @Krishan Wijesena  : I think it is better to have a
>>> separate table for access URLs. In the future, if we need to treat the
>>> protocol of the access URLs, then having a separate table would be easy.
>>> Also, rather than altering the API table to attach the label id of the API, we
>>> should have a separate table for API-to-label mapping. An API can have
>>> multiple labels.
>>>
>>> Thank you!
>>> --
>>> *Pubudu Gunatilaka*
>>> Committer and PMC Member - Apache Stratos
>>> Senior Software Engineer
>>> WSO2, Inc.: http://wso2.com
>>> mobile : +94774078049
>>>
>>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>>
>>
>>
>
>
> --
> Chamin Dias
> Mobile : 0716097455
> Email : cham...@wso2.com
> LinkedIn : https://www.linkedin.com/in/chamindias
>
>
>
>
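As an added example (not code from the thread or from WSO2), the label-definition storage discussed above modelled in SQLite from Python: an AM_LABEL table keyed by a UUID LABEL_ID with (NAME, TENANT_ID) unique, and the gateway access URLs kept in their own table as Pubudu suggested. AM_LABEL, LABEL_ID, NAME and TENANT_ID are the names from the thread; the table name AM_LABEL_URLS, the column list, and the reading of the "4 types of access urls" as http, https, ws and wss are assumptions. The API-to-label mapping, which the "Attaching Labels for APIs" thread above debates as an RXT field versus a registry property versus AM_DB, is deliberately left out.

```python
"""Added example, not code from the thread or from WSO2: an in-memory SQLite
model of the label storage discussed above. AM_LABEL, LABEL_ID, NAME and
TENANT_ID are the names from the thread; AM_LABEL_URLS and the column list
are assumptions made for this example."""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE AM_LABEL (
    LABEL_ID    TEXT PRIMARY KEY,            -- UUID, as proposed in the thread
    NAME        TEXT NOT NULL,
    DESCRIPTION TEXT,
    TENANT_ID   INTEGER NOT NULL,
    UNIQUE (NAME, TENANT_ID)                 -- same name may exist in another tenant
);
CREATE TABLE AM_LABEL_URLS (                 -- assumed name: access URLs kept apart
    LABEL_ID    TEXT NOT NULL REFERENCES AM_LABEL(LABEL_ID) ON DELETE CASCADE,
    ACCESS_URL  TEXT NOT NULL,
    PRIMARY KEY (LABEL_ID, ACCESS_URL)
);
"""

# Assumed: the four URL types are HTTP, HTTPS and the two WebSocket schemes.
ALLOWED_SCHEMES = ("http", "https", "ws", "wss")


class DuplicateLabel(Exception):
    """The label row conflicts with an existing one (NAME already used in the tenant)."""


def open_store():
    """Create a fresh in-memory store with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_label(conn, name, tenant_id, access_urls, description=None):
    """Insert a label plus its gateway access URLs; return the new LABEL_ID."""
    for url in access_urls:
        scheme, sep, _ = url.partition("://")
        if not sep or scheme.lower() not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported access URL: {url}")
    label_id = str(uuid.uuid4())
    try:
        with conn:  # one transaction: label row and URL rows commit together
            conn.execute("INSERT INTO AM_LABEL VALUES (?, ?, ?, ?)",
                         (label_id, name, description, tenant_id))
            conn.executemany("INSERT INTO AM_LABEL_URLS VALUES (?, ?)",
                             [(label_id, u) for u in access_urls])
    except sqlite3.IntegrityError as err:
        raise DuplicateLabel(
            f"label {name!r} conflicts with an existing row in tenant {tenant_id}"
        ) from err
    return label_id


def access_urls_for(conn, name, tenant_id):
    """Resolve a label name within a tenant to its access URLs (sorted)."""
    rows = conn.execute(
        "SELECT u.ACCESS_URL FROM AM_LABEL l "
        "JOIN AM_LABEL_URLS u ON u.LABEL_ID = l.LABEL_ID "
        "WHERE l.NAME = ? AND l.TENANT_ID = ? ORDER BY u.ACCESS_URL",
        (name, tenant_id)).fetchall()
    return [r[0] for r in rows]


def delete_label(conn, label_id):
    """Delete a label; the FK cascade removes its URL rows. Returns the
    number of URL rows still referencing the id (expected 0)."""
    with conn:
        conn.execute("DELETE FROM AM_LABEL WHERE LABEL_ID = ?", (label_id,))
    return conn.execute("SELECT COUNT(*) FROM AM_LABEL_URLS WHERE LABEL_ID = ?",
                        (label_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_store()
    # -1234 is the Carbon super-tenant id; the URLs are the ones from the thread
    public = create_label(db, "Public", -1234,
                          ["http://wso2.gw.com", "https://wso2.gw.com"])
    print(access_urls_for(db, "Public", -1234))
```

The composite UNIQUE constraint is what lets two tenants each own a label named "Public" while rejecting a second "Public" inside one tenant, and the cascade on the URL table means deleting a label cannot leave orphaned access URLs behind.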

Re: [Architecture] WSO2 IS/APIM : support Mutual TLS Profile for OAuth 2.0 ?

2018-05-04 Thread Youcef HILEM
Hi,
Good news: I just found that it's implemented:
[1] https://github.com/wso2/product-is/issues/2751
[2]
http://wso2-oxygen-tank.10903.n7.nabble.com/IS-5-5-0-TLS-Mutual-Authentication-for-OAuth-2-0-clients-td155448.html
[3]
https://medium.com/@technospace/mutual-tls-for-oauth-client-authentication-cdd595d4dcac

I will see how to use it with APIM.


Thanks
Youcef HILEM


