Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-16 Thread Ishara Cooray
Hi Tharindu,
We have changed the REST API tagging convention in the publisher and devportal
REST APIs since 3.0.0 to use a common tag without separating into Collection
and Individual.
Shall we use the same convention here, so that all of these fall under the Key
Manager tag?

Regarding the new table definition, if there is no specific reason for the
APIM_KEYMGT_MAPPING and APIM_KEY_MANAGER names, I would prefer to use AM
instead of APIM.
WDYT?


Thanks & Regards,
Ishara Cooray
Associate Technical Lead
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware


On Thu, Apr 16, 2020 at 11:14 PM Tharindu Dharmarathna 
wrote:

> Hi All,
> Please find the database diagram for the implementation.
>
> [image: db diagram.png]
>
> Let us know any feedback on this.
>
> Thanks & Regards
>
> On Thu, Apr 16, 2020 at 10:29 PM Tharindu Dharmarathna 
> wrote:
>
>> Hi Farasath,
>>
>> The authentication on those endpoints depends on the implementation for the
>> specific OAuth provider; configuration key-value elements will be requested
>> from the user to retrieve those details.
>>
>> On Thu, Apr 16, 2020 at 6:34 PM Farasath Ahamed 
>> wrote:
>>
>>>
>>>
>>> On Tue, Apr 14, 2020 at 10:13 PM Tharindu Dharmarathna <
>>> tharin...@wso2.com> wrote:
>>>
 Hi All,

 We are going to implement multiple OAuth provider support in WSO2 API
 Management. With this feature, dev portal users can create their OAuth
 application on pre-defined OAuth providers.

 1. Tenant admin creates an OAuth provider from the Admin portal by
 providing the OAuth provider details.

- Client Registration endpoint
- Introspection Endpoint
- Scope Management Endpoint
- Token Endpoint
- Revoke Endpoint
- Endpoint Security Details
- Token Validation Regex.

>>> Just a suggestion, most OAuth/OIDC providers expose a .well-known
>>> configuration endpoint that gives some of these endpoints. For example,
>>> https://accounts.google.com/.well-known/openid-configuration
>>> Maybe we can support populating the URLs using that endpoint as well,
>>> in addition to configuring them manually.
>>>
 2. Application developer creates the application, defining the OAuth
 provider type.
 3. Application developer generates the keys from the UI.

- Checks whether consumer key generation can be done in the specific
OAuth provider.
- Generates the OAuth app on the OAuth provider and retrieves the OAuth
application details.

 4. Application developer retrieves the application details from the UI.

- Checks for the OAuth provider selected.
- Retrieves the OAuth app details from the respective OAuth provider
selected.

 5. Generating OAuth Token

- The token generation call will directly proxy to the token endpoint
of the respective OAuth provider.

 6. Validating the Token.

- The token generated by an OAuth provider contains a specific change
related to the token.
- Before validating the token, we check which OAuth provider the token
belongs to using the given Token Validation Regex.
- The token gets validated by the selected OAuth provider, and then the
information related to the token is retrieved.

 7. Delete the Application

- The OAuth application will be removed from the respective OAuth provider
assigned.


 I appreciate any thoughts and feedback on this.

>>>
>>> Also, some of the endpoints exposed by OAuth providers will be protected
>>> with different auth mechanisms. How do we plan to handle this?
>>>
>>>


 Thanks

 *Tharindu Dharmarathna*Technical Lead
 WSO2 Inc.; http://wso2.com
 lean.enterprise.middleware
 mobile: *+94779109091*
 ___
 Architecture mailing list
 Architecture@wso2.org
 https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

>>>
>>>
>>> --
>>> Farasath Ahamed
>>> Associate Technical Lead, WSO2 Inc.: http://wso2.com
>>> Mobile: +94777603866
>>> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
>>> Twitter: @farazath619 
>>> 
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Tharindu Dharmarathna*Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: *+94779109091*
>>
>
>
> --
>
> *Tharindu Dharmarathna*Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94779109091*
>

Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-16 Thread Tharindu Dharmarathna
Hi All,
Please find the database diagram for the implementation.

[image: db diagram.png]

Let us know any feedback on this.

Thanks & Regards

On Thu, Apr 16, 2020 at 10:29 PM Tharindu Dharmarathna 
wrote:

> Hi Farasath,
>
> The authentication on those endpoints depends on the implementation for the
> specific OAuth provider; configuration key-value elements will be requested
> from the user to retrieve those details.
>
> On Thu, Apr 16, 2020 at 6:34 PM Farasath Ahamed 
> wrote:
>
>>
>>
>> On Tue, Apr 14, 2020 at 10:13 PM Tharindu Dharmarathna <
>> tharin...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> We are going to implement multiple OAuth provider support in WSO2 API
>>> Management. With this feature, dev portal users can create their OAuth
>>> application on pre-defined OAuth providers.
>>>
>>> 1. Tenant admin creates an OAuth provider from the Admin portal by providing
>>> the OAuth provider details.
>>>
>>>- Client Registration endpoint
>>>- Introspection Endpoint
>>>- Scope Management Endpoint
>>>- Token Endpoint
>>>- Revoke Endpoint
>>>- Endpoint Security Details
>>>- Token Validation Regex.
>>>
>> Just a suggestion, most OAuth/OIDC providers expose a .well-known
>> configuration endpoint that gives some of these endpoints. For example,
>> https://accounts.google.com/.well-known/openid-configuration
>> Maybe we can support populating the URLs using that endpoint as well,
>> in addition to configuring them manually.
>>
>>> 2. Application developer creates the application, defining the OAuth
>>> provider type.
>>> 3. Application developer generates the keys from the UI.
>>>
>>>- Checks whether consumer key generation can be done in the specific
>>>OAuth provider.
>>>- Generates the OAuth app on the OAuth provider and retrieves the OAuth
>>>application details.
>>>
>>> 4. Application developer retrieves the application details from the UI.
>>>
>>>- Checks for the OAuth provider selected.
>>>- Retrieves the OAuth app details from the respective OAuth provider
>>>selected.
>>>
>>> 5. Generating OAuth Token
>>>
>>>- The token generation call will directly proxy to the token endpoint
>>>of the respective OAuth provider.
>>>
>>> 6. Validating the Token.
>>>
>>>- The token generated by an OAuth provider contains a specific change
>>>related to the token.
>>>- Before validating the token, we check which OAuth provider the token
>>>belongs to using the given Token Validation Regex.
>>>- The token gets validated by the selected OAuth provider, and then the
>>>information related to the token is retrieved.
>>>
>>> 7. Delete the Application
>>>
>>>- The OAuth application will be removed from the respective OAuth provider
>>>assigned.
>>>
>>>
>>> I appreciate any thoughts and feedback on this.
>>>
>>
>> Also, some of the endpoints exposed by OAuth providers will be protected
>> with different auth mechanisms. How do we plan to handle this?
>>
>>
>>>
>>>
>>> Thanks
>>>
>>> *Tharindu Dharmarathna*Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> mobile: *+94779109091*
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Associate Technical Lead, WSO2 Inc.: http://wso2.com
>> Mobile: +94777603866
>> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
>> Twitter: @farazath619 
>> 
>>
>>
>>
>>
>
>
> --
>
> *Tharindu Dharmarathna*Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94779109091*
>


-- 

*Tharindu Dharmarathna*Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94779109091*


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-16 Thread Tharindu Dharmarathna
Hi Farasath,

The authentication on those endpoints depends on the implementation for the
specific OAuth provider; configuration key-value elements will be requested
from the user to retrieve those details.

On Thu, Apr 16, 2020 at 6:34 PM Farasath Ahamed  wrote:

>
>
> On Tue, Apr 14, 2020 at 10:13 PM Tharindu Dharmarathna 
> wrote:
>
>> Hi All,
>>
>> We are going to implement multiple OAuth provider support in WSO2 API
>> Management. With this feature, dev portal users can create their OAuth
>> application on pre-defined OAuth providers.
>>
>> 1. Tenant admin creates an OAuth provider from the Admin portal by providing
>> the OAuth provider details.
>>
>>- Client Registration endpoint
>>- Introspection Endpoint
>>- Scope Management Endpoint
>>- Token Endpoint
>>- Revoke Endpoint
>>- Endpoint Security Details
>>- Token Validation Regex.
>>
> Just a suggestion, most OAuth/OIDC providers expose a .well-known
> configuration endpoint that gives some of these endpoints. For example,
> https://accounts.google.com/.well-known/openid-configuration
> Maybe we can support populating the URLs using that endpoint as well,
> in addition to configuring them manually.
>
>> 2. Application developer creates the application, defining the OAuth
>> provider type.
>> 3. Application developer generates the keys from the UI.
>>
>>- Checks whether consumer key generation can be done in the specific
>>OAuth provider.
>>- Generates the OAuth app on the OAuth provider and retrieves the OAuth
>>application details.
>>
>> 4. Application developer retrieves the application details from the UI.
>>
>>- Checks for the OAuth provider selected.
>>- Retrieves the OAuth app details from the respective OAuth provider
>>selected.
>>
>> 5. Generating OAuth Token
>>
>>- The token generation call will directly proxy to the token endpoint
>>of the respective OAuth provider.
>>
>> 6. Validating the Token.
>>
>>- The token generated by an OAuth provider contains a specific change
>>related to the token.
>>- Before validating the token, we check which OAuth provider the token
>>belongs to using the given Token Validation Regex.
>>- The token gets validated by the selected OAuth provider, and then the
>>information related to the token is retrieved.
>>
>> 7. Delete the Application
>>
>>- The OAuth application will be removed from the respective OAuth provider
>>assigned.
>>
>>
>> I appreciate any thoughts and feedback on this.
>>
>
> Also, some of the endpoints exposed by OAuth providers will be protected
> with different auth mechanisms. How do we plan to handle this?
>
>
>>
>>
>> Thanks
>>
>> *Tharindu Dharmarathna*Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> mobile: *+94779109091*
>>
>
>
> --
> Farasath Ahamed
> Associate Technical Lead, WSO2 Inc.: http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 
> 
>
>
>
>


-- 

*Tharindu Dharmarathna*Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94779109091*
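Farasath's question about endpoints protected with different auth mechanisms, and the answer that configuration key-value elements will be collected from the user, can be made concrete. The following is an added example and not WSO2 code: it reads per-endpoint settings from a flat key-value map, builds the outbound Authorization header for a Basic-protected endpoint (such as DCR) or an OAuth2 client-credentials-protected one (such as scope management), fails closed when a setting is missing, and masks the secret settings before the key manager object is returned from the admin API. The `<endpoint>.<setting>` naming scheme, the `auth_type` values, the injected `fetch_token` callback and every sample value are this example's own assumptions.

```python
import base64
from typing import Callable, Dict

# Added example, not WSO2 code: one way to model the "configuration key value
# elements" for endpoint security. The "<endpoint>.<setting>" naming scheme,
# the auth_type values and the sample values are assumptions of this example;
# the secrets below are constructed placeholders, not real credentials.

SECRET_SETTINGS = ("password", "client_secret")


def endpoint_settings(properties: Dict[str, str], endpoint: str) -> Dict[str, str]:
    """Pick the settings that belong to one endpoint, e.g. "dcr.username" -> "username"."""
    prefix = endpoint + "."
    return {key[len(prefix):]: value for key, value in properties.items() if key.startswith(prefix)}


def basic_credentials(username: str, password: str) -> str:
    """RFC 7617 credential string: base64(username ":" password)."""
    if ":" in username:
        raise ValueError("a Basic auth username must not contain ':'")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authorization_header(properties: Dict[str, str], endpoint: str,
                         fetch_token: Callable[[str, str, str], str]) -> Dict[str, str]:
    """Build the Authorization header for a call to one key manager endpoint.

    fetch_token(token_endpoint, client_id, client_secret) performs the
    client_credentials grant; it is injected so this example runs offline.
    """
    settings = endpoint_settings(properties, endpoint)
    auth_type = settings.get("auth_type", "none")
    if auth_type == "none":
        return {}
    if auth_type == "basic":
        # A missing setting raises KeyError: fail closed instead of sending a partial credential.
        return {"Authorization": "Basic " + basic_credentials(settings["username"], settings["password"])}
    if auth_type == "oauth2_client_credentials":
        token = fetch_token(settings["token_endpoint"], settings["client_id"], settings["client_secret"])
        return {"Authorization": "Bearer " + token}
    raise ValueError(f"unsupported auth_type {auth_type!r} for endpoint {endpoint!r}")


def mask_secrets(properties: Dict[str, str]) -> Dict[str, str]:
    """Copy of the properties that is safe to return from GET /key-managers: secrets blanked."""
    return {key: ("********" if key.rsplit(".", 1)[-1] in SECRET_SETTINGS else value)
            for key, value in properties.items()}


# Constructed sample: DCR behind Basic auth, the scope endpoint behind OAuth2
# client credentials, introspection unauthenticated.
SAMPLE_PROPERTIES = {
    "dcr.auth_type": "basic",
    "dcr.username": "apim-admin",
    "dcr.password": "example-password",
    "scope.auth_type": "oauth2_client_credentials",
    "scope.token_endpoint": "https://idp.example.test/oauth2/token",
    "scope.client_id": "apim-scope-client",
    "scope.client_secret": "example-secret",
    "introspect.auth_type": "none",
}


def fake_fetch_token(token_endpoint: str, client_id: str, client_secret: str) -> str:
    """Stand-in for the real client_credentials call to token_endpoint."""
    return "cc-token-for-" + client_id


if __name__ == "__main__":
    for endpoint in ("dcr", "scope", "introspect"):
        print(endpoint, authorization_header(SAMPLE_PROPERTIES, endpoint, fake_fetch_token))
    print(mask_secrets(SAMPLE_PROPERTIES))
```

Keeping the auth type per endpoint, rather than per key manager, is what lets one provider expose a Basic-protected DCR endpoint next to an unauthenticated introspection endpoint; the masking step matters because the same properties object is what the admin GET would otherwise echo back.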


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-16 Thread Sanjeewa Malalgoda
I checked this API definition and it looks good to me. Please check the inline
comments.
However, I believe this configuration won't be that simple when it comes to the
real implementation. As an example, think about basic-auth-secured DCR, an
OAuth-protected scope registration endpoint, etc. We will need to collect a lot
more parameters. So we will be able to have key-value style entries for that.

On Thu, Apr 16, 2020 at 12:36 PM Tharindu Dharmarathna 
wrote:

> Hi All,
>
> Please find the Admin REST API model for registering the Key Managers from
> the Admin API.
>
> ##
> # The "Key Manager Collection" resource API
> ##
>   /key-managers:
>
> #-
> # Retrieve all key managers
> #-
> get:
>   x-scope: apim:admin_operations
>   summary: Get all Key managers
>   description: |
> Get all Key managers
>   tags:
> - Key Manager (Collection)
>   responses:
> 200:
>   description: |
> OK.
> KeyManagers returned
>   schema:
> $ref: '#/definitions/KeyManagerList'
>
> #-
> # Add a Key Manager
> #-
> post:
>   x-scope: apim:admin_operations
>   summary: Add a new API Key Manager
>   description: |
> Add a new API Key Manager
>   parameters:
> - in: body
>   name: body
>   description: |
> Key Manager object that should be added
>   required: true
>   schema:
> $ref: '#/definitions/KeyManager'
>   tags:
> - Key Manager (Individual)
>   responses:
> 201:
>   description: |
> Created.
> Successful response with the newly created object as entity in
> the body.
>   schema:
> $ref: '#/definitions/KeyManager'
> 400:
>   description: |
> Bad Request.
> Invalid request or validation error
>   schema:
> $ref: '#/definitions/Error'
>
>   ##
>   # The "Individual KeyManager" resource APIs
>   ##
>
>   /key-managers/{keyManagerId}:
>
>   #-
>   # Update a Key Manager
>   #-
> put:
>   x-scope: apim:admin_operations
>   summary: Update a Key Manager
>   description: |
> Update a Key Manager by keyManager id
>   parameters:
> - $ref: '#/parameters/keyManagerId'
> - in: body
>   name: body
>   description: |
> Key Manager object with updated information
>   required: true
>   schema:
> $ref: '#/definitions/KeyManager'
>   tags:
> - Key Manager (Individual)
>   responses:
> 200:
>   description: |
> OK.
> Key Manager updated.
>   schema:
> $ref: '#/definitions/KeyManager'
> 400:
>   description: |
> Bad Request.
> Invalid request or validation error.
>   schema:
> $ref: '#/definitions/Error'
> 404:
>   description: |
> Not Found.
> The resource to be updated does not exist.
>   schema:
> $ref: '#/definitions/Error'
>   #-
>   # Delete a Key Manager
>   #-
> delete:
>   x-scope: apim:admin_operations
>   summary: Delete a Key Manager
>   description: |
> Delete a Key Manager by keyManager id
>   parameters:
> - $ref: '#/parameters/keyManagerId'
> - $ref: '#/parameters/If-Match'
> - $ref: '#/parameters/If-Unmodified-Since'
>
Do we need If-Match etc here?

>   tags:
> - Key Manager (Individual)
>   responses:
> 200:
>   description: |
> OK.
> Key Manager successfully deleted.
> 404:
>   description: |
> Not Found.
> Key Manager to be deleted does not exist.
>   schema:
> $ref: '#/definitions/Error'
>
>   #-
>   # The KeyManager resource
>   #-
>   KeyManager:
> title: Key Manager
> required:
> - name
> - type
> properties:
>   id:
> type: string
> example: "01234567-0123-0123-0123-012345678901"
>   name:
> type: string
> example: "WSO2 IS"
>   type:
> type: string
>  

Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-16 Thread Farasath Ahamed
On Tue, Apr 14, 2020 at 10:13 PM Tharindu Dharmarathna 
wrote:

> Hi All,
>
> We are going to implement multiple OAuth provider support in WSO2 API
> Management. With this feature, dev portal users can create their OAuth
> application on pre-defined OAuth providers.
>
> 1. Tenant admin creates an OAuth provider from the Admin portal by providing
> the OAuth provider details.
>
>- Client Registration endpoint
>- Introspection Endpoint
>- Scope Management Endpoint
>- Token Endpoint
>- Revoke Endpoint
>- Endpoint Security Details
>- Token Validation Regex.
>
Just a suggestion, most OAuth/OIDC providers expose a .well-known
configuration endpoint that gives some of these endpoints. For example,
https://accounts.google.com/.well-known/openid-configuration
Maybe we can support populating the URLs using that endpoint as well,
in addition to configuring them manually.

> 2. Application developer creates the application, defining the OAuth
> provider type.
> 3. Application developer generates the keys from the UI.
>
>- Checks whether consumer key generation can be done in the specific
>OAuth provider.
>- Generates the OAuth app on the OAuth provider and retrieves the OAuth
>application details.
>
> 4. Application developer retrieves the application details from the UI.
>
>- Checks for the OAuth provider selected.
>- Retrieves the OAuth app details from the respective OAuth provider
>selected.
>
> 5. Generating OAuth Token
>
>- The token generation call will directly proxy to the token endpoint of
>the respective OAuth provider.
>
> 6. Validating the Token.
>
>- The token generated by an OAuth provider contains a specific change
>related to the token.
>- Before validating the token, we check which OAuth provider the token
>belongs to using the given Token Validation Regex.
>- The token gets validated by the selected OAuth provider, and then the
>information related to the token is retrieved.
>
> 7. Delete the Application
>
>- The OAuth application will be removed from the respective OAuth provider
>assigned.
>
>
> I appreciate any thoughts and feedback on this.
>

Also, some of the endpoints exposed by OAuth providers will be protected
with different auth mechanisms. How do we plan to handle this?


>
>
> Thanks
>
> *Tharindu Dharmarathna*Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> mobile: *+94779109091*
>


-- 
Farasath Ahamed
Associate Technical Lead, WSO2 Inc.: http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 



Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-16 Thread Tharindu Dharmarathna
Hi All,

Please find the Admin REST API model for registering the Key Managers from
the Admin API.

##
# The "Key Manager Collection" resource API
##
  /key-managers:

    #-
    # Retrieve all key managers
    #-
    get:
      x-scope: apim:admin_operations
      summary: Get all Key managers
      description: |
        Get all Key managers
      tags:
        - Key Manager (Collection)
      responses:
        200:
          description: |
            OK.
            KeyManagers returned
          schema:
            $ref: '#/definitions/KeyManagerList'

    #-
    # Add a Key Manager
    #-
    post:
      x-scope: apim:admin_operations
      summary: Add a new API Key Manager
      description: |
        Add a new API Key Manager
      parameters:
        - in: body
          name: body
          description: |
            Key Manager object that should be added
          required: true
          schema:
            $ref: '#/definitions/KeyManager'
      tags:
        - Key Manager (Individual)
      responses:
        201:
          description: |
            Created.
            Successful response with the newly created object as entity in
            the body.
          schema:
            $ref: '#/definitions/KeyManager'
        400:
          description: |
            Bad Request.
            Invalid request or validation error
          schema:
            $ref: '#/definitions/Error'

  ##
  # The "Individual KeyManager" resource APIs
  ##

  /key-managers/{keyManagerId}:

    #-
    # Update a Key Manager
    #-
    put:
      x-scope: apim:admin_operations
      summary: Update a Key Manager
      description: |
        Update a Key Manager by keyManager id
      parameters:
        - $ref: '#/parameters/keyManagerId'
        - in: body
          name: body
          description: |
            Key Manager object with updated information
          required: true
          schema:
            $ref: '#/definitions/KeyManager'
      tags:
        - Key Manager (Individual)
      responses:
        200:
          description: |
            OK.
            Key Manager updated.
          schema:
            $ref: '#/definitions/KeyManager'
        400:
          description: |
            Bad Request.
            Invalid request or validation error.
          schema:
            $ref: '#/definitions/Error'
        404:
          description: |
            Not Found.
            The resource to be updated does not exist.
          schema:
            $ref: '#/definitions/Error'

    #-
    # Delete a Key Manager
    #-
    delete:
      x-scope: apim:admin_operations
      summary: Delete a Key Manager
      description: |
        Delete a Key Manager by keyManager id
      parameters:
        - $ref: '#/parameters/keyManagerId'
        - $ref: '#/parameters/If-Match'
        - $ref: '#/parameters/If-Unmodified-Since'
      tags:
        - Key Manager (Individual)
      responses:
        200:
          description: |
            OK.
            Key Manager successfully deleted.
        404:
          description: |
            Not Found.
            Key Manager to be deleted does not exist.
          schema:
            $ref: '#/definitions/Error'

  #-
  # The KeyManager resource
  #-
  KeyManager:
    title: Key Manager
    required:
      - name
      - type
    properties:
      id:
        type: string
        example: "01234567-0123-0123-0123-012345678901"
      name:
        type: string
        example: "WSO2 IS"
      type:
        type: string
        example: "IS"
      description:
        type: string
        example: "This is a key manager for Developers"
      introspection_endpoint:
        type: string
        example: ""
      dynamic_client_registration_endpoint:
        type: string
        example: ""
      token_endpoint:
        type: string
        example: ""
      scope_management_endpoint:
        type: string
        example: ""
      available_grant_types:
        type: array
        items:
          type: string
          example: "client_credentials"
      enabled:
        type: boolean
        example: true
      additionalProperties:
        type: object

  #-
  # The KeyManager List resource
  #-
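Farasath's earlier .well-known suggestion can be combined with the KeyManager model above. The block below is an added example, not WSO2 code: it maps an OIDC discovery document onto the property names of the KeyManager definition (`introspection_endpoint`, `dynamic_client_registration_endpoint`, `token_endpoint`, `available_grant_types`), checks the issuer and every endpoint URL before accepting them, and leaves `scope_management_endpoint` for manual entry because discovery has no such field. The discovery JSON is constructed, and the `allowed_hosts` parameter, the `DiscoveryError` class, the placement of the revoke endpoint under `additionalProperties` and the decision to import the key manager as disabled are this example's own assumptions.

```python
import json
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Added example, not WSO2 code. Builds a KeyManager object, using the property
# names from the admin REST API model in the thread, from an OIDC discovery
# document (.well-known/openid-configuration). The discovery JSON below is
# constructed; the mapping, the issuer/https/host checks and the handling of
# fields the model lacks are this example's own assumptions.

# OIDC discovery / RFC 8414 metadata field -> KeyManager property.
DISCOVERY_TO_KEY_MANAGER = {
    "introspection_endpoint": "introspection_endpoint",
    "registration_endpoint": "dynamic_client_registration_endpoint",
    "token_endpoint": "token_endpoint",
}
# Default given by OIDC Discovery 1.0 when grant_types_supported is omitted.
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]


class DiscoveryError(ValueError):
    """The metadata document cannot be trusted or is incomplete."""


def _checked_endpoint(field: str, url: str, hosts: set) -> str:
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"{field}: expected an absolute https URL, got {url!r}")
    if parts.netloc not in hosts:
        # A document pointing off-host would send client credentials elsewhere;
        # such hosts must be allow-listed explicitly by the admin.
        raise DiscoveryError(f"{field}: host {parts.netloc!r} is not the issuer host or allow-listed")
    return url


def key_manager_from_discovery(name: str, km_type: str, expected_issuer: str,
                               discovery_json: str, scope_management_endpoint: str = "",
                               allowed_hosts: Optional[Iterable[str]] = None) -> Dict:
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise DiscoveryError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    hosts = {urlparse(expected_issuer).netloc} | set(allowed_hosts or ())

    km = {
        "name": name,
        "type": km_type,
        "description": f"Populated from {expected_issuer}/.well-known/openid-configuration",
        "introspection_endpoint": "",
        "dynamic_client_registration_endpoint": "",
        "token_endpoint": "",
        # Not part of OIDC discovery: always entered by the admin.
        "scope_management_endpoint": scope_management_endpoint,
        "available_grant_types": list(doc.get("grant_types_supported", DEFAULT_GRANT_TYPES)),
        # Imported as disabled until an admin has reviewed the values.
        "enabled": False,
        "additionalProperties": {},
    }
    for meta_field, km_field in DISCOVERY_TO_KEY_MANAGER.items():
        if meta_field in doc:
            km[km_field] = _checked_endpoint(meta_field, doc[meta_field], hosts)
    if not km["token_endpoint"]:
        raise DiscoveryError("token_endpoint is required but missing from the discovery document")
    # The thread lists a revoke endpoint; the model has no dedicated field for it.
    if "revocation_endpoint" in doc:
        km["additionalProperties"]["revoke_endpoint"] = _checked_endpoint(
            "revocation_endpoint", doc["revocation_endpoint"], hosts)
    return km


# Constructed discovery document for a fictional provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "introspection_endpoint": "https://idp.example.test/oauth2/introspect",
    "registration_endpoint": "https://idp.example.test/oauth2/register",
    "revocation_endpoint": "https://idp.example.test/oauth2/revoke",
    "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
})

if __name__ == "__main__":
    km = key_manager_from_discovery("Example IdP", "IS", "https://idp.example.test", SAMPLE_DISCOVERY)
    print(json.dumps(km, indent=2))
```

The host check is deliberately strict: Google's metadata, for instance, places the token endpoint on oauth2.googleapis.com while the issuer is accounts.google.com, so an admin would pass that host in `allowed_hosts` rather than have the import silently trust whatever host the document names.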

Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Tharindu Dharmarathna
Hi Amila,

Please find my comments below.

On Wed, Apr 15, 2020 at 4:03 PM Amila De Silva  wrote:

> Hi Tharindu,
>
> On Tue, Apr 14, 2020 at 10:12 PM Tharindu Dharmarathna 
> wrote:
>
>> Hi All,
>>
>> We are going to implement multiple OAuth provider support in WSO2 API
>> Management. With this feature, dev portal users can create their OAuth
>> application on pre-defined OAuth providers.
>>
>> 1. Tenant admin creates an OAuth provider from the Admin portal by providing
>> the OAuth provider details.
>>
>>- Client Registration endpoint
>>- Introspection Endpoint
>>- Scope Management Endpoint
>>- Token Endpoint
>>- Revoke Endpoint
>>- Endpoint Security Details
>>- Token Validation Regex.
>>
> Isn't Scope Management a custom endpoint? Is it that we are only
> specifying it when connecting with IS?
>
Some of the OAuth providers have their own scope management endpoint that
can be used.


>> 2. Application developer creates the application, defining the OAuth
>> provider type.
>> 3. Application developer generates the keys from the UI.
>>
>>- Checks whether consumer key generation can be done in the specific
>>OAuth provider.
>>- Generates the OAuth app on the OAuth provider and retrieves the OAuth
>>application details.
>>
>> 4. Application developer retrieves the application details from the UI.
>>
>>- Checks for the OAuth provider selected.
>>- Retrieves the OAuth app details from the respective OAuth provider
>>selected.
>>
>> 5. Generating OAuth Token
>>
>>- The token generation call will directly proxy to the token endpoint
>>of the respective OAuth provider.
>>
> Wondering if App Developers will use this at all. Isn't the more likely
> case to get the token directly from an OAuth provider? In case we support
> this, how about making this configurable (so Tenant Admin can decide
> whether or not to proxy the request)? Currently the Token endpoint is a
> passthrough, but with this some changes will be needed to find the OAuth
> provider from the CK. Most probably this would include making a service call
> from the GW. If it's likely to put an unnecessary burden on the KM nodes,
> better to provide an option to disable it.
>

We will not proxy the request through the Gateway. This will only show in
the UI which endpoint to use.

>
>
>> 6. Validating the Token.
>>
>>- The token generated by an OAuth provider contains a specific change
>>related to the token.
>>
> So two OAuth providers can co-exist (within a single tenant space) if
> their issued tokens can be separated by some property. Is this the case?
>

This can be the Token length, Token prefix, etc from the Token Management.

>
>>- Before validating the token, we check which OAuth provider the token
>>belongs to using the given Token Validation Regex.
>>- The token gets validated by the selected OAuth provider, and then the
>>information related to the token is retrieved.
>>
>> 7. Delete the Application
>>
>>- The OAuth application will be removed from the respective OAuth provider
>>assigned.
>>
>>
>> I appreciate any thoughts and feedback on this.
>>
>
> Are we only supporting this for subscriptions within the same tenant?
>
>>
We will not be able to handle this feature cross-tenant, since we cannot
identify the tenant of the token before validating it.


>
>> Thanks
>>
>> *Tharindu Dharmarathna*Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> mobile: *+94779109091*
>>
>
>
> --
> *Amila De Silva*
> Software Architect | Associate Director, Engineering - WSO2 Inc.
> (m) +94 775119302 | (e) ami...@wso2.com
> 
>


Thanks

*Tharindu Dharmarathna*Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94779109091*
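Step 6 of the proposal, together with Tharindu's note above that the distinguishing property can be the token length or prefix and that the tenant must be known before validation, can be shown as code. The following is an added example, not WSO2 code: each key manager carries its Token Validation Regex, a token is routed to the single enabled key manager in the tenant whose regex accepts it, only that key manager's introspection endpoint is consulted, and a registration-time check reports regexes that overlap (the case in which routing would otherwise be ambiguous). The KeyManager dataclass, the UUID and JWT regexes, the sample tokens and the fake introspection responses are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example, not WSO2 code: how the per-key-manager "Token Validation Regex"
# from step 6 can select the key manager that issued a token before that key
# manager's introspection endpoint is called, and how overlapping regexes can be
# caught at registration time. The KeyManager dataclass, the two regexes, the
# sample tokens and the fake introspection responses are constructed.


@dataclass(frozen=True)
class KeyManager:
    name: str
    tenant: str                  # key managers are tenant-scoped; no cross-tenant lookup
    token_validation_regex: str  # admin-supplied "Token Validation Regex"
    introspection_endpoint: str
    enabled: bool = True

    def claims(self, token: str) -> bool:
        # fullmatch: the regex has to describe the whole token, so a pattern
        # written for a prefix or substring does not quietly accept everything.
        return re.fullmatch(self.token_validation_regex, token) is not None


class TokenRoutingError(Exception):
    """No key manager, or more than one, claims the token."""


def select_key_manager(token: str, tenant: str, key_managers: List[KeyManager]) -> KeyManager:
    candidates = [km for km in key_managers
                  if km.enabled and km.tenant == tenant and km.claims(token)]
    if not candidates:
        raise TokenRoutingError(f"no enabled key manager in tenant {tenant!r} claims this token")
    if len(candidates) > 1:
        # Overlapping regexes: refuse rather than guess, since the wrong
        # introspection endpoint could answer for a token it never issued.
        raise TokenRoutingError("ambiguous routing: " + ", ".join(km.name for km in candidates))
    return candidates[0]


def validate_token(token: str, tenant: str, key_managers: List[KeyManager],
                   introspect: Callable[[KeyManager, str], Dict]) -> Dict:
    """Route the token, then ask only the selected key manager about it."""
    km = select_key_manager(token, tenant, key_managers)
    info = introspect(km, token)
    result = {"active": bool(info.get("active")), "key_manager": km.name}
    if result["active"]:
        result["client_id"] = info.get("client_id")
        result["scope"] = info.get("scope", "")
    return result


def find_overlapping_regexes(key_managers: List[KeyManager],
                             sample_tokens: List[str]) -> List[Tuple[str, str, str]]:
    """Registration-time check: pairs of enabled key managers in one tenant whose
    regexes both accept some sample token, together with the token that showed it."""
    conflicts = []
    for i, a in enumerate(key_managers):
        for b in key_managers[i + 1:]:
            if not (a.enabled and b.enabled and a.tenant == b.tenant):
                continue
            for token in sample_tokens:
                if a.claims(token) and b.claims(token):
                    conflicts.append((a.name, b.name, token))
                    break
    return conflicts


# Constructed sample configuration: opaque UUID-shaped tokens for one provider,
# three-part JWTs for another, plus a disabled legacy entry.
UUID_TOKEN_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
JWT_TOKEN_RE = r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"

KEY_MANAGERS = [
    KeyManager("WSO2 IS", "carbon.super", UUID_TOKEN_RE, "https://is.example.test/oauth2/introspect"),
    KeyManager("External OIDC", "carbon.super", JWT_TOKEN_RE, "https://idp.example.test/oauth2/introspect"),
    KeyManager("Legacy", "carbon.super", UUID_TOKEN_RE, "https://legacy.example.test/introspect", enabled=False),
]

# Constructed tokens, not real credentials.
OPAQUE_TOKEN = "0b1d9c4e-7f1a-4c2b-9e3d-5a6b7c8d9e0f"
JWT_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhcHAtMiJ9.c2lnbmF0dXJl"


def fake_introspect(km: KeyManager, token: str) -> Dict:
    """Stand-in for the HTTPS call to km.introspection_endpoint (RFC 7662 response shape)."""
    known = {
        ("WSO2 IS", OPAQUE_TOKEN): {"active": True, "client_id": "app-1", "scope": "default"},
        ("External OIDC", JWT_TOKEN): {"active": True, "client_id": "app-2", "scope": "openid"},
    }
    return known.get((km.name, token), {"active": False})


if __name__ == "__main__":
    for tok in (OPAQUE_TOKEN, JWT_TOKEN):
        print(validate_token(tok, "carbon.super", KEY_MANAGERS, fake_introspect))
    catch_all = KeyManager("Catch-all", "carbon.super", r".+", "https://x.example.test/introspect")
    print(find_overlapping_regexes(KEY_MANAGERS + [catch_all], [OPAQUE_TOKEN, JWT_TOKEN]))
```

Matching with `re.fullmatch` rather than `re.search` matters here: a catch-all pattern such as `.+` would claim every token, and the overlap check reports it before a second key manager in the same tenant is enabled.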


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Sanjeewa Malalgoda
Like Amila asked, can there be multiple OAuth providers for the same tenant
space?
If that is the case, then does the application developer have control over
selecting which provider to use?
Some of the default implementations need to go with the products, I believe.

Thanks,
sanjeewa.

On Wed, Apr 15, 2020 at 4:03 PM Amila De Silva  wrote:

> Hi Tharindu,
>
> On Tue, Apr 14, 2020 at 10:12 PM Tharindu Dharmarathna 
> wrote:
>
>> Hi All,
>>
>> We are going to implement multiple OAuth provider support in WSO2 API
>> Management. With this feature, dev portal users can create their OAuth
>> application on pre-defined OAuth providers.
>>
>> 1. Tenant admin creates an OAuth provider from the Admin portal by providing
>> the OAuth provider details.
>>
>>- Client Registration endpoint
>>- Introspection Endpoint
>>- Scope Management Endpoint
>>- Token Endpoint
>>- Revoke Endpoint
>>- Endpoint Security Details
>>- Token Validation Regex.
>>
> Isn't Scope Management a custom endpoint? Is it that we are only
> specifying it when connecting with IS?
>
>> 2. Application developer creates the application, defining the OAuth
>> provider type.
>> 3. Application developer generates the keys from the UI.
>>
>>- Checks whether consumer key generation can be done in the specific
>>OAuth provider.
>>- Generates the OAuth app on the OAuth provider and retrieves the OAuth
>>application details.
>>
>> 4. Application developer retrieves the application details from the UI.
>>
>>- Checks for the OAuth provider selected.
>>- Retrieves the OAuth app details from the respective OAuth provider
>>selected.
>>
>> 5. Generating OAuth Token
>>
>>- The token generation call will directly proxy to the token endpoint
>>of the respective OAuth provider.
>>
> Wondering if App Developers will use this at all. Isn't the more likely
> case to get the token directly from an OAuth provider? In case we support
> this, how about making this configurable (so Tenant Admin can decide
> whether or not to proxy the request)? Currently the Token endpoint is a
> passthrough, but with this some changes will be needed to find the OAuth
> provider from the CK. Most probably this would include making a service call
> from the GW. If it's likely to put an unnecessary burden on the KM nodes,
> better to provide an option to disable it.
>
>
>> 6. Validating the Token.
>>
>>- The token generated by an OAuth provider contains a specific change
>>related to the token.
>>
> So two OAuth providers can co-exist (within a single tenant space) if
> their issued tokens can be separated by some property. Is this the case?
>
>>
>>- Before validating the token, we check which OAuth provider the token
>>belongs to using the given Token Validation Regex.
>>- The token gets validated by the selected OAuth provider, and then the
>>information related to the token is retrieved.
>>
>> 7. Delete the Application
>>
>>- The OAuth application will be removed from the respective OAuth provider
>>assigned.
>>
>>
>> I appreciate any thoughts and feedback on this.
>>
>
> Are we only supporting this for subscriptions within the same tenant?
>
>>
>>
>> Thanks
>>
>> *Tharindu Dharmarathna*Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> mobile: *+94779109091*
>>
>
>
> --
> *Amila De Silva*
> Software Architect | Associate Director, Engineering - WSO2 Inc.
> (m) +94 775119302 | (e) ami...@wso2.com
> 
>


-- 
*Sanjeewa Malalgoda*
Software Architect | Associate Director, Engineering - WSO2 Inc.
(m) +94 712933253 | (e) sanje...@wso2.com | (b) Blogger
, Medium




Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Amila De Silva
Hi Tharindu,

On Tue, Apr 14, 2020 at 10:12 PM Tharindu Dharmarathna 
wrote:

> Hi All,
>
> We are going to implement multiple OAuth provider support in WSO2 API
> Management. With this feature, dev portal users can create their OAuth
> application on pre-defined OAuth providers.
>
> 1. Tenant admin creates an OAuth provider from the Admin portal by providing
> the OAuth provider details.
>
>- Client Registration endpoint
>- Introspection Endpoint
>- Scope Management Endpoint
>- Token Endpoint
>- Revoke Endpoint
>- Endpoint Security Details
>- Token Validation Regex.
>
Isn't Scope Management a custom endpoint? Is it that we are only
specifying it when connecting with IS?

> 2. Application developer creates the application, defining the OAuth
> provider type.
> 3. Application developer generates the keys from the UI.
>
>- Checks whether consumer key generation can be done in the specific
>OAuth provider.
>- Generates the OAuth app on the OAuth provider and retrieves the OAuth
>application details.
>
> 4. Application developer retrieves the application details from the UI.
>
>- Checks for the OAuth provider selected.
>- Retrieves the OAuth app details from the respective OAuth provider
>selected.
>
> 5. Generating OAuth Token
>
>- The token generation call will directly proxy to the token endpoint of
>the respective OAuth provider.
>
Wondering if App Developers will use this at all. Isn't the more likely
case to get the token directly from an OAuth provider? In case we support
this, how about making this configurable (so Tenant Admin can decide
whether or not to proxy the request)? Currently the Token endpoint is a
passthrough, but with this some changes will be needed to find the OAuth
provider from the CK. Most probably this would include making a service call
from the GW. If it's likely to put an unnecessary burden on the KM nodes,
better to provide an option to disable it.


> 6. Validating the Token.
>
>- The token generated by an OAuth provider contains a specific change
>related to the token.
>
So two OAuth providers can co-exist (within a single tenant space) if
their issued tokens can be separated by some property. Is this the case?

>
>- Before validating the token, we check which OAuth provider the token
>belongs to using the given Token Validation Regex.
>- The token gets validated by the selected OAuth provider, and then the
>information related to the token is retrieved.
>
> 7. Delete the Application
>
>- The OAuth application will be removed from the respective OAuth provider
>assigned.
>
>
> I appreciate any thoughts and feedback on this.
>

Are we only supporting this for subscriptions within the same tenant?



-- 
*Amila De Silva*
Software Architect | Associate Director, Engineering - WSO2 Inc.
(m) +94 775119302 | (e) ami...@wso2.com

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Tharindu Dharmarathna
Hi Bhathiya,

We will do the above before the key manager implementation gets
invoked. Therefore there is no issue with having different OAuth
providers.

Thanks

On Wed, Apr 15, 2020 at 3:05 PM Bhathiya Jayasekara 
wrote:

>
>
> On Tue, Apr 14, 2020 at 10:12 PM Tharindu Dharmarathna 
> wrote:
>
>> Hi All,
>>
>> We are going to implement multiple OAuth provider support in WSO2 API
>> Management. With this feature, dev portal users can create their OAuth
>> application on pre-defined OAuth providers.
>>
>> 1. Tenant Admin creates an OAuth provider from the Admin portal by providing
>> OAuth provider details.
>>
>>- Client Registration endpoint
>>- Introspection Endpoint
>>- Scope Management Endpoint
>>- Token Endpoint
>>- Revoke Endpoint
>>- Endpoint Security Details
>>- Token Validation Regex.
>>
> I hope we will have extension points for all these cases, as request
> bodies can be different for each OAuth2 provider (to support custom
> providers which we do not support OOTB), yes?
>
> Thanks,
> Bhathiya
>

-- 

*Tharindu Dharmarathna* Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94779109091*


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Tharindu Dharmarathna
Hi Ishara,
Since in APIM we only keep a reference to the consumer key of the OAuth app,
this might be doable if they can create the OAuth app from a pre-defined
consumer key and secret.

Thanks


On Wed, Apr 15, 2020 at 12:55 PM Ishara Cooray  wrote:

> Hi Tharindu,
>
> With this feature, will it also support changing the OAuth provider for an
> existing app without changing subscriptions, etc?
> If one needs to change their OAuth provider in the future this will help.
>

-- 

*Tharindu Dharmarathna* Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94779109091*


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Bhathiya Jayasekara
On Tue, Apr 14, 2020 at 10:12 PM Tharindu Dharmarathna 
wrote:

> Hi All,
>
> We are going to implement multiple OAuth provider support in WSO2 API
> Management. With this feature, dev portal users can create their OAuth
> application on pre-defined OAuth providers.
>
> 1. Tenant Admin creates an OAuth provider from the Admin portal by providing
> OAuth provider details.
>
>- Client Registration endpoint
>- Introspection Endpoint
>- Scope Management Endpoint
>- Token Endpoint
>- Revoke Endpoint
>- Endpoint Security Details
>- Token Validation Regex.
>
I hope we will have extension points for all these cases, as request bodies
can be different for each OAuth2 provider (to support custom providers
which we do not support OOTB), yes?

Thanks,
Bhathiya




-- 
*Bhathiya Jayasekara* | Senior Technical Lead | WSO2 Inc.
(m) +94 71 547 8185  | (e) bhathiya-@t-wso2-d0t-com


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-15 Thread Ishara Cooray
Hi Tharindu,

With this feature, will it also support changing the OAuth provider for an
existing app without changing subscriptions, etc?
If one needs to change their OAuth provider in the future this will help.

Thanks & Regards,
Ishara Cooray
Associate Technical Lead
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/





Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-14 Thread gayan gunawardana
Hi Tharindu,
On Wed, Apr 15, 2020 at 9:32 AM Tharindu Dharmarathna 
wrote:

> Hi Gayan,
> For self-contained access tokens, it already has the OOTB capability to
> validate the token from different token issuers. The Key Management layer
> will only be used to validate the reference tokens.
>
Thanks for the explanation.

>
> To prefix the token generated from identity providers: they have their
> own ways of differentiating the token. In the simple case, we will use the
> regex validation, and for other cases they could write their own validation.
>
Are there any other options available to avoid regex validation? Regex
validation may introduce a few problems:
1. Humans do not tend to use regular expressions. E.g., even for password
policy definitions, people prefer simple definitions like min length and
max length over a regex.
2. Pattern matching is a CPU-intensive task and might introduce some
security vulnerabilities as well.
3. For the same set of words, different people can come up with
different regular expressions.
Also, having the flexibility to write one's own validation might introduce
some open-ended problems for a simple requirement.



-- 
Gayan


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-14 Thread Tharindu Dharmarathna
Hi Gayan,
For self-contained access tokens, it already has the OOTB capability to
validate the token from different token issuers. The Key Management layer
will only be used to validate the reference tokens.

To prefix the token generated from identity providers: they have their own
ways of differentiating the token. In the simple case, we will use the regex
validation, and for other cases they could write their own validation.

Thanks



-- 

*Tharindu Dharmarathna* Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94779109091*


Re: [Architecture] [APIM] Multiple Key Manager support

2020-04-14 Thread gayan gunawardana
Hi Tharindu,

In #6 Validating the Token, regex validation may work for reference access
tokens to find the corresponding OAuth provider, but can we utilize regex
validation for self-contained access tokens? Is it possible to mediate token
generation and append a specific prefix to identify the OAuth provider, or
else add a mapping to a database table?

Thanks,
Gayan



-- 
Gayan


[Architecture] [APIM] Multiple Key Manager support

2020-04-14 Thread Tharindu Dharmarathna
Hi All,

We are going to implement multiple OAuth provider support in WSO2 API
Management. With this feature, dev portal users can create their OAuth
application on pre-defined OAuth providers.

1. Tenant Admin creates an OAuth provider from the Admin portal by providing
OAuth provider details.

   - Client Registration endpoint
   - Introspection Endpoint
   - Scope Management Endpoint
   - Token Endpoint
   - Revoke Endpoint
   - Endpoint Security Details
   - Token Validation Regex

2. Application developer creates the application, defining the OAuth
provider type.
3. Application developer generates the keys from the UI.

   - Checks whether consumer key generation can be done in the specific
   OAuth provider.
   - Generates the OAuth app on the OAuth provider and retrieves the OAuth
   application details.

4. Application developer retrieves the application details from the UI.

   - Check for the OAuth provider selected.
   - Retrieve the OAuth app details from the respective OAuth provider
   selected.

5. Generating an OAuth token

   - The token generation call will be proxied directly to the token endpoint of
   the respective OAuth provider.

6. Validating the token

   - The token generated from an OAuth provider contains a specific change
   related to the token.
   - Before validating the token, we check which OAuth provider the token
   belongs to by checking the Token Validation Regex given.
   - The token gets validated by the selected OAuth provider, and then the
   information related to the token is retrieved.

7. Delete the application

   - The OAuth application will be removed from the respective OAuth provider assigned.


I appreciate any thoughts and feedback on this.


Thanks

*Tharindu Dharmarathna* Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: *+94779109091*
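Steps 5 and 6 above, together with the concern raised in the thread that regex matching on tokens is CPU-intensive and a possible vulnerability, as an added Go example (not APIM's code and not from this thread): it routes self-contained tokens to a key manager by their `iss` claim and reference tokens by an anchored, precompiled Token Validation Regex, rejects oversized tokens before any matching, and refuses tokens that match more than one provider instead of guessing. The KeyManager struct, provider names, issuer URLs, token formats and the 4096-byte bound are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// KeyManager holds the per-provider settings from step 1 (hypothetical struct; names are this example's).
type KeyManager struct {
	Name       string
	Issuer     string         // expected "iss" claim of self-contained (JWT) tokens
	TokenRegex *regexp.Regexp // Token Validation Regex, applied only to reference tokens
}

// NewKeyManager compiles the admin-supplied regex once, at configuration time, and anchors it
// so it must describe the whole token. Go's RE2-based regexp is linear-time, so no ReDoS here.
func NewKeyManager(name, issuer, pattern string) (KeyManager, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return KeyManager{}, fmt.Errorf("key manager %s: bad token regex: %w", name, err)
	}
	return KeyManager{Name: name, Issuer: issuer, TokenRegex: re}, nil
}

// issuerOf reads the "iss" claim of a JWT-shaped token without verifying it.
// The claim only picks a provider; that provider then verifies the signature.
func issuerOf(token string) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	var claims struct{ Iss string `json:"iss"` }
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return "", false
	}
	return claims.Iss, claims.Iss != ""
}

// SelectKeyManager routes a token to exactly one key manager: self-contained tokens by
// issuer, reference tokens by regex. Zero or several regex matches are an error, not a guess.
func SelectKeyManager(kms []KeyManager, token string) (string, error) {
	if token == "" || len(token) > 4096 { // constructed length bound, checked before matching
		return "", errors.New("token missing or exceeds length bound")
	}
	if iss, ok := issuerOf(token); ok {
		for _, km := range kms {
			if km.Issuer == iss {
				return km.Name, nil
			}
		}
		return "", errors.New("no key manager registered for issuer " + iss)
	}
	var matched []string
	for _, km := range kms {
		if km.TokenRegex.MatchString(token) {
			matched = append(matched, km.Name)
		}
	}
	if len(matched) != 1 {
		return "", fmt.Errorf("token matched %d key managers %v, expected exactly one", len(matched), matched)
	}
	return matched[0], nil
}

// ConstructedJWT builds an unverified sample token for the demo; the third segment is a placeholder.
func ConstructedJWT(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload := enc([]byte(fmt.Sprintf(`{"iss":%q,"sub":"app-1"}`, iss)))
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + payload + "." + enc([]byte("placeholder"))
}

// DemoKeyManagers returns two constructed providers with non-overlapping token formats.
func DemoKeyManagers() []KeyManager {
	a, _ := NewKeyManager("KM-A", "https://idp-a.example/oauth2/token", `ref-a-[0-9a-f]{32}`)
	b, _ := NewKeyManager("KM-B", "https://idp-b.example/oauth2/token", `[0-9a-f-]{36}`)
	return []KeyManager{a, b}
}
```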