[Architecture] [APIM] Cannot secure APIs with Mutual TLS and OAuth2

2019-03-05 Thread Johann Nallathamby
APIM Team, In API Manager it seems like if we check the option to secure APIs using Mutual TLS security AND OAuth2 security for APIs, API Manager checks if either of the mechanisms is in place. There is no way to enforce both on an API. There are a good number of customers who want to enforce both

[Architecture] Fwd: Basic Authentication for APIM Gateway

2019-03-05 Thread Chamod Samarajeewa
-- Forwarded message --
From: Chamod Samarajeewa
Date: Tue, Mar 5, 2019 at 4:35 PM
Subject: Re: Basic Authentication for APIM Gateway
To: Nadeesha Gamage
Cc: Harsha Kumara, Nuwan Dias <nuw...@wso2.com>, APIM Team

Hi Nadeesha, How will this impact statistics? Will it be poss

Re: [Architecture] [APIM] Cannot secure APIs with Mutual TLS and OAuth2

2019-03-05 Thread Johann Nallathamby
Also a related question to this: The latest version of IS supports service-provider-wise certificate uploading for mutual TLS authentication and private key JWT authentication. So I guess if APIM uses that feature internally to manage the mapping between OAuth2 client and certificates, throttlin

Re: [Architecture] [APIM] Cannot secure APIs with Mutual TLS and OAuth2

2019-03-05 Thread Harsha Kumara
On Tue, Mar 5, 2019 at 4:57 AM Johann Nallathamby wrote:
> APIM Team,
>
> In API Manager it seems like if we check the option to secure APIs using Mutual TLS security AND OAuth2 security for APIs, API Manager checks if either of the mechanisms are in place. There is no way to enforce both on

Re: [Architecture] [APIM] Cannot secure APIs with Mutual TLS and OAuth2

2019-03-05 Thread Chathura Ekanayake
On Tue, Mar 5, 2019 at 5:56 PM Johann Nallathamby wrote:
> Also a related question to this:
> The latest version of IS supports service-provider-wise certificate uploading for mutual TLS authentication and private key JWT authentication. So I guess if APIM uses that feature internally to m

[Architecture] [IAM] Validating Scopes during Access Token Issuing Phase

2019-03-05 Thread Johann Nallathamby
IAM Team, We've implemented XACML based scope authorization during the access token validation phase. However, it is also important to do this authorization during the authorization_code, access_token, refresh_token and id_token issuing phase IMO. Especially for self-contained token use cases, we need to

Re: [Architecture] [IAM] Validating Scopes during Access Token Issuing Phase

2019-03-05 Thread Ishara Karunarathna
Hi Johann,

On Wed, Mar 6, 2019 at 12:19 PM Johann Nallathamby wrote:
> IAM Team,
>
> We've implemented XACML based scope authorization during access token validation phase. However, it is also important to do this authorization during authorization_code, access_token, refresh_token and id_to