For the regular gateway, I don't think it is right for it to behave
differently for regular tokens and JWT-formatted tokens. Since we do
subscription validation for regular tokens we should probably do the same for
JWT-formatted tokens as well (whenever the subscriptions array exists on
the token). If the subscriptions array does not exist (meaning it is a
token obtained from a 3rd party) then it should be fine to allow access to
the resource based on scope only.

For the microgateway too, we should probably go with the same approach to
keep things consistent. But the microgateway currently does not perform
subscription validation when the subscriptions array is empty. We should
probably change that behavior and give an option in the microgateway to
disable subscription validation. This would be for the purpose of
maintaining backwards compatibility only.

Thanks,
NuwanD.

On Mon, Jul 1, 2019 at 11:42 AM Harsha Kumara <hars...@wso2.com> wrote:

>
>
> On Mon, Jul 1, 2019 at 11:35 AM Chathura Ekanayake <chath...@wso2.com>
> wrote:
>
>> If it is needed to support subscriptions with third party KMs, do we have
>> possible approaches?
>>
> With this approach we can support third-party KMs without an issue.
>
>> E.g. Maintain application id -> subscribed APIs mapping in APIM KM and
>> let APIM KMs to generate JWTs by fetching necessary information (scopes,
>> application data) from a third party KM.
>>
> External key managers most of the time will not be aware of the scopes,
> subscriptions, etc. Maybe if they want this level of validation, it
> would be best to use the JWT grant, where they can exchange the JWT for an
> access token.
>
>
>>
>> On Sat, Jun 29, 2019 at 9:38 AM Harsha Kumara <hars...@wso2.com> wrote:
>>
>>>
>>>
>>> On Sat, Jun 29, 2019 at 9:31 AM Rajith Roshan <raji...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Sat, Jun 29, 2019 at 9:17 AM Harsha Kumara <hars...@wso2.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 29, 2019 at 9:12 AM Malintha Amarasinghe <
>>>>> malint...@wso2.com> wrote:
>>>>>
>>>>>> I think we can make it optional.
>>>>>> If the particular app (token) doesn't have any subscriptions, the
>>>>>> APIM IDP will always send an empty subscribedAPIs array.
>>>>>>  "subscribedAPIs": []
>>>>>>
>>>>>> That means there are no subscriptions for this app (token) hence we
>>>>>> can fail the validation.
>>>>>> If the subscribedAPIs element is not available at all, I think we can
>>>>>> safely assume that the JWT is from a different IDP. If it is trusted, we
>>>>>> can bypass subscription validation.
>>>>>>
>>>>> That's the approach we are already using in the MG as well.
>>>>>
>>>> The MGW approach is slightly different. MG validates subscriptions only
>>>> if the array contains at least one element. Sending an empty array will
>>>> also pass in the MGW. This is because when the APIM key manager is used
>>>> customers might not want to enforce subscriptions.
>>>>
>>> I think the only difference is allowing the request to flow through when
>>> the subscriptions list is empty. This should be done because of the
>>> developer-first approach. I think we can use the same way as @Malintha
>>> Amarasinghe <malint...@wso2.com> mentioned.
>>>
>>>>>> In some cases, subscription validation can be performed on the IDP side
>>>>>> using scopes itself. So I don't think bypassing the validation would be a
>>>>>> big issue.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>> On Sat, Jun 29, 2019 at 5:14 AM Rukshan Premathunga <ruks...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jun 28, 2019 at 5:16 PM Chamod Samarajeewa <cha...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Johann,
>>>>>>>>
>>>>>>>>> How about supporting 3rd party Key Manager generated JWT access
>>>>>>>>> tokens? Will that work? 'jti' is an optional field as I remember. How
>>>>>>>>> would caching be impacted in that case?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Good that you pointed out that. Then, we will have to use the whole
>>>>>>>> token as the key to the cache entry.
>>>>>>>>
>>>>>>> A 3rd party KM doesn't know about the APIM subscriptions and I don't
>>>>>>> think it is possible to customize that on the IDP side. Other claims can
>>>>>>> be included using customization or configuration.
>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jun 28, 2019 at 11:54 AM Fazlan Nazeem <fazl...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Chamod,
>>>>>>>>>
>>>>>>>>> On Fri, Jun 28, 2019 at 10:48 AM Chamod Samarajeewa <
>>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Harsha,
>>>>>>>>>>
>>>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>>>>> implement the revocation support as well, as we already have the
>>>>>>>>>>> backend implementation?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Yes, we will.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I hope we are planning to follow the same real-time and persistent
>>>>>>>>> approach (with etcd) similar to the microgateway for this. Or is there a
>>>>>>>>> different plan?
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Best regards.
>>>>>>>>>>
>>>>>>>>>> On Fri, Jun 28, 2019 at 10:44 AM Harsha Kumara <hars...@wso2.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> @Chamod Samarajeewa <cha...@wso2.com> Are we also going to
>>>>>>>>>>> implement the revocation support as well, as we already have the
>>>>>>>>>>> backend implementation?
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 28, 2019 at 10:37 AM Chamod Samarajeewa <
>>>>>>>>>>> cha...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm currently working on developing a new feature to support
>>>>>>>>>>>> JWT authentication for API Gateway.
>>>>>>>>>>>> [image: JWT-Auth.jpg]
>>>>>>>>>>>>
>>>>>>>>>>>> *Approach*
>>>>>>>>>>>> The API Authentication Handler will forward the request to the
>>>>>>>>>>>> OAuth Authenticator. Then the OAuth Authenticator will identify
>>>>>>>>>>>> whether the token is of type OAuth or JWT. If a JWT token is found
>>>>>>>>>>>> the request will be passed to the JWT validator, which will be used
>>>>>>>>>>>> to verify the token signature and populate the Authentication
>>>>>>>>>>>> Context information.
>>>>>>>>>>>>
>>>>>>>>>>>> A sample payload of JWT token which is used to populate the
>>>>>>>>>>>> Authentication Context.
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "aud": "http://org.wso2.apimgt/gateway",
>>>>>>>>>>>>   "sub": "admin@carbon.super",
>>>>>>>>>>>>   "application": {
>>>>>>>>>>>>     "owner": "admin",
>>>>>>>>>>>>     "tier": "Unlimited",
>>>>>>>>>>>>     "name": "DefaultApplication",
>>>>>>>>>>>>     "id": 1
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "scope": "am_application_scope default",
>>>>>>>>>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>>>>>>>>>   "keytype": "PRODUCTION",
>>>>>>>>>>>>   "subscribedAPIs": [
>>>>>>>>>>>>     {
>>>>>>>>>>>>       "subscriberTenantDomain": "carbon.super",
>>>>>>>>>>>>       "name": "PizzaShackAPI",
>>>>>>>>>>>>       "context": "/pizzashack/1.0.0",
>>>>>>>>>>>>       "publisher": "admin",
>>>>>>>>>>>>       "version": "1.0.0",
>>>>>>>>>>>>       "subscriptionTier": "Gold"
>>>>>>>>>>>>     }
>>>>>>>>>>>>   ],
>>>>>>>>>>>>   "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
>>>>>>>>>>>>   "exp": 1561701126,
>>>>>>>>>>>>   "iat": 1561697526,
>>>>>>>>>>>>   "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d"
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> We are hoping to use the same caches used for OAuth tokens to
>>>>>>>>>>>> store the JWT tokens as well. In that scenario, the payload will
>>>>>>>>>>>> be stored as a JSONObject in the cache as the value, and the key
>>>>>>>>>>>> will be the "jti" value (unique identifier of the token) of the
>>>>>>>>>>>> token.
>>>>>>>>>>>>
>>>>>>>>>>>> The swagger stored in the gateway as a local entry will be used
>>>>>>>>>>>> to:
>>>>>>>>>>>>  - retrieve the missing information in the payload of the JWT
>>>>>>>>>>>>    token, such as "API tier"
>>>>>>>>>>>>  - retrieve scopes bound to the resource for scope validation
>>>>>>>>>>>>
>>>>>>>>>>>> The related Git issue can be found here [1]. I would really
>>>>>>>>>>>> appreciate any feedback. Thank you.
>>>>>>>>>>>>
>>>>>>>>>>>> Best regards,
>>>>>>>>>>>> Chamod.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] - https://github.com/wso2/product-apim/issues/5115
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Chamod Samarajeewa | Software Engineer | WSO2 Inc.
>>>>>>>>>>>> (m) +94710397382 | Email: cha...@wso2.com <dimi...@wso2.com>
>>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>>>
>>>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>>> Email: hars...@wso2.coim
>>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>>
>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks & Regards,
>>>>>>>>>
>>>>>>>>> *Fazlan Nazeem | *Associate Technical Lead | WSO2 Inc
>>>>>>>>> Mobile : +94772338839 | fazl...@wso2.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Rukshan C. Premathunga | Associate Technical Lead | WSO2 Inc.
>>>>>>> (m) +94711822074 | (w) +94112145345 | Email: ruks...@wso2.com
>>>>>>> GET INTEGRATION AGILE
>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Malintha Amarasinghe
>>>>>> *WSO2, Inc. - lean | enterprise | middleware*
>>>>>> http://wso2.com/
>>>>>>
>>>>>> Mobile : +94 712383306
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
>>>> (m) +94-717-064-214 |  (e) raji...@wso2.com <shen...@wso2.com>
>>>>
>>>> <https://wso2.com/signature>
>>>>
>>>
>>>
>>
>


-- 
*Nuwan Dias* | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) nuw...@wso2.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
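The access decision the thread converges on (validate subscriptions only when a "subscribedAPIs" claim is present, treat an empty array as "no subscriptions", fall back to scope-only for tokens without the claim, key the cache on "jti" with a fallback when it is absent), written out as an added example. This is not WSO2 gateway or microgateway code. Assumptions: HS256 with a shared demo key stands in for the gateway's real signature verification so the block runs with the standard library only; the names mint, verify, is_valid, cache_key, authorize and the enforce_subscriptions flag are hypothetical; the rule that one token scope matching any resource scope is sufficient is an assumption; the sample claims are the thread's own payload, and the forged token in the demo is constructed.

```python
"""Gateway-side JWT access decision (added example, not WSO2 code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

DEMO_KEY = b"constructed-demo-key"  # assumption: HS256 stand-in for RS256 verification

# Sample claims from the thread; exp/iat/jti as posted.
SAMPLE_CLAIMS = {
    "aud": "http://org.wso2.apimgt/gateway",
    "sub": "admin@carbon.super",
    "application": {"owner": "admin", "tier": "Unlimited", "name": "DefaultApplication", "id": 1},
    "scope": "am_application_scope default",
    "iss": "https://localhost:9443/oauth2/token",
    "keytype": "PRODUCTION",
    "subscribedAPIs": [{
        "subscriberTenantDomain": "carbon.super", "name": "PizzaShackAPI",
        "context": "/pizzashack/1.0.0", "publisher": "admin",
        "version": "1.0.0", "subscriptionTier": "Gold",
    }],
    "consumerKey": "tRfDHrQNasyVaCVv1Ej4GnR2bD0a",
    "exp": 1561701126,
    "iat": 1561697526,
    "jti": "39d826ca-a56b-4637-b799-sa1ba4bbf24d",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Build an HS256 JWT from a claims dict (test input only; a real KM signs with RS256)."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify(token: str, now: Optional[int] = None) -> dict:
    """Return the payload if alg, signature and exp all check out; raise ValueError otherwise."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # pin the algorithm: rejects alg=none
    expected = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("expired")
    return payload


def is_valid(token: str, now: Optional[int] = None) -> bool:
    try:
        verify(token, now)
        return True
    except (ValueError, KeyError):
        return False


def cache_key(token: str, payload: dict) -> str:
    """'jti' is optional: when absent, key on a hash of the whole token, not the raw token."""
    return payload.get("jti") or hashlib.sha256(token.encode()).hexdigest()


def authorize(payload: dict, api_context: str, api_version: str,
              resource_scopes: set, enforce_subscriptions: bool = True) -> Tuple[bool, str]:
    """Decision per the thread:
      subscribedAPIs absent    -> token from another (trusted) IDP: scope check only
      subscribedAPIs == []     -> APIM token without subscriptions: deny, unless
                                  validation is disabled (MGW backwards-compat option)
      subscribedAPIs non-empty -> the API context+version must appear in the list
    Scope check applies in every case when the resource carries scopes
    (assumption: any one matching scope suffices)."""
    token_scopes = set(payload.get("scope", "").split())
    if resource_scopes and not (token_scopes & resource_scopes):
        return False, "token lacks a scope bound to the resource"
    subs = payload.get("subscribedAPIs")
    if subs is None:
        return True, "no subscribedAPIs claim: third-party token, scope-only"
    if not enforce_subscriptions:
        return True, "subscription validation disabled"
    for sub in subs:
        if sub.get("context") == api_context and sub.get("version") == api_version:
            return True, "subscribed, tier %s" % sub.get("subscriptionTier")
    return False, "no subscription for this API"


if __name__ == "__main__":
    tok = mint(SAMPLE_CLAIMS)
    claims = verify(tok, now=SAMPLE_CLAIMS["iat"])
    print("cache key:", cache_key(tok, claims))
    print(authorize(claims, "/pizzashack/1.0.0", "1.0.0", {"default"}))
    print(authorize(dict(claims, subscribedAPIs=[]), "/pizzashack/1.0.0", "1.0.0", set()))
```

The verify step pins the algorithm before checking the signature; accepting whatever "alg" the header declares is the classic way a gateway ends up honouring an unsigned token. Hashing the whole token for the cache key when "jti" is absent keeps the raw bearer credential out of the cache key space.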
