
List:       esb-java-dev
Subject:    Re: [Dev] Microgateway support authentication via standard introspection
From:       Rajith Roshan <rajithr () wso2 ! com>
Date:       2020-01-02 6:17:31
Message-ID: CAL=cp-dqt0bJj9X=dc3SPwi_F75SfY0ELFUOXMKiFa82pGcjJg () mail ! gmail ! com


Hi Harsha,

We thought of adding the following configuration sections [1] in order to
communicate with a secured introspect endpoint.
Currently we will be supporting basic and oauth2 for the introspect
endpoints.
Under oauth2 it will support the following 3 types.
1. Get a token with the client credentials grant in order to invoke the
introspect endpoint
2. Get a token with the password grant in order to invoke the introspect endpoint
3. Providing a direct access token for the introspect endpoint.

In all these scenarios if the refresh config is enabled, it should
automatically refresh the token when calling introspect endpoint.


[1] -
[keyManager]
serverUrl = "https://localhost:9443"
tokenContext = "oauth2"
timestampSkew = 5000
external = false
[keymanager.security.basic]
enabled = true
username = "admin"
password = "admin"
[keymanager.security.oauth2]
enabled = false
tokenUrl = ""
[keymanager.security.oauth2.clientCredential]
enabled = false
clientId = ""
clientSecret = ""
scopes = ""
[keymanager.security.oauth2.password]
enabled = false
clientId = ""
clientSecret = ""
scopes = ""
username = ""
password = ""
[keymanager.security.oauth2.directToken]
enabled = false
accessToken = ""
[keymanager.security.oauth2.refresh]
enabled = false
refreshUrl = ""
scopes = ""
refreshToken = ""
clientId = ""
clientSecret = ""

On Tue, Dec 17, 2019 at 9:08 AM Rajith Roshan <rajithr@wso2.com> wrote:

>
>
> On Mon, Dec 16, 2019 at 9:37 PM Harsha Kumara <harshak@wso2.com> wrote:
>
>>
>>
>> On Mon, Dec 16, 2019 at 9:09 PM Rajith Roshan <rajithr@wso2.com> wrote:
>>
>>>
>>>
>>> On Mon, Dec 16, 2019 at 7:57 PM Harsha Kumara <harshak@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Dec 16, 2019 at 7:01 PM Rajith Roshan <rajithr@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>> Microgateway 3.0.x versions' support for opaque oauth2 tokens is
>>>>> tightly bound to the APIM key manager component. Right now it validates tokens
>>>>> using the key validation service of APIM, which does the token validation,
>>>>> scope validation, subscription validation (and back end jwt generation if
>>>>> enabled).
>>>>>
>>>>> We will need to provide a way to plug the microgateway into an oauth2
>>>>> server with a standard introspect endpoint for token validation. The following
>>>>> limitations would be incurred due to the usage of standard introspection.
>>>>>
>>>>> 1. Subscription validation can not be enforced.
>>>>> 2. Rate limiting using application level throttling
>>>>> 3. Rate limiting using subscription level throttling
>>>>> 4. Completeness of analytics dashboard data
>>>>>
>>>>> These are the same limitations we have when we use a self-contained
>>>>> jwt token from a third party key manager (STS).
>>>>>
>>>>> The key manager configuration of the microgateway is below [1]. We can
>>>>> add an additional parameter [2] to specify using an external key manager
>>>>> instead of the WSO2 key manager.
>>>>>
>>>> Can we check the authentication section of the RFC for the introspection
>>>> endpoint and allow flexibility to configure the possible authentication
>>>> mechanisms? Basic authentication is basic, but some might use a special bearer
>>>> token or the clientId. Can we check [1] and provide the flexibility to use
>>>> standard authentication for introspection?
>>>>
>>> The idea here is to support standard introspection for token
>>> validation in the microgateway. When a request comes to the microgateway with
>>> a bearer header, it will validate the token using the standard introspect
>>> endpoint. It will also support WSO2 key manager (APIM) token validation
>>> if external key managers are not used.
>>>
>> Yes, that's correct. The introspection API is protected with different
>> authentication mechanisms by different providers. I just wanted to check
>> whether there are any standard types, such as protection with a client Id
>> etc., and check on the feasibility of giving those options.
>>
> Yes, since the spec [1] does not explicitly explain the security
> mechanisms to protect the introspect endpoint, different vendors might be using
> different techniques. We need to come up with a common way to provide
> security credentials (user credentials, token, etc.) when using the
> introspect endpoint from the microgateway.
>
>>
>>>> [1]
>>>>
>>>>>
>>>>> Please share your thoughts regarding this.
>>>>>
>>>>> [1] - [keyManager]
>>>>> serverUrl="https://localhost:9443"
>>>>> username="admin"  // to connect with key validation admin service
>>>>> password="admin"
>>>>> tokenContext="oauth2"
>>>>> timestampSkew=5000
>>>>>
>>>>> [2] - [keyManager]
>>>>> serverUrl="https://localhost:9443"
>>>>> username="admin"  // to connect with key validation admin service
>>>>> password="admin"
>>>>> tokenContext="oauth2"
>>>>> timestampSkew=5000
>>>>> external = true
>>>>>
>>>>> --
>>>>> *Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
>>>>> (m) +94-717-064-214 |  (e) rajithr@wso2.com <shenavi@wso2.com>
>>>>> blog: http://www.rajithr.com
>>>>>
>>>>> <https://wso2.com/signature>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Harsha Kumara*
>>>>
>>>> Technical Lead, WSO2 Inc.
>>>> Mobile: +94775505618
>>>> Email: harshak@wso2.coim
>>>> Blog: harshcreationz.blogspot.com
>>>>
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>>>
>>>
>>>
>>
>>
>
>


-- 
*Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
(m) +94-717-064-214 |  (e) rajithr@wso2.com <shenavi@wso2.com>
blog: http://www.rajithr.com

<https://wso2.com/signature>
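
The following is an added example, not code from the microgateway or any WSO2 project, of what a gateway-side client for the proposed [keymanager.security.*] tables does on the wire: it authenticates to the introspect endpoint with HTTP Basic, or with a bearer token obtained through the client credentials grant, the password grant, or a directly configured token, and it renews that bearer token through the refresh table when the introspect endpoint rejects it. Everything it talks to is a constructed in-process stand-in for a third-party authorization server. The token and introspect paths, the client and user credentials, the 60-second token lifetime, the pre-provisioned refresh token and the single-use refresh-token rotation are all assumptions made for the example, and the proposed configuration is passed in as a plain dict with the same table and key names rather than parsed from TOML.

```python
# Added example (not WSO2 code): an RFC 7662 introspection client driven by the proposed tables.
import base64

class FakeAuthServer:  # constructed stand-in for a third-party OAuth2 server; paths stand in for URLs
    def __init__(self):
        self.now, self.issued, self.refresh = 1000.0, 0, {"rt-seed": "gw-client"}  # fake clock; one pre-provisioned refresh token
        self.clients, self.users = {"gw-client": "gw-secret"}, {"admin": "admin"}
        self.tokens = {"user-opaque-1": {"client_id": "app1", "scope": "read", "exp": 9999.0}}

    def post(self, path, hdrs, form):
        if path == "/oauth2/token":                                       # RFC 6749 token endpoint
            cid, g = form.get("client_id"), form.get("grant_type")
            if self.clients.get(cid, object()) != form.get("client_secret"):
                return 401, {"error": "invalid_client"}
            if not (g == "client_credentials"
                    or g == "password" and self.users.get(form.get("username"), object()) == form.get("password")
                    or g == "refresh_token" and self.refresh.pop(form.get("refresh_token"), None) == cid):
                return 400, {"error": "invalid_grant"}                     # refresh tokens are single use (popped above)
            self.issued += 1
            at, rt = f"at-{self.issued}", f"rt-{self.issued}"
            self.tokens[at], self.refresh[rt] = {"client_id": cid, "scope": form.get("scope", ""), "exp": self.now + 60}, cid
            return 200, {"access_token": at, "refresh_token": rt, "expires_in": 60}
        if path == "/oauth2/introspect":                                  # RFC 7662; the caller must authenticate
            auth = hdrs.get("Authorization", "")
            if auth.startswith("Basic "):
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                ok = self.users.get(user) == pw
            else:
                ok = auth.startswith("Bearer ") and self.tokens.get(auth[7:], {"exp": 0})["exp"] > self.now
            if not ok:
                return 401, {"error": "unauthorized"}
            tok = self.tokens.get(form.get("token"))
            if tok is None or tok["exp"] <= self.now:
                return 200, {"active": False}                              # reveal nothing about why
            return 200, {"active": True, **tok}
        return 404, {}

class IntrospectionClient:
    def __init__(self, cfg, post, introspect_path="/oauth2/introspect"):  # the path is an assumption
        self.cfg, self.post, self.path = cfg, post, introspect_path
        self.access, self.refresh_tok = None, None

    def _grant(self, url, form):                                          # RFC 6749 token request
        status, body = self.post(url, {}, form)
        if status != 200:
            raise RuntimeError(f"token endpoint refused: {body.get('error')}")
        self.access, self.refresh_tok = body["access_token"], body.get("refresh_token", self.refresh_tok)

    def _acquire(self):                                                   # first bearer token
        o = self.cfg["oauth2"]
        if o.get("directToken", {}).get("enabled"):                       # statically configured token
            self.access = o["directToken"]["accessToken"]
            return
        for table, gt in (("clientCredential", "client_credentials"), ("password", "password")):
            c = o.get(table, {})
            if c.get("enabled"):
                extra = {k: c[k] for k in ("username", "password") if k in c}  # password grant only
                return self._grant(o["tokenUrl"], {"grant_type": gt, "client_id": c["clientId"],
                                   "client_secret": c["clientSecret"], "scope": c.get("scopes", ""), **extra})
        raise RuntimeError("no oauth2 credential source enabled")

    def _renew(self):                                                     # refresh_token grant, RFC 6749 section 6
        r = self.cfg["oauth2"].get("refresh", {})
        rt = self.refresh_tok or r.get("refreshToken")
        if not (r.get("enabled") and rt):
            return self._acquire()                                        # no refresh configured: start over
        self._grant(r["refreshUrl"], {"grant_type": "refresh_token", "refresh_token": rt, "client_id": r["clientId"],
                                      "client_secret": r["clientSecret"], "scope": r.get("scopes", "")})

    def introspect(self, token):                                          # RFC 7662 request for an opaque token
        b = self.cfg.get("basic", {})
        basic = b.get("enabled")
        if not basic and self.access is None:
            self._acquire()
        hdr = "Basic " + base64.b64encode(f"{b['username']}:{b['password']}".encode()).decode() if basic else "Bearer " + self.access
        status, body = self.post(self.path, {"Authorization": hdr}, {"token": token})
        if status == 401 and not basic:                                   # bearer expired or revoked: renew, retry once
            self._renew()
            status, body = self.post(self.path, {"Authorization": "Bearer " + self.access}, {"token": token})
        if status != 200:
            raise RuntimeError(f"introspection failed: HTTP {status} {body}")
        return body

def run_scenarios():  # drive the four proposed modes against the fake server and report what happened
    srv, out, tok, creds = FakeAuthServer(), {}, "user-opaque-1", {"clientId": "gw-client", "clientSecret": "gw-secret"}
    c = IntrospectionClient({"basic": {"enabled": True, "username": "admin", "password": "admin"}}, srv.post)
    out["basic_active"], out["basic_unknown"] = c.introspect(tok)["active"], c.introspect("nope")["active"]
    c = IntrospectionClient({"oauth2": {"tokenUrl": "/oauth2/token", "clientCredential": {"enabled": True, **creds},
                             "refresh": {"enabled": True, "refreshUrl": "/oauth2/token", **creds}}}, srv.post)
    out["cc_active"], first = c.introspect(tok)["active"], c.access
    srv.now += 61                                                         # past the 60 s lifetime: server answers 401
    out["cc_after_expiry"], out["cc_rotated"] = c.introspect(tok)["active"], c.access != first
    pw = {"oauth2": {"tokenUrl": "/oauth2/token", "password": {"enabled": True, "username": "admin", "password": "admin", **creds}}}
    out["pw_active"] = IntrospectionClient(pw, srv.post).introspect(tok)["active"]
    direct = {"oauth2": {"directToken": {"enabled": True, "accessToken": "stale"},
                         "refresh": {"enabled": True, "refreshUrl": "/oauth2/token", "refreshToken": "rt-seed", **creds}}}
    out["direct_recovered"], out["issued"] = IntrospectionClient(direct, srv.post).introspect(tok)["active"], srv.issued
    return out
```

run_scenarios() exercises all four modes in turn: Basic against a valid and an unknown token, client credentials followed by a refresh after the 60-second lifetime, the password grant, and a direct token the server no longer accepts that is rescued by the pre-provisioned refresh token. The fake server answers a bare {"active": false} for unknown or expired tokens, which is what RFC 7662 asks of a real server, and the client treats a 401 from the introspect endpoint as the signal to renew its own credential and retries only once, so a misconfigured refresh table surfaces as an error rather than a loop.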



_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

