List: wsas-java-dev
Subject: Re: [Dev] Microgateway support authentication via standard introspection
From: Rajith Roshan <rajithr () wso2 ! com>
Date: 2019-12-17 3:50:05
Message-ID: CAL=cp-deTm=NsFXFSU=i5=9ajm3Fvaycoe=vHHOqjUFN9snNxQ () mail ! gmail ! com
On Mon, Dec 16, 2019 at 9:37 PM Harsha Kumara <harshak@wso2.com> wrote:
>
>
> On Mon, Dec 16, 2019 at 9:09 PM Rajith Roshan <rajithr@wso2.com> wrote:
>
>>
>>
>> On Mon, Dec 16, 2019 at 7:57 PM Harsha Kumara <harshak@wso2.com> wrote:
>>
>>>
>>>
>>> On Mon, Dec 16, 2019 at 7:01 PM Rajith Roshan <rajithr@wso2.com> wrote:
>>>
>>>> Hi all,
>>>> Microgateway 3.0.x versions' support for opaque OAuth2 tokens is tightly
>>>> bound to the APIM key manager component. Right now it validates tokens using
>>>> the key validation service of APIM, which does the token validation, scope
>>>> validation, subscription validation (and backend JWT generation if
>>>> enabled).
>>>>
>>>> We will need to provide a way to plug the microgateway into an OAuth2
>>>> server with a standard introspection endpoint for token validation. The
>>>> following limitations would result from using standard introspection.
>>>>
>>>> 1. Subscription validation can not be enforced.
>>>> 2. Rate limiting using application level throttling
>>>> 3. Rate limiting using subscription level throttling
>>>> 4. Completeness of analytics dashboard data
>>>>
>>>> These are the same limitations we have when we use a self-contained JWT
>>>> token from a third-party key manager (STS).
>>>>
>>>> The key manager configuration of the microgateway is below [1]. We can
>>>> add an additional parameter [2] to specify that an external key manager is
>>>> used instead of the WSO2 key manager.
>>>>
>>> Can we check the authentication section of the RFC for the introspection
>>> endpoint and allow flexibility to configure the possible authentication
>>> mechanisms? Basic authentication is basic, but some might use a special
>>> bearer token or the clientId. Can we check [1] and provide the flexibility
>>> to use standard authentication for introspection?
>>>
>> The idea here is to support standard introspection for token validation in
>> the microgateway. When a request comes to the microgateway with a bearer
>> header, it will validate the token using the standard introspection
>> endpoint. It will also support WSO2 key manager (APIM) token validation if
>> external key managers are not used.
>>
> Yes, that's correct. The introspection API is protected with different
> authentication mechanisms by different providers. Just wanted to check
> whether there are any standard types, such as protection with client Id
> etc., and check on the feasibility of giving those options.
>
Yes, since the spec [1] does not explicitly explain the security mechanisms
to protect the introspection endpoint, different vendors might be using
different techniques. We need to come up with a common way to provide security
credentials (user credentials, token, etc.) when using the introspection
endpoint from the microgateway.
>
>>> [1]
>>>
>>>>
>>>> Please share your thoughts regarding this.
>>>>
>>>> [1] - [keyManager]
>>>> serverUrl="https://localhost:9443"
>>>> username="admin" # to connect with key validation admin service
>>>> password="admin"
>>>> tokenContext="oauth2"
>>>> timestampSkew=5000
>>>>
>>>> [2] - [keyManager]
>>>> serverUrl="https://localhost:9443"
>>>> username="admin" # to connect with key validation admin service
>>>> password="admin"
>>>> tokenContext="oauth2"
>>>> timestampSkew=5000
>>>> external = true
>>>>
>>> --
>>>
>>> *Harsha Kumara*
>>>
>>> Technical Lead, WSO2 Inc.
>>> Mobile: +94775505618
>>> Email: harshak@wso2.coim
>>> Blog: harshcreationz.blogspot.com
>>>
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>>
--
*Rajith Roshan* | Associate Technical Lead | WSO2 Inc.
(m) +94-717-064-214 | (e) rajithr@wso2.com <shenavi@wso2.com>
blog: http://www.rajithr.com
<https://wso2.com/signature>
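The exchange discussed in this thread, as an added example that is not part of the original post or of the microgateway code: an RFC 7662 introspection call from the gateway where the way the gateway authenticates to the introspection endpoint is a plug-in (HTTP Basic with client credentials, or a separately issued bearer token), and where the response is turned into an allow/deny decision. The endpoint URL, client credentials, token strings, claims and the in-memory stand-in for the authorization server are all assumptions constructed for the example so it runs offline.

```python
# RFC 7662 token introspection from a gateway with pluggable endpoint auth.
# Added illustration for this thread, not microgateway code: the endpoint URL,
# client credentials, token strings and claims below are all made up.
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import quote

# RFC 7662 s2.1 requires the endpoint to authorise callers but leaves the
# mechanism open, so the gateway takes it as a plug-in that adds whatever the
# provider expects to the outgoing headers and form body.
Authenticator = Callable[[Dict[str, str], Dict[str, str]], None]
# A transport performs the POST and returns (status, body).
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, str]]

def basic_client_auth(client_id: str, client_secret: str) -> Authenticator:
    """HTTP Basic with client credentials; RFC 6749 s2.3.1 form-urlencodes both."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    value = "Basic " + base64.b64encode(raw).decode()

    def apply(headers: Dict[str, str], form: Dict[str, str]) -> None:
        headers["Authorization"] = value
    return apply

def bearer_auth(service_token: str) -> Authenticator:
    """A separately issued bearer token that is allowed to call the endpoint."""
    def apply(headers: Dict[str, str], form: Dict[str, str]) -> None:
        headers["Authorization"] = "Bearer " + service_token
    return apply

@dataclass
class Decision:
    allowed: bool
    reason: str
    claims: Dict[str, object] = field(default_factory=dict)

def introspect(token: str, endpoint: str, auth: Authenticator, transport: Transport, *,
               expected_aud: Optional[str] = None, required_scopes: Iterable[str] = (),
               skew_seconds: int = 5, now: Optional[float] = None) -> Decision:
    """POST the opaque token and turn the RFC 7662 response into allow/deny."""
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    form = {"token": token, "token_type_hint": "access_token"}
    auth(headers, form)
    status, body = transport(endpoint, headers, form)
    if status != 200:
        # A 401 here means the gateway's own credentials were refused: a
        # deployment fault to alert on, not a verdict about the user's token.
        return Decision(False, f"introspection endpoint returned HTTP {status}")
    try:
        resp = json.loads(body)
    except ValueError:
        return Decision(False, "introspection response is not JSON")
    if resp.get("active") is not True:
        return Decision(False, "token inactive", resp)
    t = time.time() if now is None else now
    # Defence in depth: re-check exp locally; skew_seconds mirrors timestampSkew.
    if "exp" in resp and t > float(resp["exp"]) + skew_seconds:
        return Decision(False, "token expired", resp)
    if expected_aud is not None:
        aud = resp.get("aud")
        if expected_aud not in (set(aud) if isinstance(aud, list) else {aud}):
            return Decision(False, "audience mismatch", resp)
    missing = set(required_scopes) - set(str(resp.get("scope", "")).split())
    if missing:
        return Decision(False, "missing scopes: " + " ".join(sorted(missing)), resp)
    return Decision(True, "ok", resp)

# Constructed authorization server standing in for the real one (offline demo).
FAKE_NOW = 1_576_000_000  # fixed clock so the checks are reproducible
FAKE_TOKENS = {
    "opaque-good": {"active": True, "scope": "read:pets write:pets", "aud": "petstore-api", "exp": FAKE_NOW + 3600},
    "opaque-readonly": {"active": True, "scope": "read:pets", "aud": "petstore-api", "exp": FAKE_NOW + 3600},
    "opaque-stale": {"active": True, "scope": "read:pets", "aud": "petstore-api", "exp": FAKE_NOW - 120},  # exercises local exp check
}
FAKE_ACCEPTED = ("Basic " + base64.b64encode(b"microgateway:gw-secret").decode(),
                 "Bearer introspect-svc-token")

def fake_authorization_server(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    if headers.get("Authorization") not in FAKE_ACCEPTED:
        return 401, json.dumps({"error": "invalid_client"})
    claims = FAKE_TOKENS.get(form.get("token", ""))
    # RFC 7662 s2.2: unknown or revoked tokens are reported only as inactive.
    return 200, json.dumps(claims if claims is not None else {"active": False})

def demo() -> Dict[str, Decision]:
    common = dict(endpoint="https://localhost:9443/oauth2/introspect",  # assumed URL
                  transport=fake_authorization_server, expected_aud="petstore-api", now=FAKE_NOW)
    basic = basic_client_auth("microgateway", "gw-secret")
    return {
        "basic_ok": introspect("opaque-good", auth=basic, required_scopes=["read:pets"], **common),
        "bearer_ok": introspect("opaque-good", auth=bearer_auth("introspect-svc-token"), **common),
        "bad_gateway_creds": introspect("opaque-good", auth=basic_client_auth("microgateway", "x"), **common),
        "unknown_token": introspect("opaque-revoked", auth=basic, **common),
        "stale_token": introspect("opaque-stale", auth=basic, **common),
        "scope_short": introspect("opaque-readonly", auth=basic, required_scopes=["write:pets"], **common),
        "wrong_aud": introspect("opaque-good", auth=basic, **{**common, "expected_aud": "billing-api"}),
    }
```

In a real deployment `transport` is an HTTPS POST of the url-encoded form to the configured introspection URL, `required_scopes` comes from the API resource being invoked, and the two `Authenticator` factories are what the `[keyManager]` section would select between. Two points the example makes explicit: a 401 from the endpoint is the gateway's credentials being rejected and should be surfaced as a configuration error rather than reported to the client as an invalid token, and an RFC-compliant server answers `{"active": false}` for anything it does not recognise, so the gateway must not expect an error status for a revoked or unknown token.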
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev