[APIM] Cannot secure APIs with Mutual TLS and OAuth2

[APIM] Cannot secure APIs with Mutual TLS and OAuth2

Johann Nallathamby
APIM Team,

In API Manager it seems like if we check the option to secure APIs using Mutual TLS security AND OAuth2 security for APIs, API Manager checks if either of the mechanisms is in place. There is no way to enforce both on an API. There are a good number of customers who want to enforce both at the same time for APIs, for additional security. Naturally, Mutual TLS is more secure than OAuth2 tokens; however, for throttling and analytics to work we need to enforce OAuth2 as well. Otherwise customers could bypass throttling and analytics.

I would have thought ticking both checkboxes means both have to be enforced. Isn't that a more reasonable behavior? Can we support both 'AND' and 'OR'?

Thanks & Regards,
Johann.

--
Johann Dilantha Nallathamby | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [hidden email]

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [APIM] Cannot secure APIs with Mutual TLS and OAuth2

Johann Nallathamby
Also a related question to this:
The latest version of IS supports service-provider-wise certificate uploading for mutual TLS authentication and private key JWT authentication. So I guess if APIM uses that feature internally to manage the mapping between OAuth2 client and certificates, throttling and analytics will work seamlessly even without the need for OAuth2 access tokens.

Again, currently I think the story is a little disconnected between IS and API Manager. We need to revisit the full story here and fill the gaps.
1. What IS has implemented is mutual TLS and private key JWT authentication for the token endpoint, which is what it hosts.
2. API Manager has to implement securing APIs with mutual TLS and private key JWT.
3. Both will internally use the service provider certificate mapping feature of IS.

Then the full story is complete I suppose.

Any thoughts?

[1] "[Architecture] OAuth clients based on a trusted CA" in [hidden email]

Thanks & Regards,
Johann.

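The AND/OR question in the first mail and the certificate-to-client mapping idea in the follow-up, as an added example that is not WSO2 code: a toy gateway policy in Python. In OR mode a caller presenting only a client certificate is admitted with no application identity, so per-application throttling and analytics have nothing to key on; a certificate-to-client mapping restores that identity, and AND mode additionally requires a token bound to the same client. All fingerprints, tokens and client ids are constructed sample values.

```python
"""Added example, not WSO2 code: a toy gateway policy that shows why OR-ing
mutual TLS and OAuth2 lets a cert-only caller bypass per-application
throttling/analytics, and how an AND mode plus a certificate-to-client
mapping (as IS offers per service provider) closes the gap."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (hypothetical values, not real fingerprints or tokens).
TRUSTED_CERT_FPS = {"sha256:cert-app-A"}                        # gateway trust store
TOKEN_TO_CLIENT = {"tok-app-A": "app-A", "tok-app-B": "app-B"}  # key manager's view
CERT_TO_CLIENT = {"sha256:cert-app-A": "app-A"}                 # per-client cert mapping

@dataclass
class Request:
    client_cert_fp: Optional[str]  # fingerprint verified at the TLS layer, None if no cert
    bearer_token: Optional[str]    # Authorization: Bearer ..., None if absent

@dataclass
class Decision:
    allowed: bool
    client_id: Optional[str]  # identity used for throttling/analytics; None = unthrottled
    reason: str

def authorize(req: Request, mode: str,
              cert_to_client: Optional[Dict[str, str]] = None) -> Decision:
    """mode='OR' reproduces the reported behaviour (either mechanism suffices);
    mode='AND' requires both and, when a mapping is given, the certificate
    must belong to the same client as the token."""
    cert_ok = req.client_cert_fp in TRUSTED_CERT_FPS
    cert_client = (cert_to_client or {}).get(req.client_cert_fp) if cert_ok else None
    token_client = TOKEN_TO_CLIENT.get(req.bearer_token)
    if mode == "OR":
        if token_client:
            return Decision(True, token_client, "oauth2")
        if cert_ok:  # without a mapping client_id is None: the throttling bypass
            return Decision(True, cert_client, "mtls")
        return Decision(False, None, "no valid credential")
    if mode == "AND":
        if not cert_ok:
            return Decision(False, None, "mtls failed")
        if not token_client:
            return Decision(False, None, "oauth2 failed")
        if cert_to_client is not None and cert_client != token_client:
            return Decision(False, None, "certificate not bound to token's client")
        return Decision(True, token_client, "mtls+oauth2")
    raise ValueError(f"unknown mode {mode!r}")
```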
Re: [APIM] Cannot secure APIs with Mutual TLS and OAuth2

Harsha Kumara-2
In reply to this post by Johann Nallathamby


On Tue, Mar 5, 2019 at 4:57 AM Johann Nallathamby <[hidden email]> wrote:
> I would have thought ticking both checkboxes means both have to be enforced. Isn't that a more reasonable behavior? Can we support both 'AND' and 'OR'?

It's a good idea to support both. We need to tweak our implementation to support this.

--
Harsha Kumara

Associate Technical Lead, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com

Re: [APIM] Cannot secure APIs with Mutual TLS and OAuth2

Chathura Ekanayake
In reply to this post by Johann Nallathamby


On Tue, Mar 5, 2019 at 5:56 PM Johann Nallathamby <[hidden email]> wrote:
> Also a related question to this:
> The latest version of IS supports service-provider-wise certificate uploading for mutual TLS authentication and private key JWT authentication. So I guess if APIM uses that feature internally to manage the mapping between OAuth2 client and certificates, throttling and analytics will work seamlessly even without the need for OAuth2 access tokens.
>
> Again, currently I think the story is a little disconnected between IS and API Manager. We need to revisit the full story here and fill the gaps.
> 1. What IS has implemented is mutual TLS and private key JWT authentication for the token endpoint, which is what it hosts.
> 2. API Manager has to implement securing APIs with mutual TLS and private key JWT.
> 3. Both will internally use the service provider certificate mapping feature of IS.

+1 for supporting both authentication methods.
In this case, does the APIM gateway use a separate gateway-specific certificate to establish a mutual TLS connection with the KM? If we want to use the same client certificate for this connection, do we have to provide both the private and public keys of the client to the gateway?