Re: Basic Authentication for APIM Gateway

Re: Basic Authentication for APIM Gateway

Chamod Samarajeewa

On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <[hidden email]> wrote:
Hi Chamod,

Can the user choose to expose an API with either OAuth or Basic authentication with this implementation?

We need to provide basic authentication against the user store configured in the key manager, because most of the time the gateway won't share user stores. Please add local user store authentication support as well. We need to look for a possible caching mechanism for this.

Since we do have mutual authentication as a security scheme, check the best way of providing the basic authentication.

Thanks,
Harsha 

On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <[hidden email]> wrote:
Adding [hidden email].


---------- Forwarded message ---------
From: Nuwan Dias <[hidden email]>
Date: Fri, Feb 15, 2019 at 3:01 PM
Subject: Re: Basic Authentication for APIM Gateway
To: Chamod Samarajeewa <[hidden email]>
Cc: Architecture Team <[hidden email]>, APIM Team <[hidden email]>


Chamod, this email should be sent to [hidden email].

Thanks,
NuwanD.

On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi All,

I have included the information in the Github issue here as well.

Requirements

Provide authentication for the APIM Gateway with basic authentication, which uses usernames and passwords.

Introduction

This feature enables the basic authentication security scheme for the APIM Gateway alongside OAuth2 token-based authentication. The user will be able to use OAuth2 token-based authentication alone, basic authentication alone, or both schemes at the same time.

Approach

[Image attachment: Basic Auth - APIM-GW-2.jpg]

curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu" -H "accept: application/json" -H "Authorization: Basic $(echo -n username:password | base64)"

The API Authentication Handler will forward the request to the Basic Auth Authenticator or the OAuth Authenticator based on the Authorization header of the request.

Thank you. Regards.

On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi All,

I'm working on developing a new feature for APIM Gateway to provide Basic Authentication support. You can find the details in the following Github issue [1]. 

I would really appreciate any feedback. Thank you. 

Best regards,
Chamod.

--
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [hidden email]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


--
Nuwan Dias | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [hidden email]


--
Harsha Kumara

Associate Technical Lead, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
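As an added illustration of the API Authentication Handler dispatch described in the design mail above (example code, not the WSO2 gateway's own): it parses the Authorization header, routes Basic and Bearer credentials only to the schemes the API was published with, and answers anything else with a challenge naming the enabled schemes. The scheme names `basic_auth`/`oauth2`, the `AuthResult` shape and the realm string are assumptions.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Added illustration of the "API Authentication Handler" dispatch from the
# design mail; not the WSO2 gateway's own code. The scheme names "basic_auth"
# and "oauth2", the AuthResult shape and the realm string are assumptions.
REALM = 'realm="APIM Gateway"'


@dataclass
class AuthResult:
    status: int                       # 200 = hand over to the chosen authenticator, 401 = reject
    scheme: Optional[str] = None      # "basic" or "oauth2" when accepted
    username: Optional[str] = None    # set for Basic credentials
    token: Optional[str] = None       # set for Bearer tokens
    challenge: Optional[str] = None   # WWW-Authenticate value on 401


def basic_header(username: str, password: str) -> str:
    """Build the header the curl example sends: "Basic " + base64(user:pass)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(param: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic credential (RFC 7617); None when it is malformed.

    Only the first ':' separates user from password, so a password that
    itself contains ':' survives. Strict base64 validation means padding
    or alphabet errors are rejected instead of decoding to garbage.
    """
    try:
        text = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    if not user or any(c in user for c in "\r\n\x00"):
        return None
    return user, password


def route_request(authorization: Optional[str], api_schemes: Set[str]) -> AuthResult:
    """Choose the authenticator from the Authorization header.

    api_schemes is what the API was published with: {"oauth2"},
    {"basic_auth"} or both. A credential type the API did not enable is
    rejected even if well-formed, and every 401 carries a challenge that
    lists exactly the enabled schemes.
    """
    parts = []
    if "basic_auth" in api_schemes:
        parts.append("Basic " + REALM)
    if "oauth2" in api_schemes:
        parts.append("Bearer " + REALM)
    challenge = ", ".join(parts)

    if not authorization:
        return AuthResult(401, challenge=challenge)
    scheme, _, param = authorization.strip().partition(" ")
    scheme, param = scheme.lower(), param.strip()

    if scheme == "basic" and "basic_auth" in api_schemes:
        creds = parse_basic_credentials(param)
        if creds is None:
            return AuthResult(401, challenge=challenge)
        return AuthResult(200, scheme="basic", username=creds[0])
    if scheme == "bearer" and "oauth2" in api_schemes:
        if not param:
            return AuthResult(401, challenge=challenge)
        return AuthResult(200, scheme="oauth2", token=param)
    # Unknown scheme, or a scheme this particular API was not published with.
    return AuthResult(401, challenge=challenge)
```

The authenticator that receives a `200` result still has to verify the credential against the user store or token store; this block only decides which one gets the request.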

Re: Basic Authentication for APIM Gateway

Harsha Kumara-2
Hi Chamod,

Can the user choose to expose an API with either OAuth or Basic authentication with this implementation?

We need to provide basic authentication against the user store configured in the key manager, because most of the time the gateway won't share user stores. Please add local user store authentication support as well. We need to look for a possible caching mechanism for this.

Since we do have mutual authentication as a security scheme, check the best way of providing the basic authentication.

Thanks,
Harsha 

On Fri, Feb 15, 2019 at 9:07 PM Chamod Samarajeewa <[hidden email]> wrote:


Re: Basic Authentication for APIM Gateway

Chamod Samarajeewa
Hi Harsha,

Yes, the user can expose an API with either OAuth, Basic auth or even both with this implementation. Thank you.

Best Regards,
Chamod. 

On Fri, Feb 15, 2019 at 9:34 PM Harsha Kumara <[hidden email]> wrote:

Re: Basic Authentication for APIM Gateway

Chamod Samarajeewa
Hi all,

We have currently used the AuthenticationAdmin service to authenticate a user given the username and password (Basic Authentication). The next step is to validate whether the scopes bound to a resource match the user's roles. In this case, we might have to access the Key Manager several times, as listed below.

1) Validate the user based on username and password
2) Check whether the resource has a scope and, if so, request the scopes
3) Request the user's roles if scopes are bound to the resource

We thought we could minimize the performance degradation that can happen due to multiple requests to the Key Manager as below.

Solution:

When a user publishes an API, the scopes bound to the API should be added to the Synapse config. Then, at runtime, we can read the Synapse configuration of the API to check whether the resource has a scope bound to it and, if so, which scopes, without calling the Key Manager.

I would really appreciate any feedback. Thank you. 

Best regards,
Chamod.


On Sat, Feb 16, 2019 at 9:10 PM Chamod Samarajeewa <[hidden email]> wrote:

Re: Basic Authentication for APIM Gateway

Nuwan Dias
Yes, if we can maintain the resources and their respective scopes in the synapse definition, we can avoid doing another call to the KM (and the DB) at the point of token validation.

Also, Chamod, I guess we will have to come up with a design for how to keep that information in the synapse XML.

On Thu, Feb 21, 2019 at 2:27 PM Chamod Samarajeewa <[hidden email]> wrote:

Re: Basic Authentication for APIM Gateway

Chathura Ekanayake
[hidden email] if we send the username, password and resource to the KM, can't we get the required result from a single call to the KM?

Agree with Nuwan that we can reduce a DB call at the KM if we store scopes in the synapse definition. Then we can send the username, password and scope (instead of the resource) to the KM.

On Thu, Feb 21, 2019 at 2:33 PM Nuwan Dias <[hidden email]> wrote:
Yes, if we can maintain the resources and their respective scopes at the synapse definition, we can avoid doing another call to KM (and the DB) at the point of token validation.

Also Chamod I guess we will have to come up with a design of how to keep those information in the synapse XML. 

On Thu, Feb 21, 2019 at 2:27 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi all,

We have currently used the AuthenticationAdmin service to authenticate a user given the username and password(Basic Authentication). The next step is to validate whether the scopes bound to a resource are matched with the user roles. In this case, we might have to access the KeyManager several times as mentioned below.

1) Validate user based on username and password
2) To check whether the resource has a scope and if so request the scopes
3) Request user roles if scopes are bound to the resource

We thought we can minimize the performance degradation which can happen due to multiple requests to the Key Manager as below.

Solution :

When a user publishes an API, the scopes bound to the API should be added to the Synapse-config. Then, at the runtime we can read the synapse configuration of API to check whether the resource has a scope bound and if so what are the scopes without calling the Key Manager. 

I would really appreciate any feedback. Thank you. 

Best regards,
Chamod.


On Sat, Feb 16, 2019 at 9:10 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi Harsha,

Yes, the user can expose API either OAuth, Basic auth or even both with this implementation. Thank you.

Best Regards,
Chamod. 

On Fri, Feb 15, 2019 at 9:34 PM Harsha Kumara <[hidden email]> wrote:
Hi Chamod,

Can user choose to expose API either OAuth or Basic authentication with this implementation?

We need to provide basic authentication agaist user store configured in the key manager. Because most of the timee, gateway won't share user stores. Please add the local user store authentication support as well. We need to look for possible caching mechanism for this.

Since we do have mutual authentication as a security scheme, check the best way of providing the basic authentication

Thanks,
Harsha 

On Fri, Feb 15, 2019 at 9:07 PM Chamod Samarajeewa <[hidden email]> wrote:

On Fri, Feb 15, 2019 at 5:18 PM Harsha Kumara <[hidden email]> wrote:
Hi Chamod,

Can user choose to expose API either OAuth or Basic authentication with this implementation?

We need to provide basic authentication agaist user store configured in the key manager. Because most of the timee, gateway won't share user stores. Please add the local user store authentication support as well. We need to look for possible caching mechanism for this.

Since we do have mutual authentication as a security scheme, check the best way of providing the basic authentication

Thanks,
Harsha 

On Fri, Feb 15, 2019 at 4:59 PM Chamod Samarajeewa <[hidden email]> wrote:
Adding [hidden email].


---------- Forwarded message ---------
From: Nuwan Dias <[hidden email]>
Date: Fri, Feb 15, 2019 at 3:01 PM
Subject: Re: Basic Authentication for APIM Gateway
To: Chamod Samarajeewa <[hidden email]>
Cc: Architecture Team <[hidden email]>, APIM Team <[hidden email]>


Chamod, this email should be sent to [hidden email].

Thanks,
NuwanD.

On Fri, Feb 15, 2019 at 2:37 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi All,

I have included the information in the Github issue here as well.

Requirements


Provide authentication for APIM Gateway with basic authentication which uses usernames and passwords.

Introduction


Providing feature of enabling basic authentication security schema to product APIM Gateway along with OAuth2 token-based authentication. The user will be benefited with using only OAuth2 token based authentication alone, using basic authentication alone and using both schemas at the same time.


Approach


Basic Auth - APIM-GW-2.jpg

curl -k -X GET "https://10.100.0.201:8243/pizzashack/1.0.0/menu" -H "accept: application/json" -H "Authorization: Basic $(echo -n username:password | base64)"


The API Authentication Handler will forward the request to Basic Auth Authenticator or OAuth Authenticator based on the authorization header of the request.

Thank you. Regards.

On Fri, Feb 15, 2019 at 2:20 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi All,

I'm working on developing a new feature for APIM Gateway to provide Basic Authentication support. You can find the details in the following Github issue [1]. 

I would really appreciate any feedback. Thank you. 

Best regards,
Chamod.

--
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [hidden email]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


--
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [hidden email]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


--
Nuwan Dias | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [hidden email]
Signature.jpg


--
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [hidden email]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


--
Harsha Kumara

Associate Technical Lead, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


--
Chamod Samarajeewa | Software Engineer | WSO2 Inc.
(m) +94710397382 | Email: [hidden email]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture



Re: Basic Authentication for APIM Gateway

Rajith Roshan
What if we include the scopes as properties when generating the synapse definition? In each resource we can add properties where the property key identifies the resource uniquely and the property value specifies the scopes.
In the synapse config, if the same resource path is used with multiple HTTP methods, then only one <resource> tag will be created. So in the property key's value we should incorporate both the HTTP method and the resource path in order to uniquely identify the resource.

On Tue, Feb 26, 2019 at 11:13 AM Chathura Ekanayake <[hidden email]> wrote:
[hidden email], if we send the username, password and resource to the KM, can't we get the required result from a single call to the KM?

Agree with Nuwan that we can reduce a DB call at the KM if we store scopes in the synapse definition. Then we can send the username, password and scope (instead of the resource) to the KM.

On Thu, Feb 21, 2019 at 2:33 PM Nuwan Dias <[hidden email]> wrote:
Yes, if we can maintain the resources and their respective scopes in the synapse definition, we can avoid doing another call to the KM (and the DB) at the point of token validation.

Also, Chamod, I guess we will have to come up with a design for how to keep that information in the synapse XML.

On Thu, Feb 21, 2019 at 2:27 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi all,

We have currently used the AuthenticationAdmin service to authenticate a user given the username and password (Basic Authentication). The next step is to validate whether the scopes bound to a resource match the user's roles. In this case, we might have to access the Key Manager several times, as mentioned below.

1) Validate the user based on username and password
2) Check whether the resource has a scope and, if so, request the scopes
3) Request the user's roles if scopes are bound to the resource

We thought we could minimize the performance degradation that can result from multiple requests to the Key Manager as below.

Solution:

When a user publishes an API, the scopes bound to the API should be added to the Synapse config. Then, at runtime, we can read the synapse configuration of the API to check whether the resource has a scope bound and, if so, what the scopes are, without calling the Key Manager.

I would really appreciate any feedback. Thank you. 

Best regards,
Chamod.


On Sat, Feb 16, 2019 at 9:10 PM Chamod Samarajeewa <[hidden email]> wrote:
Hi Harsha,

Yes, the user can expose the API with either OAuth, Basic auth or even both with this implementation. Thank you.

Best Regards,
Chamod. 

On Fri, Feb 15, 2019 at 9:34 PM Harsha Kumara <[hidden email]> wrote:
Hi Chamod,

Can the user choose to expose the API with either OAuth or Basic authentication with this implementation?

We need to provide basic authentication against the user store configured in the key manager, because most of the time the gateway won't share user stores. Please add the local user store authentication support as well. We need to look for a possible caching mechanism for this.

Since we do have mutual authentication as a security scheme, check the best way of providing the basic authentication.

Thanks,
Harsha 



--
Rajith Roshan | Senior Software Engineer | WSO2 Inc.
(m) +94-717-064-214 |  (e) [hidden email]



Re: Basic Authentication for APIM Gateway

Chamod Samarajeewa
Hi all,

What we have currently decided is to add a property to the APIAuthenticationHandler (in the synapse-config) which declares a Base64-encoded JSON object. This JSON object contains the scopes and roles of all the resources in the API. This way, we can access the property value at the handler and check the roles of the user against the roles which are mapped to the scopes of the requested resource. Thank you.

Best regards,
Chamod.

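The flow this thread converges on (the handler dispatching on the Authorization header scheme as in Chamod's first message, Basic credentials checked against a local user store instead of the Key Manager, and scopes with their mapped roles read from a Base64-encoded JSON handler property keyed by HTTP method and path as in Rajith's suggestion and Chamod's final design), as an added Python example that is not the WSO2 gateway's own code. The JSON layout, the "METHOD path" key format, the user store and every name in it are assumptions made here for the demo.

```python
import base64
import hmac
import json

# Constructed sample of the property value the thread proposes to attach to the
# APIAuthenticationHandler: a Base64-encoded JSON object listing each resource's
# scopes and the roles mapped to each scope. "METHOD path" keys are an assumption.
RESOURCE_SCOPES = {
    "GET /menu": {},                                  # no scope bound
    "POST /order": {"order:write": ["customer", "admin"]},
    "DELETE /order": {"order:admin": ["admin"]},
}
HANDLER_PROPERTY = base64.b64encode(json.dumps(RESOURCE_SCOPES).encode()).decode()

# Constructed local user store standing in for the Key Manager's AuthenticationAdmin
# service (plaintext passwords only for this demo; a real store holds hashes).
USER_STORE = {"alice": ("s3cret", {"customer"}), "bob": ("hunter2", {"admin"})}

def basic_header(user, password):
    """Build the header value the thread's curl example sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from a 'Basic <b64>' header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad Base64 or non-UTF-8 bytes
        return None
    return (user, password) if user else None

def authenticate_basic(user, password):
    """Verify credentials against the user store; return the role set or None."""
    stored = USER_STORE.get(user)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return None
    return stored[1]

def authorize(roles, method, path, handler_property=HANDLER_PROPERTY):
    """Match caller roles against the resource's scopes using only the handler property."""
    table = json.loads(base64.b64decode(handler_property))
    scopes = table.get(f"{method.upper()} {path}")
    if scopes is None:  # unknown resource: fail closed rather than skip the check
        return False
    # Every scope on the resource must map to one of the caller's roles (assumption);
    # a resource with no scope needs only a successfully authenticated user.
    return all(roles & set(allowed) for allowed in scopes.values())

def handle_request(headers, method, path):
    """Route on the Authorization scheme the way the API Authentication Handler does."""
    header = headers.get("Authorization", "")
    if header.lower().startswith("bearer "):
        return "oauth"  # handed to the OAuth authenticator (not modelled here)
    creds = parse_basic(header)
    roles = authenticate_basic(*creds) if creds else None
    if roles is None:
        return "401"
    return "200" if authorize(roles, method, path) else "403"
```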