Decoupling Key Management from WSO2 API Manager


Transcript of Decoupling Key Management from WSO2 API Manager

Last Updated: Aug. 2015

Amila De Silva

Decoupling Key Management from WSO2 API Manager

WSO2 API Manager Team


About the Presenter

๏ Amila joined WSO2 in September 2012. He is an Associate Technical Lead in the WSO2 API Manager team. In addition to his product development efforts, he has provided development support and technology consulting on customer engagements, including customer QuickStart programs.

Introduction

๏ OAuth2 is used for many flows in API Manager
- API Store calls KeyManager to generate CK/CS
- Gateway calls KeyManager to validate token

๏ KeyManager delivers OAuth2 functions needed for API Manager

๏ Before 1.9.0, components were tightly coupled with the KeyManager
- Creating OAuth clients wasn't done through standard APIs
- Token issuing/validation was done by directly accessing DBs.

๏ 1.9.0 allows you to plug in different OAuth2 providers


Why a Third Party OAuth Provider?

● In most deployments, the embedded KM will be used
● Organisations might be interested in using the existing one
○ The existing one already has OAuth2 support.
○ Utilize advanced features.
● Managing two Authorization Servers can cause hassles
○ Organisations have stringent policies when deploying Authorization Servers
○ Bringing a new server into the MZ can be cumbersome
● Risk of losing clients when moving to a new Authorization Server.

Architecture & Implementation

What has changed?

๏ KeyManager interface to represent an OAuth Provider.
- Mapping between Application and OAuth client maintained by consumer key.

๏ Method to fetch Token Details from OAuth Provider
- getTokenMetaData

๏ Four methods to register/manage OAuth Clients
- createApplication(OAuthAppRequest oauthAppRequest)
- updateApplication(OAuthAppRequest oauthAppRequest)
- deleteApplication(String consumerKey)
- retrieveApplication(String consumerKey)

Registering OAuth Clients: Before Decoupling

Registering OAuth Clients: After Decoupling

Retrieving OAuth Clients: Before Decoupling

Retrieving OAuth Clients: After Decoupling

Validating Tokens: Before Decoupling

Validating Tokens: After Decoupling

Does API Manager Support Any OAuth Provider?

๏ The OAuth Provider should support the following APIs
- An API to create clients, which returns the Consumer Key in the response (createApplication method).
- An API to get client details by passing the Consumer Key (retrieveApplication method).
- An API to delete clients by Consumer Key (deleteApplication method).
- An API to update OAuth Clients - optional (updateApplication method).
- An API which can return the details of a token. The response should give the validity of the token, the Consumer Key and the lifetime (getTokenMetadata method).

What else has changed?

๏ Map an existing OAuth client to an AM Application.

Extending Key Validation

Extending Key Validation flow

๏ Gateway calls APIKeyValidationService to get the token validated
- Many operations happen inside a single method

๏ KeyValidationHandler breaks the big method into smaller parts
- validateToken
- validateSubscription
- validateScopes
- generateConsumerToken


Extending Key Validation flow...

๏ validateToken
- For most cases, the existing implementation would work

๏ validateSubscription
- Skipping/changing domain validation

๏ validateScopes
- Relaxing/reducing scope restrictions

๏ generateConsumerToken
- Create different types of tokens

Use case: Supporting Basic Auth

๏ Write an Axis2 handler that runs on the Gateway
- Call APIKeyValidationService

๏ Extend KeyValidationHandler and override the validateToken method
- Validate credentials

๏ Skip validateSubscription - simply return true

๏ Remember to set the Token Type and the Tier.
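The four-step validation flow and the Basic Auth use case above, modelled as an added example (not WSO2's code): `KeyValidationHandler` runs validateToken, validateSubscription, validateScopes and generateConsumerToken in order, with the default validateToken consulting the provider's token metadata (validity, consumer key, lifetime), and `BasicAuthKeyValidationHandler` overriding validateToken, returning true from validateSubscription and setting the token type and tier. The class and field names, the metadata dict shape and the user store are assumptions, not API Manager's real classes.

```python
import base64, hashlib, hmac, os, time
from types import SimpleNamespace

def new_context(credential, api, subscriptions=(), required_scopes=()):
    """What the Gateway hands to key validation (assumed shape, not WSO2's class)."""
    return SimpleNamespace(credential=credential, api=api, subscriptions=set(subscriptions),
                           required_scopes=set(required_scopes), consumer_key="",
                           scopes=set(), token_type="", tier="")

class KeyValidationHandler:
    """The Gateway's single validation call, split into the deck's four overridable steps."""
    def __init__(self, get_token_metadata=None):
        self.get_token_metadata = get_token_metadata   # stands in for KeyManager.getTokenMetaData
    def validate(self, ctx):
        steps = (self.validate_token, self.validate_subscription, self.validate_scopes)
        if not all(step(ctx) for step in steps):
            return False
        self.generate_consumer_token(ctx)
        return True
    def validate_token(self, ctx):
        # Default path: the OAuth provider reports validity, consumer key and lifetime.
        md = self.get_token_metadata(ctx.credential.split(" ", 1)[-1])
        if not (md and md["valid"] and md["issued_at"] + md["lifetime"] > time.time()):
            return False
        ctx.consumer_key, ctx.scopes = md["consumer_key"], set(md["scopes"])
        return True
    def validate_subscription(self, ctx):
        return (ctx.consumer_key, ctx.api) in ctx.subscriptions
    def validate_scopes(self, ctx):
        return ctx.required_scopes <= ctx.scopes
    def generate_consumer_token(self, ctx):
        ctx.token_type = ctx.token_type or "APPLICATION"

class BasicAuthKeyValidationHandler(KeyValidationHandler):
    """The deck's use case: check credentials, skip subscription, set token type and tier."""
    def __init__(self, users):   # constructed demo store; passwords kept only as salted SHA-256
        self.users = {u: (s, hashlib.sha256(s + p.encode()).digest())
                      for u, p in users.items() for s in (os.urandom(16),)}
    def validate_token(self, ctx):
        try:
            user, _, pw = base64.b64decode(ctx.credential.split(" ", 1)[1]).decode().partition(":")
        except Exception:
            return False
        salt, digest = self.users.get(user, (b"", b""))
        if not hmac.compare_digest(hashlib.sha256(salt + pw.encode()).digest(), digest):
            return False
        ctx.consumer_key, ctx.token_type, ctx.tier = user, "APPLICATION_USER", "Unlimited"
        return True
    def validate_subscription(self, ctx):
        return True   # as on the slide: simply return true
```

An expired or unknown token, a missing subscription or a missing scope each stops the chain before generateConsumerToken runs, so the Gateway only receives a token type and tier for requests that passed every step.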

Deployment

How does the Deployment change? Before decoupling

How does the Deployment change? After decoupling

How does the Deployment change? Before decoupling

How does the Deployment change? After decoupling

Contact us!