API Key Feature #897

Closed
AmaliMatharaarachchi opened this issue Nov 29, 2019 · 8 comments · Fixed by #932

Comments


AmaliMatharaarachchi commented Nov 29, 2019

Describe your problem(s)

Provide STS for API Key issuing. #1094
Provide API Key authentication. #1093

As a developer, I would like to invoke my micro gateway API easily without configuring a key manager.

Describe your solution

Issue simple JWTs in Microgateway. A self-contained JWT token should be issued by Microgateway with secured invocations in mind.

How will you implement it

We can use the API Key (application programming interface key) concept to solve this issue.
The API Key is to be used for authenticating the invocation request.

A self-contained JWT token should be issued as the API key by the Microgateway server without communicating with an external Key Manager. This API key would later be used to authenticate the user when invoking an API.

An endpoint secured with basic authentication should be provided to retrieve the API Key.
When invoking with this API Key, the API key's sub claim could be used to authenticate the user and validate that the user has the privilege.


@praminda

@Rajith90 @hasuniea @nuwand @AmaliMatharaarachchi
API Keys normally have an expiration time, which we can handle with JWT, so that's fine. But how exactly are we going to revoke an API Key? For example, if a user generates a long-living token and that token is stolen, how can we revoke it? Are we planning to use the normal JWT token revocation available in MGW 3.x?

@praminda praminda added this to To do in MGW-3.1.0 via automation Dec 2, 2019

praminda commented Dec 2, 2019

We had a discussion on this:

  • We can't use MGW to push revoked keys to the topic/etcd. Actual key revocation has to happen in the control plane, not in the data plane (MGW).
  • So the suggestion is to use the normal JWT token revocation feature to enforce API key revocation. However, the revoked key should be put into the topic/etcd by a third party. It's not a part of MGW's responsibility.


AmaliMatharaarachchi commented Dec 5, 2019

@Rajith90, @praminda

  • The following configurations will be added to micro-gw.conf:

    [jwtTokenConfig]
    selfJwtIssuer=false          # enable the self JWT issuer
    selfJwtExpirySeconds=600     # expiry time (seconds) for the issued JWT

  • The command would be similar to:

    curl -X GET "https://localhost:9096/token" -H "Authorization: Basic Z2VuZXJhbFVzZXIxOnBhc3N3b3Jk" -k

  • The JWT token has the following sections:

    header - alg, typ, kid
    payload - sub, iss, jti, aud, exp, iat, apiKey (a custom claim indicating this is an API key)
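The flow sketched in this comment, put together end to end as an added example (this is not Microgateway code): basic-auth check at the token endpoint, issuing a self-contained JWT with exactly the header and payload fields listed above, and validating it on invocation, including the jti-based revocation check that praminda's earlier comment places in the control plane. The real gateway signs with the RS256 key from its keystore; an HMAC-SHA256 secret stands in here so the block runs with the standard library alone. Issuer, audience, kid, the user table and the revoked-jti set are constructed sample values; the Authorization header is the one from the curl command above.

```python
"""Added example, not Microgateway code: issue and validate a self-contained
JWT API key. HMAC-SHA256 stands in for the gateway's keystore (RS256) key."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed stand-ins for micro-gw.conf values from the draft config.
ISSUER = "https://localhost:9443/oauth2/token"
AUDIENCE = "http://org.wso2.apimgt/gateway"
KEY_ID = "ballerina"                 # kid; the keyStoreAlias in the draft config
VALIDITY_SECONDS = 600               # validityPeriod / selfJwtExpirySeconds
SIGNING_SECRET = b"constructed-demo-secret"   # replaces the keystore private key

# Constructed user store behind the basic-auth protected /token endpoint.
USERS = {"generalUser1": "password"}

# Revoked jti values. In the design these arrive from the control plane via
# the topic/etcd revocation feed; the gateway only consumes the list.
REVOKED_JTIS = set()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends to the /token endpoint."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def authenticate_basic(authorization: str) -> Optional[str]:
    """Return the user name when the Basic credentials are valid, else None."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:          # bad base64 or non-UTF-8 credentials
        return None
    expected = USERS.get(user)
    # Constant-time compare; unknown users compare against a dummy so timing
    # does not reveal which user names exist.
    ok = hmac.compare_digest(password.encode(), (expected or "\0").encode())
    return user if ok and expected is not None else None


def issue_api_key(user: str, now: Optional[int] = None) -> str:
    """Issue the self-contained JWT API key for an authenticated user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": KEY_ID}
    payload = {
        "sub": user,
        "iss": ISSUER,
        "jti": str(uuid.uuid4()),            # unique id; the handle for revocation
        "aud": AUDIENCE,
        "exp": now + VALIDITY_SECONDS,
        "iat": now,
        "apiKey": True,                      # custom claim marking this as an API key
    }

    def compact(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_api_key(token: str, now: Optional[int] = None):
    """Return (ok, reason, claims). Header and signature are checked before
    any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", None
    # Pin the algorithm and key id; a token naming any other alg is rejected
    # without its signature ever being evaluated.
    if header.get("alg") != "HS256" or header.get("kid") != KEY_ID:
        return False, "bad_header", None
    expected = hmac.new(SIGNING_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad_signature", None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong_issuer_or_audience", None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", None
    if not claims.get("sub"):                # the sub claim identifies the caller
        return False, "no_subject", None
    if claims.get("jti") in REVOKED_JTIS:
        return False, "revoked", None
    return True, "ok", claims


if __name__ == "__main__":
    # The Authorization header from the curl command above (generalUser1:password).
    user = authenticate_basic("Basic Z2VuZXJhbFVzZXIxOnBhc3N3b3Jk")
    key = issue_api_key(user)
    print(user, validate_api_key(key)[:2])
```

The order of checks in `validate_api_key` is the point worth copying: algorithm and kid are pinned and the signature verified before `exp`, `iss`, `aud` or `sub` are read, and the revocation lookup runs last against a list the gateway receives rather than maintains, which matches the control-plane/data-plane split agreed above.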


praminda commented Dec 5, 2019

Shall we add a new TOML table inside [jwtTokenConfig] for the JWT issuer? It would look like:

    [jwtTokenConfig]
    issuer="https://localhost:9443/oauth2/token"
    audience="http://org.wso2.apimgt/gateway"
    certificateAlias="wso2apim"
    [jwtTokenConfig.jwtIssuer]
    enabled = true
    validityPeriod = 600


AmaliMatharaarachchi commented Dec 6, 2019

@praminda +1 thanks. The conf would look similar to:

    [jwtTokenConfig]
    issuer="https://localhost:9443/oauth2/token"
    audience="http://org.wso2.apimgt/gateway"
    certificateAlias="wso2apim"
    validateSubscription=false
    [jwtTokenConfig.jwtIssuer]
    enabled=false
    validityPeriod=600
    keyStoreAlias="ballerina"

@praminda praminda moved this from To do to In progress in MGW-3.1.0 Dec 6, 2019
@AmaliMatharaarachchi

Custom claim "apiKey" will be added to the jwt to indicate when it is an API key.


AmaliMatharaarachchi commented Dec 9, 2019

@nuwand @Rajith90 @praminda
Please correct me if I'm wrong:

  1. We don't restrict this API key to a specific API.
    AFAIU, this API key will be valid for any API in a gateway which has the key (in the keystore). But it will only be valid for the authenticated user (the user in the sub claim).

@AmaliMatharaarachchi

Please find the requested changes below:

  1. Add a new config value to enable subscription validation for the API Key. It would be disabled by default.
  2. No need to differentiate the API Key even if it is provided as a bearer token. Hence, remove the additional API Key claim "apiKey".
  3. Enable apikey as a security schema in the API definition. If only apikey is defined as a security schema in the API, it can be invoked with the API key header.
  4. Provide a lightweight STS for API key generation.
    Provide a new endpoint for the API key issuer: https://localhost:9095/apikey
    Provide a new config file to configure users and APIs for the STS.
  5. User authentication is not needed for API invocation with the API key.
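Items 1, 3 and 5 of this list describe how the gateway decides which credential a request may present and whether the subscription check applies. The following is an added example of that decision logic, not Microgateway code: the API definitions, the request headers and the subscription table are constructed, and the header name `apikey` is assumed from item 3. The key itself is assumed to have already been validated (signature, expiry, revocation); `claims` is its validated payload.

```python
"""Added example, not Microgateway code: select the credential a request may use
from the API definition's security schemes, and apply the optional subscription
check (off by default). All inputs are constructed sample data."""
from typing import Optional, Tuple

API_KEY_HEADER = "apikey"   # header name for the apikey scheme (assumed from item 3)

# Constructed, trimmed OpenAPI-style definitions. Each entry in `security` is one
# alternative the caller may satisfy; this example treats each as a single scheme.
API_KEY_ONLY = {
    "name": "PetStore",
    "securitySchemes": {"apikey": {"type": "apiKey", "in": "header", "name": API_KEY_HEADER}},
    "security": [{"apikey": []}],
}
OAUTH_OR_KEY = {
    "name": "Orders",
    "securitySchemes": {
        "apikey": {"type": "apiKey", "in": "header", "name": API_KEY_HEADER},
        "oauth2": {"type": "oauth2"},
    },
    "security": [{"oauth2": []}, {"apikey": []}],
}

# Constructed subscription table: sub claim -> APIs the user is subscribed to.
SUBSCRIPTIONS = {"generalUser1": {"PetStore"}}


def allowed_schemes(api_def: dict) -> list:
    """Scheme names the API accepts, in the order the definition lists them."""
    return [name for requirement in api_def.get("security", []) for name in requirement]


def extract_credential(api_def: dict, headers: dict) -> Optional[Tuple[str, str]]:
    """Return (scheme, credential) for the first listed scheme the request
    satisfies, or None when nothing acceptable was presented.

    A request carrying only a Bearer token to an API that defines just the
    apikey scheme is refused here, while on an API that also defines oauth2 the
    Bearer value is passed on unchanged (per item 2 an API key presented as a
    bearer token is not treated differently). Header names are matched
    case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for scheme in allowed_schemes(api_def):
        if scheme == "apikey":
            header_name = api_def["securitySchemes"]["apikey"]["name"].lower()
            if lowered.get(header_name):
                return "apikey", lowered[header_name]
        elif scheme == "oauth2":
            kind, _, token = lowered.get("authorization", "").partition(" ")
            if kind.lower() == "bearer" and token:
                return "oauth2", token
    return None


def authorize(api_def: dict, claims: dict, validate_subscription: bool = False) -> Tuple[bool, str]:
    """Authorize an already-validated API key for this API.

    Per item 5 no separate user authentication happens here; the sub claim is
    the caller. Per item 1 the subscription check is disabled unless the
    validateSubscription config is turned on."""
    subject = claims.get("sub")
    if not subject:
        return False, "no_subject"
    if validate_subscription and api_def["name"] not in SUBSCRIPTIONS.get(subject, set()):
        return False, "not_subscribed"
    return True, "ok"
```

With `validate_subscription` left at its default, any key whose `sub` is present reaches any API that accepts the scheme it arrived under, which is exactly the behaviour the earlier comment ("valid for any API in a gateway which has the key") describes; turning the flag on narrows that to the APIs the subject is subscribed to.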

@AmaliMatharaarachchi AmaliMatharaarachchi changed the title JWT Generation Feature API Key Feature Jan 17, 2020
@praminda praminda added this to the 3.1.0-m1 milestone Jan 27, 2020
MGW-3.1.0 automation moved this from In progress to Done Jan 28, 2020
@praminda praminda unpinned this issue Jan 28, 2020
@hasuniea hasuniea modified the milestones: 3.1.0-m1, 3.1.0-beta2, 3.1.0-beta Mar 1, 2020