<div dir="ltr"><div>Hi Eric,<br><br></div><div>So if I understand you correctly, it does not matter if my security-sensitive information is configured directly on the endpoint or via a policy.<br></div>Is this related to <a href="https://issues.jboss.org/browse/APIMAN-460">https://issues.jboss.org/browse/APIMAN-460</a>?</div><div class="gmail_extra"><br><div class="gmail_quote">2015-12-01 13:55 GMT+01:00 Eric Wittmann <span dir="ltr"><<a href="mailto:eric.wittmann@redhat.com" target="_blank">eric.wittmann@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Both the endpoint security configuration information *and* all policy configuration information are encrypted prior to being stored in the API Manager database. I believe that any user with the "Service Read" permission can view that information, so any user who is an Organization Owner or a Service Provider member of the organization that owns the service. Of course, you can define your own roles in apiman, so other roles *may* exist which grant that permission.<br>
<br>
-Eric<br>
<br>
On 12/1/2015 3:03 AM, Ton Swieb wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Eric, Marc,<br>
<br>
Thanks for getting back to me.<br>
<br>
Good point about the security implications of using the custom header<br>
policy. I am assuming that the credentials configured for the endpoint,<br>
like basic auth and mutual SSL, are better secured than the configuration<br>
of a policy.<br>
<br>
What role does someone need to read the custom header policy configuration?<br>
<br>
I am aware that refreshing the token will not be possible with the<br>
current setup. This should not be a problem for now. The tokens will<br>
have a long time to live.<br>
<br>
Regards,<br>
<br>
Ton<br>
<br>
2015-11-30 15:25 GMT+01:00 Eric Wittmann <<a href="mailto:eric.wittmann@redhat.com" target="_blank">eric.wittmann@redhat.com</a>>:<br>
<br>
Fair point. Although BASIC Auth probably isn't recommended either. :)<br>
<br>
On 11/30/2015 8:37 AM, Marc Savy wrote:<br>
<br>
I'll take any further stuff to the ticket - but, my understanding is<br>
that Server-To-Server OAuth2 isn't particularly recommended (Mutual TLS<br>
or similar is preferred).<br>
<br>
That being said, I think you could argue we're just acting as a client<br>
by proxy, so perhaps it's okay.<br>
<br>
On 30/11/2015 13:33, Eric Wittmann wrote:<br>
<br>
Right - at this point a custom policy is probably the only reasonable<br>
approach.<br>
<br>
I've added OAuth support between the Gateway and back-end API as a<br>
feature request here:<br>
<br>
<a href="https://issues.jboss.org/browse/APIMAN-811" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/APIMAN-811</a><br>
<br>
-Eric<br>
<br>
On 11/30/2015 6:31 AM, Marc Savy wrote:<br>
> Hi Ton,<br>
><br>
> Sorry, I forgot to reply to this.<br>
><br>
> In essence, you are correct. There's no in-built mechanism to achieve<br>
> what you want (i.e. gateway acting as an OAuth2 *client*).<br>
><br>
> You could indeed use the simple header policy to store a long-lived<br>
> token, but this should not be considered a particularly secure approach<br>
> (particularly if there's a chance that the token could be exposed<br>
> somehow - e.g. by a user looking at the policy config in the UI).<br>
><br>
> The second issue, which you are undoubtedly aware of, is that there is<br>
> no mechanism to auto-refresh those token(s) once expired.<br>
><br>
> Another option which you could explore is to create a custom policy<br>
> which does the periodic refreshing of tokens for you.<br>
><br>
> Regards,<br>
> Marc<br>
><br>
> On 18/11/2015 15:11, Ton Swieb wrote:<br>
>> Hi Marc,<br>
>><br>
>> That is correct.<br>
>><br>
>> Regards,<br>
>><br>
>> Ton<br>
>><br>
>> 2015-11-18 16:02 GMT+01:00 Marc Savy <<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>>:<br>
>><br>
>> Hi Ton,<br>
>><br>
>> Just to clarify. From what I understand, you're trying to secure<br>
>> communications between the apiman gateway and back-end service using<br>
>> OAuth2/OpenID Connect?<br>
>><br>
>> I.e. you are *not* using OAuth2 simply between the client and the apiman<br>
>> gateway.<br>
>><br>
>> Regards,<br>
>> Marc<br>
>><br>
>> On 18/11/2015 14:34, Ton Swieb wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> I am using Apiman 1.1.8.Final and I want to use a backend service in<br>
>> Apiman which is secured by OAuth.<br>
>> So instead of securing the Apiman side of the service, using the<br>
>> Keycloak OAuth plugin, Apiman needs to forward calls to a service<br>
>> implementation that is secured by OAuth. I have got an OAuth token with<br>
>> a very long time to live (days/weeks/months) which I can use.<br>
>><br>
>> Currently I only see the option to configure BASIC Authentication or<br>
>> MTLS/Two-Way-SSL on the service implementation.<br>
>> Would it be possible to add the HTTP Simple Header policy to the service<br>
>> and set the Authorization header with "Bearer........." or will that be<br>
>> stripped off by Apiman when forwarding the call to the backend service?<br>
>><br>
>> Kind regards,<br>
>><br>
>> Ton<br>
>><br>
>><br>
>> _______________________________________________<br>
>> Apiman-user mailing list<br>
>> <a href="mailto:Apiman-user@lists.jboss.org" target="_blank">Apiman-user@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/apiman-user</a><br>
>><br>
>><br>
><br>
><br>
<br>
<br>
<br>
</blockquote>
</blockquote></div><br></div>
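<p>The thread's conclusion is that apiman has no built-in way to act as an OAuth2 client towards the back-end, that a bearer token pasted into the Simple Header policy is readable by anyone with the "Service Read" permission, and that nothing refreshes it. The example below is added here and is not apiman code nor the custom policy Marc suggests (a real apiman policy is a Java class written against apiman's policy SPI, which this does not use). It shows only the refresh-ahead token caching such a policy would need: the client_credentials grant is performed by an injected callable, the cached token is renewed shortly before it expires with a lock so concurrent requests trigger a single refresh, the outbound <code>Authorization</code> header is built from the cache rather than from stored configuration, and the only thing exposed for logs or a UI is the expiry. The token endpoint is a constructed stub so the code runs offline; <code>ClientCredentialsTokenSource</code>, <code>FakeTokenEndpoint</code> and <code>demo</code> are this example's own names.</p>

```python
"""Refresh-ahead bearer token source for a gateway acting as an OAuth2 client.

Added illustration, not apiman code: apiman policies are Java classes written
against apiman's policy SPI, which is not used here.  The token endpoint is a
constructed stub so the example runs offline.
"""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Token:
    access_token: str
    expires_at: float  # epoch seconds


class ClientCredentialsTokenSource:
    """Caches one access token and renews it before it expires.

    `fetch` performs the client_credentials grant against the authorization
    server and returns (access_token, expires_in_seconds).  A real policy
    would POST to the token endpoint with the gateway's client id/secret here;
    the secret then lives in the policy's configuration, the token never does.
    """

    def __init__(self, fetch: Callable[[], Tuple[str, int]],
                 refresh_ahead: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._refresh_ahead = refresh_ahead  # renew this many seconds early
        self._clock = clock                  # injectable for deterministic tests
        self._lock = threading.Lock()
        self._token: Optional[Token] = None

    def _fresh(self) -> bool:
        # A token counts as fresh only if it outlives the refresh-ahead window.
        return (self._token is not None
                and self._clock() + self._refresh_ahead < self._token.expires_at)

    def get(self) -> str:
        # Fast path: token present and not close to expiry.
        if self._fresh():
            return self._token.access_token
        with self._lock:
            # Re-check under the lock so concurrent callers cause one refresh.
            if not self._fresh():
                access_token, expires_in = self._fetch()
                self._token = Token(access_token,
                                    self._clock() + float(expires_in))
            return self._token.access_token

    def outbound_headers(self) -> Dict[str, str]:
        """Headers to set on the request forwarded to the back-end API."""
        return {"Authorization": "Bearer " + self.get()}

    def describe(self) -> str:
        """Safe for logs/UI: exposes the expiry only, never the token."""
        if self._token is None:
            return "no token cached"
        remaining = max(0, int(self._token.expires_at - self._clock()))
        return "token cached, %ds until expiry" % remaining


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self) -> Tuple[str, int]:
        self.calls += 1
        return "tok-%d" % self.calls, 3600  # access_token, expires_in


def demo() -> Tuple[str, str, str, int]:
    """Walk a simulated clock through one token lifetime."""
    now = [1_000_000.0]
    endpoint = FakeTokenEndpoint()
    source = ClientCredentialsTokenSource(endpoint, refresh_ahead=300,
                                          clock=lambda: now[0])
    first = source.outbound_headers()["Authorization"]   # fetches tok-1
    now[0] += 1800   # halfway through the lifetime: cached token reused
    second = source.outbound_headers()["Authorization"]
    now[0] += 1500   # 3300s in, inside the 300s refresh-ahead window
    third = source.outbound_headers()["Authorization"]   # fetches tok-2
    return first, second, third, endpoint.calls


if __name__ == "__main__":
    print(demo())
```

The refresh-ahead window is what makes this usable on a gateway: a request that arrives a few seconds before expiry still gets a token the back-end will accept, and because the token only ever exists in process memory, viewing the policy configuration in the API Manager shows the client credentials the operator deliberately put there, not a bearer token that was copied in by hand.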