
Subscription validation for API key is based on an irrelevant param

Open suksw opened this issue 2 years ago • 0 comments

Description:

Currently, we enable subscription validation for API key based on the validateSubscription param in the config of the issuer "https://localhost:9443/publisher". At the time we added this change, the reason was to use a parameter that is separate from the OAuth token configs. Yet, both API keys and OAuth tokens still have the same issuer (https://localhost:9443/oauth2/token) in their JWT payload.

In OAuth token validation we have the following scenarios.

  1. When sub validation for https://localhost:9443/oauth2/token is set to true,

    A. Validation of a token with API details (subscribedApis claim)

    • compares these details with the invoked API. Meant for running with key managers that are not aware of apps, and for standalone mode.

    B. Validation of a token that only has app details (created by the resident key manager)

    • validates these apps together with the invoked API -> against the subscription details received from the control plane. Note: When the control plane is enabled, subscription validation for all issuers is always set to true. https://github.com/wso2/product-microgateway/blob/ea0651985b7dfbcbae9547304edfa72496ab4c2b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/keymgt/KeyManagerHolder.java#L108

  2. When sub validation for https://localhost:9443/oauth2/token is set to false,

  • when the control plane is enabled, it is updated back to true as given in the link above.
  • when the control plane is disabled, any token, as long as it is signed by the correct private key, can invoke any API.

Currently, for API keys,

  1. when sub validation for "https://localhost:9443/publisher" is set to true
  • validation happens as in 1.B.
  • This is to make sure that subscription deletion and subscription blocking take effect even if the API key doesn't expire.
  • Note: The content in the API key token is API-M resident key manager specific, unlike in OAuth access tokens. Therefore, we enable subscription validation for API key by default.
  2. when sub validation for "https://localhost:9443/publisher" is set to false
  • validate as in 1.A.
  • API-M creates API keys that have an infinite validity period by default. To make such keys invalid, the cert with the alias gateway_certificate_alias must be updated.
  • therefore validating the 1.A. way at least limits the API key to one API.

Suggested Fix

Instead of checking the issuer "https://localhost:9443/publisher", check if the control plane is enabled.

  • if control plane is enabled -> validate subscriptions for API key like in 1.B.
  • else -> 1.A.
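The decision logic described above, written as an added example (not enforcer code; all names, the claim layout and the subscription records are assumptions constructed for illustration). It models the two OAuth paths 1.A/1.B, the control-plane override of validateSubscription, and the suggested fix of selecting the API key path by control-plane availability instead of the publisher issuer's flag:

```python
from dataclasses import dataclass, field

# Both token types carry this issuer, as noted in the issue.
OAUTH_ISSUER = "https://localhost:9443/oauth2/token"


@dataclass
class Config:
    control_plane_enabled: bool
    # per-issuer validateSubscription flags (assumed shape, not the real config file)
    validate_subscription: dict = field(default_factory=dict)


def subscription_validation_enabled(cfg: Config, issuer: str) -> bool:
    """With the control plane enabled the flag is forced to true for every issuer."""
    if cfg.control_plane_enabled:
        return True
    return cfg.validate_subscription.get(issuer, False)


def validate_1a(claims: dict, api: str) -> bool:
    """Path 1.A: the token carries API details; compare subscribedApis with the invoked API."""
    return api in claims.get("subscribedApis", [])


def validate_1b(claims: dict, api: str, subscriptions: set) -> bool:
    """Path 1.B: the token carries only app details; look up (app, api) in control-plane data."""
    return (claims.get("application"), api) in subscriptions


def authorize(cfg: Config, claims: dict, api: str, subscriptions: set, token_type: str) -> bool:
    """subscriptions: constructed set of (application, api) pairs 'received from the control plane'."""
    if token_type == "api_key":
        # Suggested fix: decide by control-plane availability, not by the publisher issuer's flag.
        if cfg.control_plane_enabled:
            return validate_1b(claims, api, subscriptions)   # deletion/blocking takes effect
        return validate_1a(claims, api)                      # at least limits the key to one API
    # OAuth token
    if not subscription_validation_enabled(cfg, claims["iss"]):
        return True   # flag false and no control plane: any correctly signed token passes
    if "subscribedApis" in claims:
        return validate_1a(claims, api)
    return validate_1b(claims, api, subscriptions)
```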


suksw, May 03 '22 13:05