Subscription Validation
Subscription validation is configurable on a per-issuer basis. To make subscriptions mandatory, enable subscription validation for the issuer. If validation fails, Choreo Connect sends an error message with error code 900908.
In Choreo Connect, subscription validation can be done in two ways.
- Self-contained token with `subscribedAPIs` claim

  To authorize an API request with a self-contained JWT token under an issuer with subscription validation, the API name and version should be listed under the `subscribedAPIs` claim of the JWT token.

  Note

  When an older version of WSO2 API Manager (3.1.* and below) is used as the Key Manager, it sends the subscribed APIs as a list in the JWT under the `subscribedAPIs` claim. Therefore, the corresponding API name and version must be listed under the `subscribedAPIs` claim to authorize the API request when JWT tokens issued by older API Manager versions are used.

- Event Hub based subscription validation

  For JWTs issued by API Manager, enabling subscription validation requires the Event Hub to fetch Application and Subscription data from WSO2 API Manager.

  The latest versions of API Manager do not include the `subscribedAPIs` claim in the JWT; instead, subscription validation is done using the `[eventhub]`. Refer to the documentation on Event Hub and Subscription Validation Model to understand how Choreo Connect validates subscriptions using Event Hub.
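The self-contained token check described above, as an added Python example that is not Choreo Connect's own code: it reads the issuer's `validateSubscription` setting and then searches the `subscribedAPIs` claim for the requested API name and version. The `name`/`version` entry layout, the issuer table and the sample token are assumptions constructed for illustration, and signature verification is assumed to have happened before this step.

```python
import base64
import json

SUBSCRIPTION_ERROR = 900908  # error code the page gives for failed validation

# Constructed issuer table modelled on [[security.enforcer.tokenService]].
ISSUERS = {
    "https://localhost:9443/oauth2/token": {"validateSubscription": True},
    "https://idp.example.com/token": {"validateSubscription": False},
}

def jwt_claims(token):
    """Decode the payload segment of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_subscription(claims, api_name, api_version, issuers=ISSUERS):
    """Return None if the request may proceed, else the error code."""
    issuer = issuers.get(claims.get("iss"))
    if issuer is None:
        raise ValueError("token issuer is not configured")
    if not issuer.get("validateSubscription", False):  # disabled by default
        return None
    subscribed = claims.get("subscribedAPIs")
    if not isinstance(subscribed, list):  # claim absent or malformed: deny
        return SUBSCRIPTION_ERROR
    for entry in subscribed:
        # Assumed entry layout: {"name": ..., "version": ...}
        if (isinstance(entry, dict) and entry.get("name") == api_name
                and entry.get("version") == api_version):
            return None
    return SUBSCRIPTION_ERROR

def make_token(claims):
    """Build a sample token with a placeholder signature (constructed input)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "sig"])

SAMPLE = make_token({
    "iss": "https://localhost:9443/oauth2/token",
    "subscribedAPIs": [{"name": "PizzaShackAPI", "version": "1.0.0"}],
})
```

A token whose claim lists the API under a different version is rejected just like one without the claim, because name and version must match together.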
Configure Subscription Validation
Subscription validation is disabled by default. You can enable or disable it using the following configuration. Add the following to the `<CHOREO-CONNECT_HOME>/docker-compose/choreo-connect/conf/config.toml` file.
- Configure Event Hub and Key Managers for token authentication.

  To perform subscription validation with the latest versions of API Manager, the `[eventHub]` must be enabled.

  ```toml
  # Configurations for retrieving API and subscription data from API Manager.
  [controlPlane]
    # Set to true to fetch Application and Subscription data from API Manager
    enabled = false
    serviceURL = "https://apim:9443/"
    username = "admin"
    password = "$env{cp_admin_pwd}"
    environmentLabels = ["Default"]
    retryInterval = 5
    # true skips TLS certificate verification for the control plane connection
    skipSSLVerification = true
    # Message broker connection URL of the control plane
    [controlPlane.brokerConnectionParameters]
      eventListeningEndpoints = ["amqp://admin:$env{cp_admin_pwd}@apim:5672?retries='10'&connectdelay='30'"]
  ```
- Enable subscription validation.

  - Enable/disable Subscription Validation for JWT tokens by configuring `validateSubscription` under the corresponding JWT issuer configuration.

    ```toml
    [[security.enforcer.tokenService]]
    name = "Resident Key Manager"
    issuer = "https://localhost:9443/oauth2/token"
    certificateAlias = ""
    # URL of the JWKs endpoint
    jwksURL = ""
    # Validate subscribed APIs
    validateSubscription = true
    # The claim in which the consumer key of the application is coming
    consumerKeyClaim = "azp"
    # Certificate Filepath within enforcer
    certificateFilePath = "/home/wso2/security/truststore/wso2carbon.pem"
    ```