Inject external Identity Provider into Gatekeeper? #349

Open
brylie opened this issue Apr 6, 2017 · 3 comments

@brylie
Contributor

brylie commented Apr 6, 2017

At a meeting with the FIWARE Foundation developers in Berlin, we discussed integrating the FIWARE Identity Management provider within the API Umbrella Gatekeeper.

screenshot_20170406_115634

The idea would be to use the FIWARE Identity Management component as a store for user data:

screenshot_20170406_115543

@GUI, what are some considerations related to this idea?

cc: @aalonsog @jsalvachua and @fdelavega: what are some clarifications regarding this issue/idea/diagram?

Related to issue/discussion #38

@aalonsog

aalonsog commented Apr 26, 2017

The idea is to include the possibility of configuring API Umbrella to check the validity of API Keys in a remote server. Thus, requests sent to the proxy could include an OAuth2 token instead of the API Key and when reaching the validation step in the gatekeeper it sends a validation request to the external IdP.

This OAuth2 token has to be created by the client using any of the OAuth2 grant types defined in the protocol.

Here is the diagram:

diagram

Note: diagram to be modified in https://bramp.github.io/js-sequence-diagrams/

```
Title: OAuth2 token validation in API Umbrella
Client -> Proxy: (1) API request
Proxy -> Client: (2) 404 needs authorization
Client->OAuth2 IdP: (3) OAuth2 authentication
OAuth2 IdP->Client: (4) access_token
Client->Proxy: (5) Backend request (X-Auth-Header: access-token)
Note right of Proxy: Starts gatekeeper checks
Proxy -> OAuth2 IdP: (6) Validate access_token
OAuth2 IdP->Proxy: (7) Ok + user info (including roles)
Note right of Proxy: Continues gatekeeper checks
Proxy-->Backend: (8) Send request
Backend-->Proxy: (9) Send response
Note right of Proxy: Process response
Proxy->Client: (10) Send processed response
```
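
A sketch of the gatekeeper side of steps 5 to 7 in the comment above, as an added example that is not part of the original thread or of API Umbrella's code. The `introspect` callable, the decision strings, the `expires_at` and `roles` field names and the fake IdP data are all assumptions made for illustration; the sketch fails closed when the IdP is unreachable and bounds how long a validation result is cached.

```python
import time

class IdPUnavailable(Exception):
    """Raised when the validation request to the IdP fails or times out."""

class TokenGatekeeper:
    def __init__(self, introspect, max_cache_ttl=60, clock=time.time):
        self._introspect = introspect  # hypothetical callable: token -> dict or None
        self._max_ttl = max_cache_ttl
        self._clock = clock
        self._cache = {}               # token -> (user_info, cache_deadline)

    def check(self, headers, required_role=None):
        """Steps 5-7 of the diagram: returns (decision, user_info)."""
        token = headers.get("X-Auth-Header", "").strip()
        if not token:
            return "unauthenticated", None
        now = self._clock()
        info, deadline = self._cache.get(token, (None, 0))
        if deadline <= now:
            self._cache.pop(token, None)
            try:
                info = self._introspect(token)        # step 6: ask the IdP
            except IdPUnavailable:
                return "idp_unavailable", None        # fail closed, never allow
            if not info or info.get("expires_at", 0) <= now:
                return "unauthenticated", None
            # Never cache past the token's own expiry; a short cap bounds how
            # long a token revoked at the IdP stays accepted here.
            self._cache[token] = (info, min(info["expires_at"], now + self._max_ttl))
        if required_role and required_role not in info.get("roles", []):
            return "forbidden", None
        return "allow", info

# Constructed stand-in for the IdP: one valid token with roles, one expired.
FAKE_IDP = {
    "tok-valid": {"user": "alice", "roles": ["api-reader"], "expires_at": 1_000_300},
    "tok-old": {"user": "bob", "roles": ["api-reader"], "expires_at": 999_000},
}
calls = []  # records every validation request sent to the fake IdP

def fake_introspect(token):
    calls.append(token)
    if token == "tok-outage":          # constructed token that simulates an outage
        raise IdPUnavailable()
    return FAKE_IDP.get(token)

if __name__ == "__main__":
    gk = TokenGatekeeper(fake_introspect, clock=lambda: 1_000_000)
    print(gk.check({"X-Auth-Header": "tok-valid"}, required_role="api-reader"))
```
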

@GUI
Member

GUI commented May 11, 2017

@aalonsog: Sorry for the delay. I responded over in #38, but we can shift the conversation over here if that would be better.

@aalonsog

aalonsog commented Jun 6, 2017

It's ok, let's discuss this there :)
