Add opaque api key validation logic

Author: Naduni Pamudika

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/APIKeyInfo.java

@@ -22,6 +22,8 @@ public class APIKeyInfo {
     private String keyType;
     private String lastUsedTime;
     private String createdTime;
+    private String salt;
+    private String lookupKey;
     private long validityPeriod;
     private byte[] properties;
     private String apiKeyHash;
@@ -68,6 +70,22 @@ public void setCreatedTime(String createdTime) {
         this.createdTime = createdTime;
     }
 
+    public String getSalt() {
+        return salt;
+    }
+
+    public void setSalt(String salt) {
+        this.salt = salt;
+    }
+
+    public String getLookupKey() {
+        return lookupKey;
+    }
+
+    public void setLookupKey(String lookupKey) {
+        this.lookupKey = lookupKey;
+    }
+
     public long getValidityPeriod() {
         return validityPeriod;
     }

components/apimgt/org.wso2.carbon.apimgt.eventing/src/main/java/org/wso2/carbon/apimgt/eventing/EventPublisherType.java

@@ -30,6 +30,7 @@ public enum EventPublisherType {
     GLOBAL_CACHE_INVALIDATION,
     TOKEN_REVOCATION,
     API_KEY_USAGE,
+    API_KEY_INFO,
     ASYNC_WEBHOOKS,
     ORGANIZATION_PURGE,
     LLMPROVIDER_EVENT

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java

@@ -110,7 +110,7 @@ public InboundProcessorResponseDTO authenticate(InboundMessageContext inboundMes
                             apiKey, tenantDomain, payload);
                     ApiKeyAuthenticatorUtils.validateAPIKeyRestrictions(payload, inboundMessageContext.getUserIP(),
                             apiContext, apiVersion, inboundMessageContext.getRequestHeaders().
-                                    get(APIMgtGatewayConstants.REFERER));
+                                    get(APIMgtGatewayConstants.REFERER), null);
                     APIKeyValidationInfoDTO apiKeyValidationInfoDTO = GatewayUtils.validateAPISubscription(apiContext, apiVersion,
                             payload, splitToken[0]);
                     String endUserToken = ApiKeyAuthenticatorUtils.getEndUserToken(apiKeyValidationInfoDTO, jwtConfigurationDto,

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/inbound/websocket/Authentication/ApiKeyAuthenticator.java

@@ -26,6 +26,7 @@
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.gateway.GatewayAPIDTO;
 import org.wso2.carbon.apimgt.api.gateway.GraphQLSchemaDTO;
+import org.wso2.carbon.apimgt.api.model.APIKeyInfo;
 import org.wso2.carbon.apimgt.api.model.LLMProviderInfo;
 import org.wso2.carbon.apimgt.api.model.VHost;
 import org.wso2.carbon.apimgt.common.gateway.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator;
@@ -58,6 +59,7 @@ public class DataHolder {
     private Map<String,Map<String, API>> tenantAPIMap  = new HashMap<>();
     private Map<String, Boolean> tenantDeployStatus = new HashMap<>();
     private Map<String, LLMProviderInfo> llmProviderMap = new HashMap<>();
+    private Map<String, APIKeyInfo> apiKeyInfoHashMap = new HashMap<>();
     private final Map<String, Cache<String, Long>> apiSuspendedEndpoints = new ConcurrentHashMap<>();
     private final ConcurrentMap<String, AbstractAPIMgtGatewayJWTGenerator> jwtGeneratorTenantMap =
             new ConcurrentHashMap<>();
@@ -147,6 +149,35 @@ public static DataHolder getInstance() {
         return Instance;
     }
 
+    /**
+     * Adds a new opaque api key info.
+     *
+     * @param apiKeyInfo the api key info to add
+     */
+    public void addOpaqueAPIKeyInfo(APIKeyInfo apiKeyInfo) {
+
+        apiKeyInfoHashMap.put(apiKeyInfo.getLookupKey(), apiKeyInfo);
+    }
+
+    /**
+     * Returns opaque api key info for the given lookup key
+     *
+     */
+    public APIKeyInfo getOpaqueAPIKeyInfo(String lookupKey) {
+
+        return apiKeyInfoHashMap.get(lookupKey);
+    }
+
+    /**
+     * Removes an opaque api key info.
+     *
+     * @param apiKeyHash the api key hash to remove
+     */
+    public void removeOpaqueAPIKeyInfo(String apiKeyHash) {
+
+        apiKeyInfoHashMap.remove(apiKeyHash);
+    }
+
     public void addApiToAliasList(String apiId, List<String> aliasList) {
 
         apiToCertificatesMap.put(apiId, aliasList);

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/internal/DataHolder.java

@@ -0,0 +1,108 @@
+/*
+ *  Copyright (c) 2026, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  WSO2 Inc. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.gateway.listeners;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.apimgt.api.model.APIKeyInfo;
+import org.wso2.carbon.apimgt.gateway.internal.DataHolder;
+import org.wso2.carbon.apimgt.impl.APIConstants;
+
+import javax.jms.JMSException;
+import javax.jms.Message;
+import javax.jms.MessageListener;
+import javax.jms.TextMessage;
+import javax.jms.Topic;
+import java.util.HashMap;
+
+public class OpaqueAPIKeyMessageListener implements MessageListener {
+
+    private static final Log log = LogFactory.getLog(OpaqueAPIKeyMessageListener.class);
+
+    public void onMessage(Message message) {
+
+        try {
+            if (message != null) {
+                if (log.isDebugEnabled()) {
+                    log.debug("Event received in JMS Event Receiver - " + message);
+                }
+                Topic jmsDestination = (Topic) message.getJMSDestination();
+                if (message instanceof TextMessage) {
+                    String textMessage = ((TextMessage) message).getText();
+                    JsonNode payloadData =  new ObjectMapper().readTree(textMessage).path(APIConstants.EVENT_PAYLOAD).
+                            path(APIConstants.EVENT_PAYLOAD_DATA);
+
+                    if (APIConstants.TopicNames.OPAQUE_API_KEY_INFO.equalsIgnoreCase(jmsDestination.getTopicName())) {
+                        if (payloadData.get(APIConstants.NotificationEvent.API_KEY_HASH).asText() != null) {
+                            /*
+                             * This message contains opaque api key data
+                             */
+                            handleOpaqueAPIKeyInfoMessage(payloadData.get(APIConstants.ENCODED_API_KEY_INFO).asText());
+                        }
+                    }
+                } else {
+                    log.warn("Event dropped due to unsupported message type " + message.getClass());
+                }
+            } else {
+                log.warn("Dropping the empty/null event received through jms receiver");
+            }
+        } catch (JMSException | JsonProcessingException e) {
+            log.error("JMSException occurred when processing the received message ", e);
+        }
+    }
+
+    private void handleOpaqueAPIKeyInfoMessage(String apiKeyInfoEvent) {
+
+        if (StringUtils.isEmpty(apiKeyInfoEvent)) {
+            return;
+        }
+        HashMap<String, Object> opaqueApiKeyInfoMap = base64Decode(apiKeyInfoEvent);
+        if (opaqueApiKeyInfoMap.containsKey(APIConstants.NotificationEvent.LOOKUP_KEY) &&
+                opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.LOOKUP_KEY) != null) {
+            APIKeyInfo apiKeyInfo = new APIKeyInfo();
+            apiKeyInfo.setLookupKey((String) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.LOOKUP_KEY));
+            apiKeyInfo.setApiKeyHash((String) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.API_KEY_HASH));
+            apiKeyInfo.setApplicationId((String) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.APPLICATION_ID));
+            apiKeyInfo.setSalt((String) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.SALT));
+            apiKeyInfo.setKeyType((String) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.KEY_TYPE));
+            apiKeyInfo.setValidityPeriod((Long) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.VALIDITY_PERIOD));
+            apiKeyInfo.setStatus((String) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.STATUS));
+            apiKeyInfo.setProperties((byte[]) opaqueApiKeyInfoMap.get(APIConstants.NotificationEvent.ADDITIONAL_PROPERTIES));
+            DataHolder.getInstance().addOpaqueAPIKeyInfo(apiKeyInfo);
+        }
+    }
+
+    private HashMap<String, Object> base64Decode(String encodedOpaqueAPIKeyInfo) {
+
+        byte[] eventDecoded = Base64.decodeBase64(encodedOpaqueAPIKeyInfo);
+        String eventJson = new String(eventDecoded);
+        ObjectMapper objectMapper = new ObjectMapper();
+        try {
+            return objectMapper.readValue(eventJson, HashMap.class);
+        } catch (JsonProcessingException e) {
+            log.error("Error while decoding opaque api key event.");
+        }
+        return new HashMap<>();
+    }
+}

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/OpaqueAPIKeyMessageListener.java

@@ -51,8 +51,12 @@
 import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 
 import javax.cache.Cache;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
 import java.util.Base64;
 import java.util.HashMap;
+import java.util.Properties;
 
 /**
  * This class contains the common utility methods required for API Key authentication.
@@ -279,11 +283,28 @@ public static void checkTokenExpired(boolean isGatewayTokenCacheEnabled, String
      * @throws APISecurityException If the API Key is not allowed to access the API.
      */
     public static void validateAPIKeyRestrictions(JWTClaimsSet payload, String clientIP, String apiContext,
-                                                  String apiVersion, String referer) throws APISecurityException {
+                                                  String apiVersion, String referer, byte[] additionalProperties)
+            throws APISecurityException, APIManagementException {
 
         String permittedIPList = null;
-        if (payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_IP) != null) {
-            permittedIPList = (String) payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_IP);
+        String permittedRefererList = null;
+        if (payload != null) {
+            if (payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_IP) != null) {
+                permittedIPList = (String) payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_IP);
+            }
+            if (payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER) != null) {
+                permittedRefererList = (String) payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER);
+            }
+        } else {
+            try {
+                // Taking values from the DB for an opaque API key
+                ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(additionalProperties));
+                Properties props = (Properties) ois.readObject();
+                permittedIPList = props.getProperty("permittedIP");
+                permittedRefererList = props.getProperty("permittedReferer");
+            } catch (IOException | ClassNotFoundException e) {
+                throw new APIManagementException("Error while parsing API key additional properties", e);
+            }
         }
         if (StringUtils.isNotEmpty(permittedIPList)) {
             // Validate client IP against permitted IPs
@@ -304,11 +325,6 @@ public static void validateAPIKeyRestrictions(JWTClaimsSet payload, String clien
                         "Access forbidden for the invocations");
             }
         }
-
-        String permittedRefererList = null;
-        if (payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER) != null) {
-            permittedRefererList = (String) payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER);
-        }
         if (StringUtils.isNotEmpty(permittedRefererList)) {
             // Validate http referer against the permitted referrers
             if (StringUtils.isNotEmpty(referer)) {

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/ApiKeyAuthenticatorUtils.java

@@ -696,7 +696,11 @@ public static AuthenticationContext generateAuthenticationContext(String tokenSi
         AuthenticationContext authContext = new AuthenticationContext();
         authContext.setAuthenticated(true);
         authContext.setApiKey(tokenSignature);
+        if (payload != null) {
         authContext.setUsername(payload.getSubject());
+        } else {
+            authContext.setUsername(apiKeyValidationInfoDTO.getEndUserName());
+        }
 
         if (apiKeyValidationInfoDTO != null) {
             authContext.setApiTier(apiKeyValidationInfoDTO.getApiTier());
@@ -720,7 +724,7 @@ public static AuthenticationContext generateAuthenticationContext(String tokenSi
             authContext.setGraphQLMaxComplexity(apiKeyValidationInfoDTO.getGraphQLMaxComplexity());
         }
         // Set JWT token sent to the backend
-        if (StringUtils.isNotEmpty(endUserToken)) {
+        if (StringUtils.isNotEmpty(endUserToken) && endUserToken != null) {
             authContext.setCallerToken(endUserToken);
         }
         return authContext;

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java

@@ -827,6 +827,7 @@ private AI() {
     public static final String BLOCKING_CONDITIONS_STREAM_ID = "org.wso2.blocking.request.stream:1.0.0";
     public static final String TOKEN_REVOCATION_STREAM_ID = "org.wso2.apimgt.token.revocation.stream:1.0.0";
     public static final String API_KEY_USAGE_STREAM_ID = "org.wso2.apimgt.api.key.usage.stream:1.0.0";
+    public static final String API_KEY_INFO_STREAM_ID = "org.wso2.apimgt.api.key.info.stream:1.0.0";
     public static final String CACHE_INVALIDATION_STREAM_ID = "org.wso2.apimgt.cache.invalidation.stream:1.0.0";
     public static final String NOTIFICATION_STREAM_ID = "org.wso2.apimgt.notification.stream:1.0.0";
     public static final String WEBHOOKS_SUBSCRIPTION_STREAM_ID = "org.wso2.apimgt.webhooks.request.stream:1.0.0";
@@ -2333,6 +2334,7 @@ public enum RegistryResourceTypesForUI {
     public static final String BLOCK_CONDITION_TYPE = "conditionType";
     public static final String BLOCK_CONDITION_VALUE = "conditionValue";
     public static final String REVOKED_TOKEN_KEY = "revokedToken";
+    public static final String ENCODED_API_KEY_INFO = "encodedApiKeyInfo";
     public static final String REVOKED_TOKEN_EXPIRY_TIME = "expiryTime";
     public static final String EVENT_TYPE = "eventType";
     public static final String EVENT_WAITING_TIME_CONFIG = "EventWaitingTime";
@@ -3286,6 +3288,7 @@ public static class TopicNames {
         public static final String TOPIC_CACHE_INVALIDATION = "cacheInvalidation";
         public static final String TOPIC_KEY_MANAGER = "keyManager";
         public static final String TOPIC_NOTIFICATION = "notification";
+        public static final String OPAQUE_API_KEY_INFO = "opaqueApiKeyInfo";
         public static final String TOPIC_ASYNC_WEBHOOKS_DATA = "asyncWebhooksData";
     }
 
@@ -3360,15 +3363,24 @@ public static class NotificationEvent {
 
         public static final String TOKEN_TYPE = "token_type";
         public static final String USAGE_TYPE = "usage_type";
+        public static final String INFO_TYPE = "info_type";
         public static final String TOKEN_REVOCATION_EVENT = "token_revocation";
-        public static final String API_KEY_USAGE_EVENT = "key_usage";
+        public static final String API_KEY_USAGE_EVENT = "api_key_usage";
+        public static final String API_KEY_INFO_EVENT = "api_key_info";
         public static final String CONSUMER_APP_REVOCATION_EVENT
                 = "consumer_app_revocation_event";
         public static final String SUBJECT_ENTITY_REVOCATION_EVENT
                 = "subject_entity_revocation_event";
         public static final String CONSUMER_KEY = "consumer_key";
         public static final String API_KEY_HASH = "apiKeyHash";
         public static final String API_KEY = "apiKey";
+        public static final String SALT = "salt";
+        public static final String LOOKUP_KEY = "lookupKey";
+        public static final String KEY_TYPE = "keyType";
+        public static final String ADDITIONAL_PROPERTIES = "additionalProperties";
+        public static final String APPLICATION_ID = "applicationId";
+        public static final String VALIDITY_PERIOD = "validityPeriod";
+        public static final String STATUS = "status";
         public static final String EVENT_ID = "eventId";
         public static final String TENANT_ID = "tenantId";
         public static final String TENANT_DOMAIN = "tenant_domain";