Admin Defined Constraints for Key Manager Application Configurations #4663

@manodyaSenevirathne

Description

Current Limitation

Developers can configure application settings, such as token expiration parameters, without sufficient oversight or enforced restrictions, which poses security risks to the organization. Currently, there is no effective mechanism for administrators to enforce constraints over these application-level configurations.

Suggested Improvement

Enhance the Admin Portal Key Manager Configuration and the Developer Portal key generation workflow to include a mechanism to define and enforce security guardrails that provides:

  • Configurable Guardrails: A new section within the New Key Manager settings where administrators can set rules for application properties.

  • Input Constraints: Ability to define specific limits for fields defined in the connector, such as:

    • Range Limits: Minimum and maximum allowed values for token expiry times (e.g., Application, User, and Refresh tokens).

  • Check during the "Generate Keys" process that compares the developer’s input against the rules set by the administrator.

  • Instant Feedback: Immediate rejection of requests that do not meet the criteria, with clear error messages explaining why the validation failed.

  • Flexible Rule Types

Version

4.7.0
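
The range check and rejection flow proposed above, sketched as an added example (not part of the issue and not the project's code). The field names, limits, and the `validate_key_request` / `generate_keys` helpers are assumptions for illustration; a missing or non-numeric value is treated as a violation so the check fails closed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RangeRule:
    """Admin-defined inclusive bounds, in seconds, for one application property."""
    minimum: int
    maximum: int


# Constructed guardrails an administrator might store with the Key Manager.
# Field names and limits are assumptions, not values from the issue.
ADMIN_RULES = {
    "application_access_token_expiry_time": RangeRule(300, 3600),
    "user_access_token_expiry_time": RangeRule(300, 3600),
    "refresh_token_expiry_time": RangeRule(3600, 86400),
}


def validate_key_request(requested, rules=ADMIN_RULES):
    """Return one message per violated rule; an empty list means the request passes."""
    errors = []
    for field, rule in rules.items():
        raw = requested.get(field)
        if raw is None:
            # Fail closed: an omitted value could fall back to an unbounded default.
            errors.append(f"{field}: value is required by an admin constraint")
            continue
        try:
            value = int(str(raw).strip())
        except ValueError:
            errors.append(f"{field}: '{raw}' is not a whole number of seconds")
            continue
        if not rule.minimum <= value <= rule.maximum:
            errors.append(f"{field}: {value} is outside the allowed range "
                          f"{rule.minimum}-{rule.maximum} seconds")
    return errors


def generate_keys(requested, rules=ADMIN_RULES):
    """Reject before any key is issued, reporting every violation in one response."""
    errors = validate_key_request(requested, rules)
    if errors:
        raise ValueError("Key generation rejected: " + "; ".join(errors))
    return {"status": "accepted", "config": dict(requested)}
```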

Metadata

Projects

Status

In Progress
