How do I pass a bearer token in wso2 Publisher? - wso2

I am using WSO2 to manage my group's API, so I publish my API to WSO2 Publisher. My API has its own authentication by sending a bearer token. The Swagger document has the Authorize button, but when I import my API definition in WSO2 Publisher, the Authorize button disappears.
I have these questions:
1. How should I send the original bearer token?
2. When I use a Swagger 3 definition, it shows some errors. Is Swagger 3 not supported by the import function?
Does anyone have a suggestion?
My WSO2 version is: WSO2 API-M v4.1.0

WSO2 API Manager does support Swagger2 and Open API Specification (OAS) 3 and above.
And with regard to Bearer tokens in API Manager, you can generate a bearer token using the DevPortal for your APIs. You need to create a new Application and subscribe to your API, and then you can generate a new JWT-based bearer token.
Please check this section in detail - https://apim.docs.wso2.com/en/latest/consume/consume-api-overview/

If your backend is OAuth protected, you can use Endpoint security to add OAuth configs to generate a backend bearer token when calling the API. Take a look at this document. Also, if you want to import backend certificates to API Manager, take a look at this document.

Related

wso2 revoke api is not revoking the token

WSO2 version: WSO2IS-5.7.0
I am doing proof of concept on WSO2 identity server and my goal is to achieve single sign on for the applications.
I generated the JWT token from WSO2 using OAUTH2 token API.
I used the revoke API to revoke the token and I got a 200 response.
I then invoked the introspect token API again and got active:true in the response, but I am supposed to get active:false.
This is a known issue in WSO2 Identity Server 5.7.0. It has been reported here and will be fixed in 5.8.0 GA release.

Can I validate access tokens sent by a third-party OAuth 2.0 Authorization Server in WSO2 API Manager while calling an API

I have a requirement that I need to validate a 3rd party Authorization Server access token in WSO2 API Manager. If the token is active and valid, then allow the resource.
IMHO, as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with WSO2 ESB mediations). With this option you will lose some APIM capabilities (throttling, authorization, analytics).
You should be aware that the default authorization handler would clean the Authorization header (as far as I know), so you may need to add a custom handler to preserve the original header value.

Workplace custom integration authentication

I am trying to develop a custom Workplace widget for SharePoint. But in the documentation, I do not find how to authenticate users! Only with an app access_token or impersonate_token, which is not secure...
Is there an endpoint to generate a bearer access_token via SSO? Or a SAML assertion?
No, you can communicate with Workplace via API only using access_token.

API Manager passing JWT to backend service

A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation, I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backend service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The content is encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point to debug.
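
Added example (not part of the original answer and not WSO2 code): a small debugging helper that pulls the X-JWT-Assertion header out of a captured request, such as one copied from TCPMon, and decodes its header and claims so you can confirm what the gateway forwarded. The sample request, host names and claim names are constructed for illustration; the signature is not verified, so treat the output as diagnostic only and verify the signature against the gateway's public certificate before trusting any claim in the backend.

```python
import base64
import json

def _b64_any(segment: str) -> bytes:
    """Decode a JWT segment in either base64 or base64url, padded or not."""
    s = segment.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)

def find_assertion(raw_request: str):
    """Return the X-JWT-Assertion value from a captured HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jwt-assertion":
            return value.strip()
    return None

def decode_assertion(token: str):
    """Decode header and claims WITHOUT verifying the signature (debug only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64_any(parts[0]))
    claims = json.loads(_b64_any(parts[1]))
    return header, claims

def _make_sample() -> str:
    # Constructed sample request; the claim names and values are illustrative.
    enc = lambda obj: base64.b64encode(json.dumps(obj).encode()).decode()
    tok = ".".join([enc({"typ": "JWT", "alg": "RS256"}),
                    enc({"iss": "gateway.example", "enduser": "alice"}),
                    "c2lnbmF0dXJl"])
    return ("GET /orders HTTP/1.1\r\nHost: backend.example\r\n"
            f"x-jwt-assertion: {tok}\r\n\r\n")

SAMPLE_REQUEST = _make_sample()

if __name__ == "__main__":
    token = find_assertion(SAMPLE_REQUEST)
    if token is None:
        print("X-JWT-Assertion not forwarded by the gateway")
    else:
        header, claims = decode_assertion(token)
        print(header, claims)
```
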

WSO2 Identity Server obtain SAML token for rest call

I have two applications that both support SAML2 SSO using WSO2 Identity Server. During application bootstrap (when no user request is processed yet) I need one of the applications to get information from the other using a REST call. However, this REST call should provide a SAML token for security purposes. I need a way to remotely get a SAML2 token and use it for REST calls. I have read a post about a REST STS client without ESB; however, I can't find sample code on how to get a SAML token for my REST calls. What is the way to obtain such a SAML token? Is there sample source code?
You can follow this blog [1] to get a passive STS sample. But if you are using WSO2 Identity Server 5.0, the user interface is a bit different than in this blog.
[1] http://dulanja.blogspot.com/2013/09/passive-sts-java-sample-with-wso2.html