I am using wso2 apim 4.0.0. Some dozen of apis are deployed and published on it by admin user. Consequently the provider of those apis is admin(in wso2 db). The question that I would like to ask is if it possible to change api provider to another user. If it is then how to do that?
I tried to change it directly in wso2am_db (wso2 api manager database), but haven't succeeded.
this is not possible. Provider is user who created api. You can log in like admin, delete your api. Log in(in publisher or restfull api) like a different user and then create/deploy your api.
The API Provider will always be the user who creates the API. Directly updating the tables may result in data inconsistency. If you want to show it as owned by a different user in Developer Portal, you can add that user as Business Owner of the API, under Business Info.
Related
I am using wso2 API manager 3.1.0 I want to create the users and roles programatically. Are there any REST APIs available for the carbon console of the APIM to achieve this? I referred to this document
https://apim.docs.wso2.com/en/next/develop/product-apis/restful-apis/ which has only details of the
REST APIs available for API publisher and devportal mainly.
You can use RemoteUserStoreManagerService SOAP service.
See https://docs.wso2.com/display/IS580/Managing+Users+and+Roles+with+APIs
I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?
Also,
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.
If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.
The Service provider is generally used for generating application keys to get an access token to invoke the apis.
OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.
In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.
I’ve configured SSO using JDBC user store for: my application, API Store and API Publisher. When I log in to my application and move to API Store or API Publisher, then I am automatically logged in.
I added Facebook to be the additional Identity Provider according to the documentation: https://docs.wso2.com/display/IS570/Configuring+Facebook.
I can log in on my website using Facebook data, however I am not logged in when I move to API Store or API Publisher. I have to click log in and provide data once again in API Store/Publisher.
Is there a possibility to have logging in via Facebook work the same as using JDBC user store?
I'm using WSO2 IS 5.7.0 and API Manager 2.6.0
Thanks.
I'm confused about how end user authentication works with WSO2 AM.
It looks like by default, WSO2 AM acts as the user authentication server for OAuth flows and hence validates user credentials against those entered via the API Store and stored in the Key Manager. But those users are not end users of the destination APIs, but rather developers who've signed up to build apps to use the APIs. That doesn't make sense to me, so maybe I've misunderstood the documentation?
What I need and would think most other API publishers would need is the ability to authenticate end users against an API publisher's user authentication API, and so have WSO2 AM delegate user authentication to such an external authentication API via a redirect (in case of authorization grant or implicit grant flows) or server-server call (in case of resource owner credentials grant).
How would one go about configuring such a setup, and what's the interface between the WSO2 AM and the external authentication API, for both the redirect and server-server interactions? Can you point me to any documentation or samples of such a setup?
thx,
Chris
My perspective on this is that end users consume apps directly, not APIs. App developers build apps that consume APIs. So this conforms to philosophy of WSO2 API Manager, where it is catering to the app developers.
An API publisher's user authentication API is just another API as far as the API Manager is concerned. You can expose this API through API Manager and have users(or apps in my opinion) invoke the API with specified parameters and get a response(In your case user credentials as parameters and a response based on the authentication of those credentials). What an underlying API does is of no concern to API Manager, it simply facilitates the management of the API invocation.
Often apps make authenticated user-specific requests to APIs to service users using the apps. The OAuth2 resource owner password credentials grant is one of a few OAuth grant options used by apps to obtain user-specific OAuth tokens, and it requires authenticating the user's credentials against the API publisher's user authentication API. For reference, here's apigee's documentation on how to do it.
wso2 APIM has four role models-> admin,creator,publisher and subscriber.
so those who have creator and publisher role can create and publish an api in publisher app(they are developers).
and those who have subscriber role can subscribe to api in store and generate the oath token(they are end users).So whenever a user singup from store will be assigned to subscriber role. so those who have only subscription role are endusers of that api.
so when an end user access the api using the token taken from store, he will be authenticated by APIM.
1.https://docs.wso2.com/display/AM160/User+Roles+in+the+API+Manager
I've seen that the WSO2 API manager version 1.4.0 offer the multi tenant capability, but apart from creating a new tenant in the carbon dashboard how can I have the different store and publisher applications for the different tenants.
My expectation is that I can have two different looks for the two tenants (even just applying different theme to the jaggery application), but I'm loosing where do I have to configure the existance of the tenant and How can I operate as a admin#tenant1 or admin#tenant2 to publish and consume in the store the API.
Thanks
Different theme support is not available. But when you publish an API as a tenant, it will be available in that particular tenant store.
If you create a tenant, it will be a tenant admin. And for that tenant, you can create tenant users with different permissions. (That is login as tenant from management console and create users/roles etc..)
I think you can't change the look and feel for each tenant. In multitenancy you can create multiple tenants and each tenant can publish their APIs, so that will affect and available to only that tenant.
You can log into publisher and store using tenant username and tenant password.