I'm working with an older (v1.9) version of wso2 and we are trying to basically have an endpoint with optional authentication on it. If the security on the resource is set to None, if a request comes in with a token (authenticated) it does not get sent to the backend. Is there some way to force wso2 v1.9 to do the authentication on such a route and forward the JWT to the backend if there is an Authorization header set?
In API Manager v1.9, by default it removes the Auth header from the message context and it won't pass to the backend service [1].
There is a property called RemoveOAuthHeadersFromOutMessage where you can disable removing this header [2].
But this is a system-wide config and it affects all the APIs in the system. If you set this value to false, for all the APIs it does not drop the Auth header. In that case, you can use a global sequence or custom sequence [3] to drop this auth header selectively.
Another workaround:
You can use a custom handler [4] and apply this handler before the API security handler. In this handler, you can copy the auth header value to a different header and then using a custom sequence you can copy the custom header value to auth header again. In this case you don't need to change the value for RemoveOAuthHeadersFromOutMessage. But in the handler, you have to perform this operation selectively.
[1] - https://github.com/wso2/carbon-apimgt/blob/1.2.5/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/oauth/OAuthAuthenticator.java#L96
[2] - https://docs.wso2.com/display/AM191/Working+with+Access+Tokens
[3] - https://docs.wso2.com/display/AM191/Adding+Mediation+Extensions
[4] - https://docs.wso2.com/display/AM191/Writing+Custom+Handlers
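The "drop it selectively" part of the first option above, written out as a Synapse sequence. This is an added example, not code from the answer or from WSO2. It assumes RemoveOAuthHeadersFromOutMessage has been set to false (so the gateway no longer strips the header itself), that the sequence is deployed as the global in-sequence under the name the mediation-extensions doc [3] uses for it (verify the name against your version), and that the API name pattern is a placeholder for the one API that is allowed to receive the client's token. The secure default is kept: every other API gets the header removed.

```xml
<!-- Global in-sequence: strip the Authorization header for every API
     except an allow-listed one. Assumes RemoveOAuthHeadersFromOutMessage=false
     in api-manager.xml. Sequence name and API name pattern are assumptions. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="WSO2AM--Ext--In">
    <!-- SYNAPSE_REST_API carries the name of the API being invoked,
         in the provider--name:vVersion form the gateway uses -->
    <filter source="get-property('SYNAPSE_REST_API')"
            regex="admin--TokenForwardingAPI:v.*">
        <then>
            <!-- allow-listed API: the backend is expected to validate the
                 forwarded token itself, so the header is left in place -->
            <log level="custom">
                <property name="auth-header" value="forwarded to backend"/>
            </log>
        </then>
        <else>
            <!-- every other API: restore the default and remove it -->
            <header name="Authorization" scope="transport" action="remove"/>
        </else>
    </filter>
</sequence>
```

Because the filter falls through to removal, adding a new API never silently starts forwarding client tokens; the allow-list has to be extended on purpose.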
I have a requirement that I need to validate 3rd party Authorization Server access token in wso2 API manager. If token active and valid then allow resource
imho as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with wso2 esb mediations). For this option you will lose some apim capabilities (throttling, authorization, analytics).
You should be aware that the default authorization handler would clean the Authorization header (as far as I know), so you may need to add a custom handler to preserve the original header value.
I need to pass the Authorization header from API Manager (WSO2) to my Service Bus application (Oracle).
I saw in another post that I can't do that, because the API will validate the token against the key manager and drop that token before calling the back end. (How to pass authorization header in WSO2 OAuth2 and its backend API server Oauth2?)
Is there any alternative to pass the token from API Manager to my service bus application?
Are there some additional settings for that?
In conf/api-manager.xml, change the value of "RemoveOAuthHeadersFromOutMessage" to false. The Authorization header will not be removed and you can access it in your sequence, then you can set it as the request header to your backend. Not sure whether this is what you want or not.
One option would be to send same oauth token in another custom header and then by adding a custom mediation sequence in the api manager, set that custom header to Authorization header and then send it to backend server.
https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend
We are trying to use the API Manager (1.10) to call an existing API (POST) that already uses an Authorization header token. I tried several things, including using mediation according to an article entitled "Pass a Custom Authorization Token to the Backend", and that didn't seem to work.
I finally tried setting the "Auth Type" to "None", which according to the documentation should just pass the API call directly to the backend (including the authorization header). This didn't work either. The call gets to the backend service but seems to lose the Authorization header, so it throws a 400 error (the same error I get when I leave out the header and call the backend API directly using SoapUI).
Any help would be appreciated!
If you followed the instructions here, it should work.
I have implemented this for several projects and I can attest it did work.
You may turn on wire logs via configuring log4j.properties, inspect the wire log and see what happens.
If you want to have authorization (oauth token validation) at the API gateway as well as want to pass the custom authorization header to back end, you will need to follow the setup described in the documentation[1].
If you want to disable authorization at the API gateway level by setting the authorization type[2] to "none" and want to pass the Authorization header (custom) from client to the back end through the API gateway, you need to do the following steps.
By default, the API gateway will drop the "Authorization" header without sending it to the backend[3]. To send the Authorization header to the backend through the API gateway, uncomment the following property and set its value to "false" in <wso2am-home>/repository/conf/api-manager.xml:
<RemoveOAuthHeadersFromOutMessage>false</RemoveOAuthHeadersFromOutMessage>
[1] https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend
[2] https://docs.wso2.com/display/AM1100/Key+Concepts#KeyConcepts-HTTPmethods
[3] https://docs.wso2.com/display/AM1100/FAQ#FAQ-HowcanIremovetheauthenticationheadersfromthemessagegoingoutoftheAPIGatewaytothebackend
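The custom-header approach that both this answer and the earlier one point to (send the backend credential in a second header, and let a mediation sequence turn it into the Authorization header the backend sees), written out as a Synapse in-sequence. This is an added example, not the documented sequence from [1] or the answerer's code. The header name "Custom" is an assumption; use whatever name the client sends the backend credential in. The sequence also handles the case the second question ran into: if the custom header is missing, the call is rejected at the gateway instead of being forwarded without credentials.

```xml
<!-- In-sequence attached to one API. Copies the client's custom header to
     Authorization for the backend, and refuses the call if it is absent.
     Header name "Custom" is an assumption. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="custom-auth-header-to-backend">
    <!-- read the custom transport header into a message property -->
    <property name="backend.token" expression="get-property('transport', 'Custom')"/>
    <filter source="get-property('backend.token')" regex=".+">
        <then>
            <!-- With OAuth enabled on the API the gateway has already validated
                 and removed the client's OAuth header by the time the in-sequence
                 runs, so setting Authorization here does not clash with it -->
            <header name="Authorization" scope="transport"
                    expression="get-property('backend.token')"/>
            <!-- do not also leak the custom header to the backend -->
            <header name="Custom" scope="transport" action="remove"/>
        </then>
        <else>
            <!-- no backend credential supplied: fail at the gateway rather than
                 forward an unauthenticated request -->
            <property name="HTTP_SC" value="401" scope="axis2"/>
            <payloadFactory media-type="json">
                <format>{"error":"missing backend credential header"}</format>
                <args/>
            </payloadFactory>
            <respond/>
        </else>
    </filter>
</sequence>
```

With this in place the client's OAuth token never reaches the backend and the backend credential never reaches the key manager, which is the separation the documented approach is meant to give you. If you instead set "Auth Type" to "None" and rely on RemoveOAuthHeadersFromOutMessage=false, remember that the backend then receives whatever the client put in Authorization, unvalidated, and must check it itself.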
I am using WSO2 API manager 1.7. What I want is that when WSO2 API manager gets a REST API call then I want to pass 2 additional parameters to Endpoint gateway API. So e.g. API manager get 3 params then I want to pass 2 more static params to endpoint URL.
How can I achieve that? Please help.
Thanks
Parvendra
You can append a sequence to the exposed API and add these parameters in a header. You can add a sequence to the API Manager by following the doc below[1]. Similarly, you can add the required header using a header mediator as shown in [2].
[1] https://docs.wso2.com/display/AM170/Adding+Mediation+Extensions
[2] https://docs.wso2.com/display/ESB481/Header+Mediator
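The header-mediator approach from the answer, written out as a sequence. This is an added example, not the answerer's code; header names and values are placeholders. Because the question asked for the parameters on the endpoint URL rather than in headers, the second half goes beyond the answer and appends them as query parameters by extending REST_URL_POSTFIX, the axis2 property the gateway appends to the endpoint address; the filter is there because that postfix may already carry a query string.

```xml
<!-- In-sequence adding two static values for the backend, first as headers
     (the answer's approach) and then as query parameters (beyond the answer).
     Names and values are placeholders. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="add-static-backend-params">
    <!-- static transport headers the backend expects -->
    <header name="X-Channel" value="api-gateway" scope="transport"/>
    <header name="X-Source-System" value="partner-portal" scope="transport"/>

    <!-- REST_URL_POSTFIX holds the sub-path (and any query string) that the
         gateway appends to the endpoint URL; pick the separator accordingly -->
    <filter source="get-property('axis2', 'REST_URL_POSTFIX')" regex=".*\?.*">
        <then>
            <property name="REST_URL_POSTFIX" scope="axis2"
                      expression="fn:concat(get-property('axis2', 'REST_URL_POSTFIX'), '&amp;channel=api-gateway&amp;source=partner-portal')"/>
        </then>
        <else>
            <property name="REST_URL_POSTFIX" scope="axis2"
                      expression="fn:concat(get-property('axis2', 'REST_URL_POSTFIX'), '?channel=api-gateway&amp;source=partner-portal')"/>
        </else>
    </filter>
</sequence>
```

A caveat for the backend side: a header or parameter set by the gateway is only a trustworthy signal if the backend cannot be reached except through the gateway; a client that can call the backend directly can set the same values itself.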
WSO2 APIM by default supports OAuth2 for securing APIs. If I want to secure my APIs with other standard mechanisms such as Basic or a custom authorization mechanism (e.g. based on XML body element values of the request), what is the approach I should follow?
The documentation talks about writing a custom handler (link). I guess this handler is invoked at the transport level, which will apply to all the API requests over that transport?
Does APIM support adding other security mechanisms (e.g. Basic) for each API when an API is added by the publisher? And if so, does that happen inside the ESB proxy service sequence or before it hits the proxy service?
The API Manager UI supports only OAuth-based security; you can modify the synapse configuration of the API to support Basic auth to validate based on the HTTP header. Custom authentication can be supported through a handler. A reference to the handler has to be included in each API that you want to secure using the custom logic. This can be done by modifying the synapse config of the API.
You need to write a custom authentication handler and set it as a handler configuration for that specific API.
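What "a reference to the handler in the API's synapse config" looks like, as an added example that is not from the answers or from WSO2. It also covers the ordering point from the very first answer on this page: a handler that needs the incoming Authorization header must sit before the OAuth security handler in the chain. The handler class names under com.example are placeholders for your own subclasses of Synapse's AbstractHandler (the WSO2 class names are the standard ones shipped with 1.x; the throttling and extension handlers are shown abbreviated). The backend URL and API name are constructed.

```xml
<!-- Synapse API definition with the handler chain made explicit.
     API name, context, backend URL and the com.example classes are placeholders. -->
<api xmlns="http://ws.apache.org/ns/synapse" name="admin--OrdersAPI:v1.0.0"
     context="/orders" version="1.0.0" version-type="url">
    <resource methods="POST GET" url-mapping="/*">
        <inSequence>
            <send>
                <endpoint name="admin--OrdersAPI_APIproductionEndpoint_0">
                    <http uri-template="https://backend.example.internal/orders"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
    </resource>
    <handlers>
        <!-- Runs BEFORE the OAuth handler, so it still sees the client's
             Authorization header and can copy it to another header for a
             sequence to restore later (first answer's workaround). The
             property is passed to the handler's matching setter. -->
        <handler class="com.example.gateway.PreserveAuthHeaderHandler">
            <property name="targetHeader" value="X-Forwarded-Authorization"/>
        </handler>
        <!-- For Basic or body-based authentication instead of OAuth, replace
             this line with your custom authentication handler; the custom
             handler then decides whether the request proceeds to the backend -->
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.APIThrottleHandler">
            <property name="id" value="A"/>
            <property name="policyKey" value="gov:/apimgt/applicationdata/tiers.xml"/>
        </handler>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
    </handlers>
</api>
```

Handlers run top to bottom before the in-sequence, which answers the "before it hits the proxy" question: the decision is made per API, at the gateway, and only for the APIs whose definitions list the handler. Two things to check after editing: that the handler class is on the gateway's classpath, and that the edit survives republishing the API, since the publisher regenerates this file.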