I'm a newer in wso2 and having some confusions regarding subscribers who log into the developer portal for subscribe to APIs. In fact,i created a user with the role internal\subscriber and internal\selfsignup and after logging in with this user, I expected that he could only see the APIs created and subscribed to them with the applications created in the /publisher page, but it seems that this user has the possibility to create these own applications and I do not see how to withdraw these privileges. I want it to use also the apps created in /publisher.
Best regards
The question is a little confusing. Please find the basic ideas of API visibility and API subscription availability below.
You can create applications in the devportal or store portal
You can create APIs in the publisher portal
In general, when you create an API in the publisher portal and publish it without any role visibility restrictions, anyone can view those APIs. To view these publicly available APIs in devportal, you don't even have to log in to the devportal. This is can be viewed in anonymous mode.
In case if you have restricted the API visibility in devportal based on roles, then only the users with the allowed roles can view those APIs.
Similar to API visibility, you also can control the API subscription in the devportal. The subscription availability option will only be displayed if there are tenants in your environment.
Please refer to the official document for more details on this topic.
Related
I am using wso2 apim 4.0.0. Some dozen of apis are deployed and published on it by admin user. Consequently the provider of those apis is admin(in wso2 db). The question that I would like to ask is if it possible to change api provider to another user. If it is then how to do that?
I tried to change it directly in wso2am_db (wso2 api manager database), but haven't succeeded.
this is not possible. Provider is user who created api. You can log in like admin, delete your api. Log in(in publisher or restfull api) like a different user and then create/deploy your api.
The API Provider will always be the user who creates the API. Directly updating the tables may result in data inconsistency. If you want to show it as owned by a different user in Developer Portal, you can add that user as Business Owner of the API, under Business Info.
I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?
Also,
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.
If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.
The Service provider is generally used for generating application keys to get an access token to invoke the apis.
OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.
In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.
I am designing a product which would be deployed to AWS. It will use Cognito for user authentication. It will be a multi-tenant application.
The application has many modules/features. The pricing depends on the features selected by the client.
Please provide guidance on how can I implement a check if the feature is licensed or not. I don't want to put the logic inside each web api endpoint.
You should create an application microservice (callable via a API, but with access locked down to your own application) that receives information such as:
Authenticated User ID
Service wanting to be accessed
Resource-level information in case you want fine-grained access control
The authentication microservice would consult a database, apply appropriate business logic and return a success indicator.
Preferably:
Each request should be logged in an audit trail
If access is denied, return an error message that could hint at the reason why (eg 'This feature is requires subscription to the XYZ module')
Use some form of cache to make the queries super-fast (eg DAX for DynamoDB, or ElastiCache)
Licensing systems can often be more complex than actual applications!
using wso2 AM 1.10 I published an API logged in as the default admin user. I tried to create a new user using the management console and assigned the Subsriber role to that user. However when i log in to the store using that user, the published API is not visible. I made sure that the API is set to public while publishing the API. Also, I dont see the options in the manage tab as described here. https://docs.wso2.com/display/AM1100/Key+Concepts#KeyConcepts-APIvisibilityandsubscription
What could be the reason for the newly created subsriber not able to view the pubslished API? What is the criteria for the API to show up in store for the newly created subscriber?
For APIs to be visible, the API needs to be in published state and the user's role needs to have subscriber permissions.
So I may be barking up the wrong tree here, but I have got the api manager working against rest services and can provision users through LDAP.
I can restrict access to certain services by role.
All good so far, however as many users will authenticate through a SPA (AngularJS) and the application will call multiple Rest Services, what I don't want users to have to do, is go to the store and subscribe to all relevant APIs, I would like the users from the LDAP server to be subscribed to all relevant services and have the roles they have limit access to the service.
Is there a way to have authentication done by just being in the identity store and authorization to be managed by the restrict by role setting.
Does this need scripting, is it a setting, or is it impossible?
Thanks in advance
Your requirement isn't supported OOTB in API Manager, still you can do it with little effort.
API Manager provides REST API to subscribe APIs. You can write a client which call the REST API onbehalf of the user and subscribe him.
Have a look on REST API