I'm trying to create an unprotected API in an API Product but it always asks for credentials.
I realized that, when you add a resource in an API Product, this resource inherits the source API configuration, so if I disable security for a specific path, it is supposed to replicate this configuration to the resource at API Product level because the security config is disabled in the API Product.
For example, let's suppose there is an API called /user/add and it is unprotected. Then I add this API to an API Product with API key security. When I call the API /user/add without any security header it works properly, but when I call it through the API Product /apiproduct/user/add, access is denied.
Thanks in advance
So I tried finding out about this in general (on a conceptual level but still not many results).
What I want is that different users will be provided with a public API and they can only use it if they have their API key (a common thing done by many existing products/companies).
I read that we can create a custom API key on the API gateway which we then can pass along with the headers or query params and it can be verified either via Cognito/Custom Lambda Authorizer, but according to my understanding that is the only API key which will be shared by all users.
I want each user to have their own API key and use that every time they want to make a request through the API.
I read about creating a custom API via API Gateway on the AWS console itself, or configuring Serverless.yml and adding private: true in the lambda config so that, while deploying, it generates an API key (but again this is not user-specific, so any user can use this to make calls to the API). (Referred to this video here)
Also, I have used Cognito as an authorizer, but there the flow was different in the sense that the user logged in and got an ID token which I used as authentication (and which expires too). But here I just want to generate an API key that users can simply use anytime and anywhere.
I have set up an API GW with multiple resources, one requiring an API Key and the other one not requiring an API Key as shown below.
The Swagger resource is configured to not need an API Key, while the other resource has been set up to require one.
The API is deployed to a stage using a usage plan which has an API Key attached to it.
With this setup, however, I see that unless I pass a valid key in the header for the Swagger resource the call fails with 403 forbidden.
Did I miss a step somewhere?
I am currently doing a PoC on WSO2 API Manager (v2.6.0). I already have a web application (e.g. pizza booking) and also registered customers (end users) who are using the application for pizza booking. Now I want to bring the backend services of the pizza booking app, such as
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required APIs in API Manager. Then I want to bring my existing web application users (end users) into the API Manager and provide access to those APIs.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
But in that case, how would I provide access to particular APIs (subscribing to APIs) without logging in to the API Manager Store and subscribing manually for every user?
Also,
What is the use of creating a Service Provider and creating an OAuth application under Inbound Authentication?
What can I do with this application?
Is this the same as the application we create before subscribing to an API in the API Manager Store?
Can I add users to this application and grant access to them in common?
Can I subscribe to APIs using this application so that all users under this application will have access to it?
You can do it either way: using IS as Key Manager (if you are already using IS), or adding a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as Key Manager (by sharing user stores) will automatically enable all the users in IS (with proper permissions) to access the APIs.
If you do not use IS currently, the best option is to add a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service Provider and creating an OAuth application under Inbound Authentication?
What can I do with this application?
Is this the same as the application we create before subscribing to an API in the API Manager Store?
Can I add users to this application and grant access to them in common?
Can I subscribe to APIs using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an OAuth application is created and keys are generated. But there are different aspects to these two entities.
The Service Provider is generally used for generating application keys to get an access token to invoke the APIs.
The OAuth application (when you create it through the API Store) has several other uses, such as subscribing to APIs, enforcing throttling policies for subscriptions, etc.
In order to use the token generated by an application, the respective API should be subscribed to by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via the Store portal and subscribed to an API) to generate access tokens for themselves. That is, by providing them with the application keys and using the password grant type, they can generate tokens for themselves.
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what @Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.
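The token flow that the two answers above describe, as an added example that is not part of either answer and not WSO2's own code: the application developer subscribes once in the Store and embeds the application's consumer key/secret; the application then obtains a per-end-user access token with the password grant and calls the API with it as a Bearer token. The endpoint path, header and form parameter names follow the Token API documentation linked above; the consumer key/secret, user names and the sample token response are constructed placeholders.

```python
"""Added example: WSO2 APIM 2.6.0 Token API, password and refresh grants.

Not code from the thread or from WSO2. Key, secret, users and the sample
response below are constructed placeholders; the endpoint and parameter
names are those of the documented Token API.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Default gateway token endpoint of a stock APIM deployment (assumption:
# adjust host/port for a real deployment).
TOKEN_URL = "https://localhost:8243/token"


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """The Token API authenticates the *application*, not the end user,
    with HTTP Basic over the consumer key/secret pair."""
    raw = f"{consumer_key}:{consumer_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_request(consumer_key: str, consumer_secret: str, form: dict) -> Request:
    headers = {
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(TOKEN_URL, data=urlencode(form).encode(), headers=headers, method="POST")


def build_password_grant(consumer_key, consumer_secret, username, password, scope=None):
    """Token request for one end user. The user's password passes through the
    application here, which is the inherent cost of the password grant."""
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return _token_request(consumer_key, consumer_secret, form)


def build_refresh_grant(consumer_key, consumer_secret, refresh_token):
    """Renew an expired access token without asking the user for credentials again."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _token_request(consumer_key, consumer_secret, form)


def request_form(req: Request) -> dict:
    """Decode the form body of a built request (used for inspection/tests)."""
    return {k: v[0] for k, v in parse_qs(req.data.decode()).items()}


def parse_token_response(body: str) -> dict:
    """Validate the JSON the Token API returns before trusting it."""
    data = json.loads(body)
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError(f"token response missing '{field}': {data.get('error', body)}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return data


def bearer_header(access_token: str) -> dict:
    """Header the application sends to the gateway on every API call."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed sample of a successful Token API response (not captured from a server).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "a1b2c3d4-example-token",
    "refresh_token": "e5f6g7h8-example-refresh",
    "scope": "default",
    "token_type": "Bearer",
    "expires_in": 3600,
})


if __name__ == "__main__":
    req = build_password_grant("consumerKeyPlaceholder", "consumerSecretPlaceholder",
                               "alice", "alice-password")
    print(req.full_url, req.get_header("Authorization"), request_form(req))
    token = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    print(bearer_header(token["access_token"]))
```

Two things worth keeping in mind when wiring this into the pizza application: the consumer secret must stay on the server side of the application (never in a browser or mobile client), and a syntactically valid token is not enough on its own; as the answer says, the gateway also checks that the application that issued the token is subscribed to the API being called.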
We're trying to make Salesforce send a message to one of our APIs through WSO2 API Manager 1.9.0. However, it seems that Salesforce is unable to authenticate and recommends using IP-restrictions.
So, is it possible to allow an anonymous/unauthenticated user to use an API in API Manager? IP-restriction I can take care of with firewalls, I don't have to do that in API Manager.
When you create an API, in the Manage tab, you can select No Authentication for an API resource. Then you will be able to access the API resource without an access token. See my answer for the similar question.
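The same per-resource setting as it appears in the Swagger definition API Manager stores for an API, as an added illustration that is not part of the answer: WSO2 marks the authentication level of each resource with its vendor extension x-auth-type, and the value None is what the Manage tab's No Authentication option corresponds to. The API name and paths are constructed placeholders.

```json
{
  "swagger": "2.0",
  "info": { "title": "SalesforceInbound", "version": "1.0.0" },
  "paths": {
    "/notify": {
      "post": {
        "x-auth-type": "None",
        "x-throttling-tier": "Unlimited",
        "responses": { "200": { "description": "OK" } }
      }
    },
    "/status": {
      "get": {
        "x-auth-type": "Application & Application User",
        "x-throttling-tier": "Unlimited",
        "responses": { "200": { "description": "OK" } }
      }
    }
  }
}
```

Only the resource with x-auth-type None is callable without a token; the gateway then has no application or user to attribute those calls to, so the IP restriction the asker plans to enforce at the firewall is the compensating control for that resource, and the rest of the API stays behind OAuth.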
I'm using WSO2 API Manager 1.4.0. When a user logs in to the API Store and opens an API with visibility "Restricted By Roles", it asks for the user's credentials again.
It happens when Swagger loads api-doc.json from
/registry/resource/_system/governance/apimgt/applicationdata/api-docs/ApiName-Version/api-doc.json
and receives code 401 in answer.
The question is: how should I configure API Manager to make it use user's credentials for any calls to Governance Registry?
We give anonymous permissions for the Swagger JSON resource when creating the API, so I am not sure why this issue is appearing for you. Can you please check what permission is assigned to the api-doc.json? This can be checked by accessing the resource through the registry browser in the management console and expanding the Permissions.