Is the support for apim.jwt_authenitcation.subscription_validation_via_km removed in WSO2 APIM 3.2.0? - wso2

I am trying to follow https://medium.com/#shagihan/configure-auth0-as-external-oauth-provider-for-wso2-apim-3-1-0-4368aa2448e3 with APIM 3.2.0 and just noticed that the above config has no effect on APIM 3.2.0. Even if I set apim.jwt_authenitcation.subscription_validation_via_km to false I am still getting a subscription validation error as below,
{"fault":{"code":900908,"message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}}
So just wanted to confirm whether this has been removed from APIM 3.2.0. Thanks in advance!

Yes, this property has been removed in APIM v3.2.0.
In APIM v3.2.0 Auth0 is supported by default, and you can configure Auth0 as a key manager from the admin portal. Please check https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-auth0-connector/#configure-auth0-as-a-key-manager
In APIM v3.2.0 API subscription validation has become mandatory. API subscription details reach the API gateway via the traffic manager. Going forward, JWT tokens will not contain any API subscription details or any WSO2-specific information.

Related

How to add key manager using REST API in WSO2 APIM 4.0

I want to use Keycloak as the key manager with WSO2 APIM 4.0. I configured Keycloak as a key manager using the manual steps in the doc below.
https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-keycloak-connector/
I successfully tested this integration of APIM and Keycloak. Now I want to automate the process. I am looking for an admin portal REST API in APIM that provides the functionality of adding Keycloak as a key manager. I referred to the link below
https://apim.docs.wso2.com/en/latest/reference/product-apis/admin-apis/admin-v2/admin-v2/#tag/Roles
but I could not find any API there that would allow me to add Keycloak as a key manager. Please help me find this API.
Here is the key manager rest API - https://apim.docs.wso2.com/en/latest/reference/product-apis/admin-apis/admin-v2/admin-v2/#tag/Key-Manager-(Collection)/paths/~1key-managers/post
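The answer above points at the Admin REST API's key-manager collection. The following is an added example, not code from the original post or from WSO2: it builds the key-manager body for a Keycloak realm and POSTs it to `/api/am/admin/v2/key-managers` with an admin-scoped token, checking locally for required fields before sending. Assumptions are marked in the code: the APIM host/port is the default, the Keycloak realm URL is constructed, and the field names follow the KeyManager object in the Admin API doc linked above (verify them against your APIM version).

```python
"""Register Keycloak as a WSO2 API Manager 4.0 key manager through the
Admin REST API (POST /api/am/admin/v2/key-managers).

Added example, not code from the original post or from WSO2.  Assumptions
are marked: the Keycloak realm URL is constructed, the Admin API host/port
is the APIM default, and the field names follow the KeyManager object in
the Admin API doc linked above (verify against your APIM version).
"""
import json
import ssl
import urllib.request

APIM_HOST = "https://localhost:9443"                      # assumed: default APIM host/port
KEY_MANAGERS_API = f"{APIM_HOST}/api/am/admin/v2/key-managers"
REALM = "https://keycloak.example.test/realms/apim"        # constructed Keycloak realm URL

# Fields the Admin API will not accept the body without (assumed from the doc).
REQUIRED = ("name", "type", "issuer", "tokenEndpoint", "introspectionEndpoint", "certificates")


def build_keycloak_key_manager(name, realm_url, client_id, client_secret):
    """Build the KeyManager JSON body for a Keycloak realm.

    Keycloak's OIDC endpoints live under <realm>/protocol/openid-connect; the
    JWKS URL is given so the gateway can validate Keycloak-issued JWTs locally.
    """
    oidc = f"{realm_url}/protocol/openid-connect"
    return {
        "name": name,
        "displayName": name,
        "type": "KeyCloak",                       # assumed connector type name
        "description": "Keycloak registered via the Admin REST API",
        "wellKnownEndpoint": f"{realm_url}/.well-known/openid-configuration",
        "issuer": realm_url,
        "authorizeEndpoint": f"{oidc}/auth",
        "tokenEndpoint": f"{oidc}/token",
        "revokeEndpoint": f"{oidc}/revoke",
        "introspectionEndpoint": f"{oidc}/token/introspect",
        "userInfoEndpoint": f"{oidc}/userinfo",
        "clientRegistrationEndpoint": f"{realm_url}/clients-registrations/openid-connect",
        "certificates": {"type": "JWKS", "value": f"{oidc}/certs"},
        "availableGrantTypes": ["client_credentials", "password",
                                "authorization_code", "refresh_token"],
        "enableTokenGeneration": True,
        "enableMapOAuthConsumerApps": True,
        "enableOAuthAppCreation": True,
        "enableSelfValidationJWT": True,
        "tokenValidation": [{"type": "JWT", "value": {}, "enable": True}],
        "enabled": True,
        # assumed: connector-specific settings travel in additionalProperties
        "additionalProperties": {"client_id": client_id, "client_secret": client_secret},
    }


def missing_fields(body):
    """Return the required keys that are absent or empty, so a bad body is caught locally."""
    return [k for k in REQUIRED if not body.get(k)]


def register_key_manager(body, admin_token, verify_tls=True):
    """POST the body to the Admin API using a token that carries the apim:admin scope.

    Returns the created KeyManager object (the response includes its generated id).
    verify_tls=False is only for a dev box with the self-signed default certificate.
    """
    missing = missing_fields(body)
    if missing:
        raise ValueError(f"key manager body is missing required fields: {missing}")
    req = urllib.request.Request(
        KEY_MANAGERS_API,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    km = build_keycloak_key_manager("Keycloak", REALM, "apim-gateway", "replace-me")
    print(json.dumps(km, indent=2))
    # register_key_manager(km, admin_token="<token with apim:admin scope>", verify_tls=False)
```

The admin token must carry the `apim:admin` scope; obtain it the way the Admin API docs describe for your version and keep the Keycloak client secret out of source control.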

WSO2 Api Manager - Sandbox/Production keys

Using WSO2 Api-M On-Prem v3.1.0.
I have set up an API in Publisher with different endpoints for Production and Sandbox.
Using API Key as Application Level Security.
Enabled Security for my GET resource.
In DevPortal I created an Application and set up an subscription for my API.
Generated Sandbox API Key and used "Try Out" in DevPortal.
I can select Key Type "Production" and enter my Sandbox Key, I get OK response from Production endpoint.
If I change Key Type to Sandbox, I still get response from Production endpoint.
I see in http_access_.YYYY-MM-DD log that both requests are sent to my production endpoint.
Why isn't my request sent to Sandbox when I use Sandbox API-Key as described in documentation:
https://apim.docs.wso2.com/en/3.0.0/learn/api-gateway/maintaining-separate-production-and-sandbox-gateways/
I reproduced this issue in API Manager version 3.1.0. This is a bug and needs to be fixed. I have created a GitHub issue for this. Please check [1].
As a workaround for your scenario, please enable OAuth2 application level security as well under the Runtime Configurations of your API in Publisher, so that both OAuth2 and API Key are selected.
[1] https://github.com/wso2/product-apim/issues/8483
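Both the APIM 3.2.0 answer above (tokens no longer carry subscription details) and this sandbox/production thread come down to what the gateway reads out of the key. The block below is an added example, not code from either post or from WSO2: it decodes a WSO2-style API key without verifying it and reports the key type and any embedded subscriptions, which is the first thing to check before blaming routing. The sample key is constructed and unsigned, and the claim names `keytype`, `subscribedAPIs`, `application` and `iss` are assumed from the layout of APIM 3.x API keys.

```python
"""Inspect a WSO2 API key / JWT access token without verifying it, to see
which key type it carries and whether it embeds subscription data.

Added example, not code from the original posts or from WSO2.  The token
below is constructed and unsigned; the claim names keytype, subscribedAPIs,
application and iss are assumed from the layout of APIM 3.x API keys.
"""
import base64
import json


def _b64url_decode(segment):
    """Decode base64url with the padding that compact JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the JWT payload WITHOUT checking the signature.

    Good enough to read a key on your own machine; the gateway's verification
    against the key manager certificate is what actually protects the API.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing an unsigned (alg=none) token")
    return json.loads(_b64url_decode(parts[1]))


def inspect_key(token):
    """Summarise the claims the gateway uses for routing and subscription checks."""
    claims = decode_claims(token)
    return {
        "issuer": claims.get("iss"),
        "keytype": claims.get("keytype"),
        "application": (claims.get("application") or {}).get("name"),
        # APIM 3.2.0 and later move subscription data out of the token
        "subscribed_apis": [api.get("name") for api in claims.get("subscribedAPIs", [])],
    }


def make_sample_key(keytype, subscribed=True):
    """Build a CONSTRUCTED, unsigned sample key in the APIM 3.x layout."""
    claims = {
        "sub": "admin@carbon.super",
        "iss": "https://localhost:9443/oauth2/token",
        "keytype": keytype,
        "application": {"id": 1, "name": "DefaultApplication", "tier": "Unlimited"},
        "exp": 4102444800, "iat": 1600000000, "jti": "constructed-sample",
    }
    if subscribed:
        claims["subscribedAPIs"] = [{"name": "PizzaShackAPI", "context": "/pizzashack/1.0.0",
                                     "version": "1.0.0", "subscriptionTier": "Unlimited"}]
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    for kt in ("PRODUCTION", "SANDBOX"):
        print(kt, inspect_key(make_sample_key(kt)))
```

If a key you generated as Sandbox decodes with `keytype` of `SANDBOX` and the gateway still hits the production endpoint, the key is fine and the routing is at fault, which is what the linked issue tracks.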

WSO2 Configuration (IS Application securing APIM endpoint)

We're attempting to configure a relatively complicated WSO2 setup in which Identity Server (5.7.0 with KM) authenticates through an OAuth Service Provider, uses the token to secure API Manager (2.6.0) Endpoints, which then cycles through the Enterprise Integrator (6.5.0).
I've followed the steps to configure IS as the Key Manager (https://docs.wso2.com/display/AM260/Configuring+WSO2+Identity+Server+as+a+Key+Manager). This appears to be working, as I can see users in APIM that were configured in IS.
The problem is in the application. In IS I've created an OAuth POC that federates to another authentication provider. I want APIM to understand that application, and be able to use it to subscribe to APIs through the store for users that IS has given roles to. The application doesn't appear in APIM's applications, and I can't figure out how to link the two. I'd like for APIM to understand the token, figure out that it's for the OAuth POC in IS, and then if the user has that role, let them in, else return a 401 or something equivalent. Haven't been able to find someone else with a tutorial or guidance on this setup specifically.
Linking an OAuth2 client from IS to an APIM application is what WSO2 calls "Out-of-Band provisioning". This guide may bring you a step further in your POC: https://docs.wso2.com/display/AM260/Provisioning+Out-of-Band+OAuth+Clients

How to authenticate and authorize end application users in WSO2 API Manager?

I wanted to do a POC for WSO2 API Manager where API Manager exposes login and registration URLs that are called by the UI layer, but I want to handle end-user authentication and authorization
in the API Manager layer and not in a database. How can I do this? I don't want to use Identity Server either.
I have gone through the password grant_type tutorial and we can use this, but how is the authorization going to be performed?
Do we need to maintain user details in a separate database or in Identity Server? If yes, how is this going to happen?
I have gone through the questions below but didn't get an exact solution; please help me with this.
authorize user in wso2 api manager
wso2 api manager end-user
Thanks
"How can I do this? I don't want to use Identity Server either."
By default you should be using the provided OAuth2 endpoints to authorize the users. However, the API Manager itself doesn't support self-registration and account verification.
I'd suggest configuring a WSO2 Identity Server as the APIM key manager.
WSO2 IS has the capability for self-registration and account verification.
The application or users will authenticate against WSO2 IS, and the returned token will be valid for APIM (as the key manager shares the token database).

WSO2 API Manager: Rest Client returns unauthorized

I am using WSO2 API Manager 2.0.0 and WSO2 Identity Server 5.1.0 to manage my Toolkit REST APIs. Both servers share a user store and are configured to maintain the authentication session. SSO is not configured yet.
Reference:
https://docs.wso2.com/display/IS510/Enabling+Authentication+Session+Persistence
The first step is to authenticate into Toolkit (works) and the next step is to assign location (fails with 401 error). How to maintain a session between the 2 calls?
In WSO2 API Manager, the default authentication mechanism is OAuth2. So you need to send an OAuth2 access token with your REST API calls for authentication.
If you enable SSO, you get a SAML assertion when you log in. You can then use that assertion to retrieve an access token using the SAML Bearer grant type. Documentation can be found here.
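The exchange the answer describes, as an added example that is not part of the original post or of WSO2's code: the SAML assertion obtained at login is base64url-encoded and posted to the token endpoint with the RFC 7522 grant type, and the returned access token is then sent as a Bearer header on the second call (the one that failed with 401). The token endpoint `https://localhost:8243/token`, the client credentials and the resource path are assumptions; the SAML assertion is constructed and, unlike a real one, unsigned.

```python
"""Exchange a SAML 2.0 assertion for an OAuth2 access token (SAML Bearer grant,
RFC 7522) and use the token on a subsequent API call.

Added example, not code from the original post or from WSO2.  Assumed:
the APIM gateway token endpoint https://localhost:8243/token, the client
credentials, and the target resource path; the SAML assertion is constructed.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://localhost:8243/token"   # assumed: APIM gateway token endpoint
SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed assertion: a real one is signed by the IdP (here WSO2 IS) and
# carries the SP's entity id as audience and the token endpoint as recipient.
SAMPLE_ASSERTION = b"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" IssueInstant="2020-01-01T00:00:00Z" Version="2.0">
  <saml2:Issuer>localhost</saml2:Issuer>
  <saml2:Subject><saml2:NameID>user1</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""


def build_token_request(assertion_xml, client_id, client_secret, scope="default"):
    """Return (headers, body) for the RFC 7522 exchange.

    The assertion is base64url-encoded without padding (RFC 7522 section 2.1)
    and sent as a form field; the OAuth client authenticates with HTTP Basic.
    """
    assertion = base64.urlsafe_b64encode(assertion_xml).rstrip(b"=").decode("ascii")
    body = urllib.parse.urlencode({"grant_type": SAML_BEARER,
                                   "assertion": assertion,
                                   "scope": scope})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def decode_assertion_param(body):
    """Inverse of the encoding above; handy when checking what a client sent."""
    param = urllib.parse.parse_qs(body)["assertion"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_token_response(raw_json):
    """Pull the bearer token out of the token endpoint's JSON response."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError(f"token request failed: {data.get('error')} {data.get('error_description')}")
    return data["access_token"], data.get("expires_in")


def bearer_header(access_token):
    """Every later call (e.g. the 'assign location' request) carries this header."""
    return {"Authorization": f"Bearer {access_token}"}


def fetch_token(assertion_xml, client_id, client_secret, verify_tls=True):
    """Perform the exchange against the gateway (network call; not exercised offline)."""
    headers, body = build_token_request(assertion_xml, client_id, client_secret)
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    h, b = build_token_request(SAMPLE_ASSERTION, "client-id", "client-secret")
    print(h["Content-Type"], b[:80] + "...")
    # token, ttl = fetch_token(SAMPLE_ASSERTION, "client-id", "client-secret", verify_tls=False)
    # urllib.request.Request("https://localhost:8243/toolkit/1.0/locations",  # assumed path
    #                        headers=bearer_header(token))
```

The session you get from the login page does not carry over to REST calls; the access token does, so keep it (and its `expires_in`) on the client and resend it on every API request until it expires.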