In wso2 identity server how to authenticate using fixed application token - wso2

Basically, what I am trying to create is an application that will be registered as a service provider with a scope (using the OIDC dialect) defined in WSO2 Identity Server. So, when the user gets an access token he will first invoke WSO2 API Manager, which is integrated with WSO2 Identity Server, and WSO2 API Manager will do the assertion once it gets the access token by passing it to Identity Server. After the assertion happens in API Manager, API Manager will pass the access token to the end web-service. The end web-service will use the WSO2 Identity Server OAuth2 SOAP API for assertion of the access token along with the claims which should be returned. If the token is active, then based on the claims returned by the SOAP API the end/target web-service will authenticate and allow/deny access.
Currently I am getting the access token by implementing a custom grant type which sets the access token for an indefinite time. While generating the access token I am passing username, client key and client secret; based on these parameters I am generating the access token.
But now I want to create a scope which has a set of claims (using the OIDC dialect) which is mapped to the service provider in Identity Server, and the user will also be created based on these claims. So, after generating the token against the user (which I have done using the custom grant type), if the user passes the access token for authentication I need to do the custom assertion/validation of the token using the claims of the user in WSO2 Identity Server.
So, how can I associate a scope with the service provider/OAuth2 flow? And also, how can I do the validation of the token along with the claims?
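As an added example (not code from the question or from WSO2), here is the end web-service side of the flow described above: validate a presented access token, fetch the user's claims, and allow or deny on a required scope and claim. It assumes the Identity Server REST endpoints `/oauth2/introspect` and `/oauth2/userinfo` in place of the OAuth2 SOAP admin service the question mentions; the host, the introspection credentials, the scope name and the claim name/value are all placeholders.

```python
"""Added example: token validation plus claim-based access decision for the
target web-service. Uses IS's REST introspection and userinfo endpoints
(an assumption; the question refers to the SOAP API). All hosts, credentials,
scope and claim names below are placeholders."""
import base64
import json
import sys
import urllib.parse
import urllib.request

IS_HOST = "https://IS_host:9443"                    # placeholder
INTROSPECT_CREDS = ("admin", "admin")               # placeholder: user allowed to call introspect
REQUIRED_SCOPE = "toolkit:write"                    # hypothetical scope name
REQUIRED_CLAIM = ("http://wso2.org/claims/role", "Internal/toolkit-user")  # hypothetical

# Constructed sample responses, shaped like introspect/userinfo output, for offline use.
SAMPLE_INTROSPECTION = {"active": True, "scope": "openid toolkit:write",
                        "username": "alice", "exp": 9999999999}
SAMPLE_CLAIMS = {"sub": "alice",
                 "http://wso2.org/claims/role": "Internal/everyone,Internal/toolkit-user"}


def basic_auth_header(username, password):
    """HTTP Basic Authorization header value for a username/password pair."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decide_access(introspection, claims, required_scope, required_claim):
    """Allow only if the token is active, carries the required scope, and the
    user's claims contain the required name/value. Returns (allowed, reason)."""
    if not introspection.get("active"):
        return False, "token inactive or unknown"
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    name, wanted = required_claim
    value = claims.get(name)
    # WSO2 returns multi-valued claims (e.g. roles) as a comma-separated string;
    # a JSON list is accepted too.
    values = value if isinstance(value, list) else str(value or "").split(",")
    if wanted not in values:
        return False, f"claim {name!r} does not contain {wanted!r}"
    who = introspection.get("username") or claims.get("sub")
    return True, f"user {who} allowed"


def introspect(token):
    """POST token=... to the introspection endpoint with Basic auth."""
    req = urllib.request.Request(
        f"{IS_HOST}/oauth2/introspect",
        data=urllib.parse.urlencode({"token": token}).encode(), method="POST",
        headers={"Authorization": basic_auth_header(*INTROSPECT_CREDS),
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def userinfo(token):
    """GET the claims the token's scopes permit, as a Bearer request."""
    req = urllib.request.Request(f"{IS_HOST}/oauth2/userinfo",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def authorize_request(token):
    """Full check for a live request: introspect first, and only fetch claims
    for a token that is actually active."""
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive or unknown"
    return decide_access(info, userinfo(token), REQUIRED_SCOPE, REQUIRED_CLAIM)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python this.py <access_token>
        print(authorize_request(sys.argv[1]))
    else:                                       # offline run on the constructed samples
        print(decide_access(SAMPLE_INTROSPECTION, SAMPLE_CLAIMS,
                            REQUIRED_SCOPE, REQUIRED_CLAIM))
```

The decision is split out of the HTTP calls on purpose: `decide_access` can be unit-tested against recorded responses, and the order in `authorize_request` (introspect before userinfo) avoids forwarding an already-dead token anywhere.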

Related

WSO2: Unable to generate access_token with scope=apim:subscribe

I am using WSO2 Identity Server 5.10.0 and API Manager 3.2.0.
I have created an application in the Devportal and subscribed the APIs to this application.
In Identity Server I have enabled the Role based scope validator for this service provider.
I am using the below API to generate the token:
https://IS_host/oauth2/token
After enabling the Role based scope validator I am unable to generate a token with scope=apim:subscribe; it gives the error "invalid scope".
The user is assigned the role Internal/subscriber.
We are creating an Application in the Devportal and subscribing APIs to this Application.
We want to list the scopes associated with the APIs which are subscribed to a particular application, hence we are calling the below API to list scopes based on applicationId:
https://AM_HOST/api/am/store/v1/applications/{applicationId}
To invoke this API we need to generate a token with scope apim:subscribe, but after enabling the Role based scope validator we are unable to generate a token with apim:subscribe.
If we disable the Role based scope validator, the user is able to generate a token for all the scopes irrespective of the roles associated with the user.
The apim:subscribe scope is a reserved scope for the API Manager REST APIs. Hence, it is not required to create an Application from the Devportal to generate tokens with it. You can perform a DCR operation straight against the API Manager to register a client and generate access tokens with the API-M reserved scopes.
Further, I believe that you have configured the IS as the Key Manager by following the IS-Connector approach. The Role Based Scope validator feature requires a set of DBs to be shared among the servers.
Hence, the best way to generate the API-M specific scope tokens would be as follows:
Perform the DCR operation against the API Manager instance (not the IS).
This creates a client in the API Manager using the Resident Key Manager of the API Manager and responds with the consumer credentials (client ID and secret).
Perform a Password grant to generate the token using the received consumer credentials.
You can learn more on performing the DCR and subsequent calls in the Devportal REST API Docs.
Hope this helps you to overcome the reported behavior.
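The two steps the answer recommends, as an added example (not the answer's or WSO2's own code): a DCR call against the API Manager instance, then a password grant with the returned consumer credentials to obtain a token carrying apim:subscribe. The AM_HOST, the admin credentials used for DCR, the subscriber's credentials and the DCR path `/client-registration/v0.17/register` are assumptions; the path version differs between API-M releases, so check the Devportal REST API docs for the installed one.

```python
"""Added example: DCR against API-M followed by a password grant.
Hosts, paths and credentials are placeholders/assumptions."""
import base64
import json
import urllib.parse
import urllib.request

AM_HOST = "https://AM_HOST:9443"                    # placeholder: the API Manager, not the IS
DCR_PATH = "/client-registration/v0.17/register"    # assumed; version segment varies by release
TOKEN_PATH = "/oauth2/token"
ADMIN_CREDS = ("admin", "admin")                    # placeholder: account allowed to call DCR
USER_CREDS = ("subscriber", "subscriber-password")  # placeholder: user holding Internal/subscriber
SCOPES = ["apim:subscribe"]


def basic_auth_header(username, password):
    """HTTP Basic Authorization header value (used for both DCR and the token call)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def dcr_payload(client_name, owner, callback_url="https://localhost/callback"):
    """JSON body for the DCR call: register a client allowed to use the password grant."""
    return {
        "callbackUrl": callback_url,
        "clientName": client_name,
        "owner": owner,
        "grantType": "password refresh_token",
        "saasApp": True,
    }


def password_grant_body(username, password, scopes):
    """application/x-www-form-urlencoded body for the password grant."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    })


def _post(url, body, content_type, auth_header):
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Authorization": auth_header, "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def register_client(client_name="rest_api_devportal"):
    """Step 1: DCR against API-M; returns (clientId, clientSecret) from the response."""
    resp = _post(AM_HOST + DCR_PATH,
                 json.dumps(dcr_payload(client_name, ADMIN_CREDS[0])),
                 "application/json", basic_auth_header(*ADMIN_CREDS))
    return resp["clientId"], resp["clientSecret"]


def request_token(client_id, client_secret, username, password, scopes):
    """Step 2: password grant authenticated with the consumer credentials."""
    return _post(AM_HOST + TOKEN_PATH,
                 password_grant_body(username, password, scopes),
                 "application/x-www-form-urlencoded",
                 basic_auth_header(client_id, client_secret))


def granted_scopes(token_response):
    """Scopes actually issued. Compare with what was requested: a role-based
    validator drops or rejects scopes the user's roles do not permit, so the
    caller should not assume the asked-for scope is present."""
    return set(token_response.get("scope", "").split())


if __name__ == "__main__":
    cid, secret = register_client()
    tok = request_token(cid, secret, *USER_CREDS, SCOPES)
    missing = set(SCOPES) - granted_scopes(tok)
    print("access token issued; missing scopes:", missing or "none")
```

The client secret and user password travel only in the Authorization header and form body over TLS; keep them out of logs, and treat the DCR admin account as a privileged credential since it can mint new clients.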

WSO2 Identity Server oAuth2: how to keep original access token from IDP

Our app implements the OAuth 2.0 code grant flow.
In Identity Server we use an Identity Provider with the OAuth2/OpenID Connect federated authenticator for Azure AD. Azure AD successfully sends an access token from the login.microsoftonline.com/.../oauth2/v2.0/token endpoint to Identity Server's callback URI.
IS replaces this token with its own value and sends it back to the application. The problem is that we need to use the original token from Azure to query the MS Graph API. So the question is: how do we force IS to keep the original access token, or is there any way to fetch it from there somehow?

AWS API Gateway requests with federated identity IAM authorisation

I have an API that I need to call from my react-native fetch method after v4 signing. The API uses Lambda proxy as functions.
My API is set to IAM authentication.
The client-side app has username/password and FB login, and exchanges tokens with the identity pool to assume a role that has permission to execute-api, etc.
However, when I test API access using Postman and credentials obtained by a logged-in user with valid tokens after exchanging with the federated identity provider, the result is "the token is invalid".
Please tell me what I am missing here.
PS: The JavaScript SDK generated for the API does not work in react-native's environment and needs changes.
Thanks.

WSO2 API Manager: Rest Client returns unauthorized

I am using WSO2 API Manager 2.0.0 and WSO2 Identity Server 5.1.0 to manage my Toolkit REST APIs. Both servers share a user store and have settings to maintain the authentication session. SSO is not configured yet.
Reference:
https://docs.wso2.com/display/IS510/Enabling+Authentication+Session+Persistence
The first step is to authenticate into Toolkit (works) and the next step is to assign a location (fails with a 401 error). How do I maintain a session between the two calls?
In WSO2 API Manager, the default authentication mechanism is OAuth2. So you need to send an OAuth2 access token with your REST API calls for authentication.
If you enable SSO, you get a SAML assertion when you log in. Then you can use that assertion to retrieve an access token using the SAML Bearer Grant Type. Documentation can be found here.

WSO2 Identity Server Access Control based on SAML/XACML

I need to secure a SOAP web service (based on Axis2) with this configuration:
The client tries to consume the service.
The client is redirected to an authentication server for authentication.
If the client authenticates properly, the Authentication Server gives the client a SAML token with his attributes (basically a role).
There is an XACML policy (the client can use an operation provided by the web service only if it has the proper role) which is evaluated based on the role included in the SAML token.
So I have thought about using WSO2 Identity Server coupled with Rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest how?
You can either go with the WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depending on the nature of your application (web-browser based or not), you can pick either of the above methods. You can get user roles from the SAML Response.
However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username, read the user roles from LDAP/the user store and do the validation.