Using WSO2 Api-M On-Prem v3.1.0.
I have set up an API in Publisher with different endpoints for Production and Sandbox.
Using API Key as Application Level Security.
Enabled Security for my GET resource.
In DevPortal I created an Application and set up an subscription for my API.
Generated Sandbox API Key and used "Try Out" in DevPortal.
I can select Key Type "Production" and enter my Sandbox Key, I get OK response from Production endpoint.
Try-Out screenshot
If I change Key Type to Sandbox, I still get response from Production endpoint.
I see in http_access_.YYYY-MM-DD log that both requests are sent to my production endpoint.
Why isn't my request sent to Sandbox when I use Sandbox API-Key as described in documentation:
https://apim.docs.wso2.com/en/3.0.0/learn/api-gateway/maintaining-separate-production-and-sandbox-gateways/
I reproduced this issue in API Manager version 3.1.0. This is a bug and needs to be fixed. I have created a GitHub issue for this. Please check [1].
As a workaround for your scenario, please enable OAuth2 Application level security as well under the Runtime Configurations of your API in Publisher. So both OAuth2 and API Key needs to be selected.
[1] https://github.com/wso2/product-apim/issues/8483
Related
I am trying to follow https://medium.com/#shagihan/configure-auth0-as-external-oauth-provider-for-wso2-apim-3-1-0-4368aa2448e3 with APIM 3.2.0 and just noticed that the above config has no effect on APIM 3.2.0. Even if I set apim.jwt_authenitcation.subscription_validation_via_km to false I am still getting a subscription validation error as below,
{"fault":{"code":900908,"message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}}
So just wanted to confirm whether this has been removed from APIM 3.2.0. Thanks in advance!
Yes, this property is now removed from APIM v3.2.0.
In APIM v3.2.0, we support Auth0 by default and using the admin portal you can configure the Auth0 as the key manager.Please check https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-auth0-connector/#configure-auth0-as-a-key-manager
In APIM v3.2.0 API subscription validation has become mandatory. API subscription details will come to the API gateway via the traffic manager. By going forward, JWT tokens will not contain any API subscription details or any WSO2 specific information.
We're attempting to configure a relatively complicated WSO2 setup in which Identity Server (5.7.0 with KM) authenticates through an OAuth Service Provider, uses the token to secure API Manager (2.6.0) Endpoints, which then cycles through the Enterprise Integrator (6.5.0).
I've followed the steps to configure IS as the Key Manager (https://docs.wso2.com/display/AM260/Configuring+WSO2+Identity+Server+as+a+Key+Manager). This appears to be working, as I can see users in APIM that were configured in IS.
The problem is in the application. In IS I've created an OAuth POC that federates to another authentication provider. I want APIM to understand that application, and be able to use it to subscribe to APIs through the store for users that IS has given roles to. The application doesn't appear in APIM's applications, and I can't figure out how to link the two. I'd like for APIM to understand the token, figure out that it's for the OAuth POC in IS, and then if the user has that role, let them in, else return a 401 or something equivalent. Haven't been able to find someone else with a tutorial or guidance on this setup specifically.
Linking an Oauth2 provider from IS to an APIM application is called by WSO2 as "Out-of-Band provisioning". This guide may bring you a step further in your POC: https://docs.wso2.com/display/AM260/Provisioning+Out-of-Band+OAuth+Clients
I wanted to do some POC for wso2 API manager where API Manager will expose login and registration url which will be called by UI layer but wanted to handle end user authorization and authentication
in API manager layer and don't want to handle this in database how can I do this i don't to use Identity server also.
I have gone through password grant_type tutorial and we can use this but how the authorization is going to performed?
Do we need to maintain user details in separate database or in identity server? if yes how this is going to happen.
I have gone through below questions but didn't get exact solution, please help me on this.
authorize user in wso2 api manager
wso2 api manager end-user
Thanks
how can I do this i don't to use Identity server also
By default you should be using the provided OAuth2 endpoints to authorize the users. However - the API Manager itselfs doesn't support self-registration and account verification.
I'd suggest to configure a WSO2 Identity Server as an APIM Key manager.
The WSO2IS has capability for self-registration and account verification.
The application or users will authenticate against the WSO2IS and the returned token will be valid for APIM (as the KeyManager shares the database with tokens).
I have successfully integrated external IDP (keycloak) with publisher to do saml based single sign-on. After authentication, it says user is not authorized. From the investigations, For authorization
User DB need to be shared with external idp - this is not possible for my usecase
Sending user roles via saml response - is it possible?, if so what are the claims need to be sent and related configurations
pointing identity server for authorization - how to do it?
also I dont want to integrate IS server
I want answer for above unknown concerns?
it says user is not authorized
which version are you using?
is there anything preventing the authorization, such as required scopes
User DB need to be shared with external idp - this is not possible for my usecase
Usually you need a userstore to manage users and roles, in case of SAML I believe that us not needed. However - you can setup a JDBC userstore and inbound user provisioning (all logged in users will be stored in the database with their attributes and roles)
Sending user roles via saml response - is it possible?, if so what are the claims need to be sent and related configurations
I believe WSO2AM 2.1.0 (other version I don't know) do not read roles directly from the SAML response (there is a environmental property where you could enable that, I cannot find it right now, so just search a little)
However - together with the inbound provisioning it should work (the roles should be stored and updated in the database on each login)
pointing identity server for authorization - how to do it?
What do you mean by that? You could setup an WSO2IS as KM (key manager) where you could do additional authorization (I am still not sure what are you asking here)
We have setup WSO2 API-M v2.1.0 with API-M Analytics v2.1.0 with Postgresql and HAProxy on CentOS. The API analytics reports are being shown as expected from the Publisher and the Store side and even the api availability from the Admin Portal.
This is a distributed set-up comprising separate publisher, store, key manager, traffic manager, gateway manager/worker and analytics. Consul service discovery is providing local DNS resolution.
On the gateway worker we have enabled log analyzer; also HAProxy is forwarding /portal and /shindig to the Admin Portal publisher node.
Also note the publisher was started on its api-publisher product profile, however this resulted in missing alert configurations, see
jira issue.
This is easily resolved by reverting to the default profile; still none of the log analyzer links are being populated when logged into the Admin Portal application.
When attempting any of the Log analyzer links from the Admin Portal the browsers javascript console is displaying the following errors :
"Failed to preload gadget https://<HOSTNAME>/portal/store/carbon.super/fs/gadget/LiveLogViewer/index.xml."
and
"Detailed error: 503 Unable to retrieve spec for https://<HOSTNAME>/portal/store/carbon.super/fs/gadget/LiveLogViewer/index.xml. HTTP error 503"
From the analytics carbon console I can validate my gateway log analzyer configuration from the data explorer seen here
The docs seem to suggest the need to edit js code for the log analyzer??