I have a secured API with OAuth and I have no other authorization mechanism (Basic Auth/ Digest Auth).
Based on article https://apim.docs.wso2.com/en/latest/learn/design-api/endpoints/endpoint-types/:
"You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password (Basic Auth/ Digest Auth)."
Are there any plans to implement this feature in WSO2?
Although this feature is not available OOB, you can get this done via a mediation extension. Please check this article [1] where it explains on how to invoke a backend that is secured by OAuth2.
Currently, this feature is under development and will be adding to the product in the next release.
[1] - https://medium.com/#menakajayawardena/wso2-how-to-using-oauth2-protected-back-ends-with-api-manager-5d7e234c61c
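The mediation extension the answer refers to must do what the API Manager gateway does not do out of the box: obtain a token from the backend's authorization server (typically with the client credentials grant), cache it until it is about to expire, and swap it in for the consumer-facing API Manager token before the request goes upstream. The following is an added example of that token-handling logic, not code from the article or from WSO2; the token endpoint is a constructed in-memory stub (`make_stub_token_endpoint`), and the refresh skew and `tok-N` token values are assumptions for the demonstration.

```python
"""Client-credentials token acquisition for calling an OAuth2-protected
backend from a gateway mediation. Added example; the token endpoint is a
constructed in-memory stub, not a real authorization server."""
import base64
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# A function that POSTs a form to the token endpoint and returns the parsed
# JSON body. Injected so the example runs offline; a real mediation would
# perform an HTTPS POST here.
TokenPoster = Callable[[Dict[str, str], Dict[str, str]], Dict[str, object]]


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # epoch seconds


class ClientCredentialsClient:
    """Fetches a bearer token for the backend and reuses it until shortly
    before it expires (refresh_skew seconds early), so that not every API
    call hits the token endpoint."""

    def __init__(self, client_id: str, client_secret: str, post: TokenPoster,
                 scope: Optional[str] = None, refresh_skew: float = 30.0,
                 now: Callable[[], float] = time.time) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post
        self._scope = scope
        self._skew = refresh_skew
        self._now = now
        self._cached: Optional[CachedToken] = None

    def _client_auth_header(self) -> str:
        # RFC 6749 section 2.3.1: client credentials go in an HTTP Basic
        # header rather than in the request body.
        raw = f"{self._client_id}:{self._client_secret}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")

    def _fetch(self) -> CachedToken:
        form = {"grant_type": "client_credentials"}
        if self._scope:
            form["scope"] = self._scope
        headers = {"Authorization": self._client_auth_header(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        resp = self._post(form, headers)
        if "access_token" not in resp or str(resp.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"token endpoint refused the request: {resp.get('error', 'no token')}")
        lifetime = float(resp.get("expires_in", 0))
        return CachedToken(str(resp["access_token"]), self._now() + lifetime)

    def bearer_header(self) -> str:
        """Return 'Bearer <token>', refreshing the cached token when needed."""
        tok = self._cached
        if tok is None or self._now() >= tok.expires_at - self._skew:
            tok = self._fetch()
            self._cached = tok
        return "Bearer " + tok.access_token

    def outbound_headers(self, inbound: Dict[str, str]) -> Dict[str, str]:
        """Headers to forward upstream: the consumer's API Manager token is
        dropped (the backend must never see it) and the backend token added."""
        out = {k: v for k, v in inbound.items() if k.lower() != "authorization"}
        out["Authorization"] = self.bearer_header()
        return out


def make_stub_token_endpoint(expected_id: str, expected_secret: str, lifetime: int = 3600):
    """Constructed stand-in for an authorization server's token endpoint.
    Returns (poster, counter) so callers can see how many tokens were issued."""
    expected = "Basic " + base64.b64encode(f"{expected_id}:{expected_secret}".encode()).decode()
    issued = {"count": 0}

    def post(form: Dict[str, str], headers: Dict[str, str]) -> Dict[str, object]:
        ok_client = hmac.compare_digest(headers.get("Authorization", ""), expected)
        if not ok_client or form.get("grant_type") != "client_credentials":
            return {"error": "invalid_client"}
        issued["count"] += 1
        return {"access_token": f"tok-{issued['count']}", "token_type": "Bearer",
                "expires_in": lifetime}

    return post, issued
```

The cache is the part worth getting right in a gateway: without it every API call costs a round trip to the token endpoint, and without the skew a token that is valid when fetched can expire in flight. Note that `outbound_headers` deliberately discards the inbound `Authorization` header rather than merging, so the API Manager access token is never leaked to the backend.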
From the Google Doc, I see below are the options to fetch an access token for the directory API
- Web server applications, i.e. Client Credentials
- Installed applications (mostly the same as the Client Credentials approach which we currently support, but with the use of installed applications)
- Client-side (JavaScript) applications (for JavaScript applications that run in a browser)
- Applications on limited-input devices (for limited-input devices such as TVs, game consoles, video cameras, and printers)
- Service Account
Reference Doc:
https://developers.google.com/identity/protocols/oauth2
Is there any API to fetch an access token from a SAML bearer assertion for the Directory API? If yes, what information does this API need, and is there any doc on how to do so?
Example Directory API to which I am looking to connect:
Directory API used for user creation: https://www.googleapis.com/admin/directory/v1/users
Answer:
Unfortunately, at present Google doesn't support client authorization and authentication for their APIs via SAML 2.0 profiles.
More Information:
As you've already pointed out, the only supported methods of fetching an access token at the present time are those mentioned in the documentation page titled "Using OAuth 2.0 to Access Google APIs".
Feature Request:
You can however let Google know that this is a feature that is important for access to their APIs, and that you would like to request they implement it.
Google's Issue Tracker is a place for developers to report issues and make feature requests for their development services; I'd urge you to make a feature request there. While there is no component for general OAuth2 or authentication methods, given your requirements I would suggest filing it under the Admin SDK component, which you can find here
References:
Using OAuth 2.0 to Access Google APIs | Google Identity Platform
Further Reading:
RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
I have a requirement that I need to validate a 3rd-party Authorization Server access token in WSO2 API Manager. If the token is active and valid, then allow access to the resource.
IMHO, as the simplest solution, you could build a custom inbound mediation flow for that (if you are familiar with WSO2 ESB mediations). With this option you will lose some APIM capabilities (throttling, authorization, analytics).
You should be aware that the default authorization handler cleans the Authorization header (as far as I know), so you may need to add a custom handler to preserve the original header value.
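What such a custom mediation has to decide, in order, is: is there a bearer token at all, does the third-party authorization server still consider it active, has it expired, was it issued for this API, and does it carry the scopes the resource needs. The following is an added example of that decision logic written against an RFC 7662 (token introspection) style response; it is not WSO2 code. The introspection endpoint is replaced by a constructed in-memory table (`CONSTRUCTED_TOKENS`, `stub_introspect`), and the `X-Original-Authorization` and `X-Authenticated-Subject` header names used to carry the preserved header and the subject to the backend are assumptions for the demonstration.

```python
"""Validating a third-party authorization server's access token inside a
custom mediation, using an RFC 7662 introspection response. Added example;
the introspection endpoint is a constructed in-memory table."""
import time
from typing import Callable, Dict, Optional, Set

Introspect = Callable[[str], Dict[str, object]]


class TokenRejected(Exception):
    """Carries the RFC 6750 error code the gateway should put in its
    WWW-Authenticate challenge when denying the request."""

    def __init__(self, code: str, description: str) -> None:
        super().__init__(f"{code}: {description}")
        self.code = code


def extract_bearer(authorization: Optional[str]) -> str:
    """Pull the token out of an Authorization header; only Bearer is accepted."""
    if not authorization:
        raise TokenRejected("invalid_request", "missing Authorization header")
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        raise TokenRejected("invalid_request", "expected 'Bearer <token>'")
    return parts[1].strip()


def validate_token(token: str, introspect: Introspect, required_scopes: Set[str],
                   expected_aud: str, now: Callable[[], float] = time.time) -> Dict[str, object]:
    """Check active, exp, aud and scope in that order; return the claims on success."""
    info = introspect(token)
    if not info.get("active"):
        raise TokenRejected("invalid_token", "token is not active")
    exp = info.get("exp")
    if exp is not None and float(exp) <= now():
        raise TokenRejected("invalid_token", "token has expired")
    aud = info.get("aud")  # RFC 7662 allows a string or an array here
    auds = set(aud) if isinstance(aud, list) else ({aud} if aud else set())
    if expected_aud not in auds:
        raise TokenRejected("invalid_token", "token was not issued for this API")
    granted = set(str(info.get("scope", "")).split())
    if not required_scopes <= granted:
        missing = " ".join(sorted(required_scopes - granted))
        raise TokenRejected("insufficient_scope", f"missing scope(s): {missing}")
    return info


def authorize_request(headers: Dict[str, str], introspect: Introspect, required_scopes: Set[str],
                      expected_aud: str, now: Callable[[], float] = time.time) -> Dict[str, str]:
    """Mediation entry point: returns the headers to forward to the backend.
    The original Authorization header is copied to X-Original-Authorization
    (assumed name) because the default handler may strip it downstream."""
    token = extract_bearer(headers.get("Authorization"))
    info = validate_token(token, introspect, required_scopes, expected_aud, now)
    forward = dict(headers)
    forward["X-Original-Authorization"] = headers["Authorization"]
    forward["X-Authenticated-Subject"] = str(info.get("sub", ""))
    return forward


# Constructed introspection table standing in for the third-party server.
CONSTRUCTED_TOKENS: Dict[str, Dict[str, object]] = {
    "tok-good": {"active": True, "sub": "alice", "scope": "orders:read orders:write",
                 "aud": ["orders-api"], "exp": 2_000_000_000},
    "tok-expired": {"active": True, "sub": "bob", "scope": "orders:read",
                    "aud": "orders-api", "exp": 1_000_000_000},
    "tok-narrow": {"active": True, "sub": "carol", "scope": "orders:read", "aud": ["orders-api"]},
    "tok-other-api": {"active": True, "sub": "dave", "scope": "orders:read", "aud": ["billing-api"]},
}


def stub_introspect(token: str) -> Dict[str, object]:
    # RFC 7662: unknown or revoked tokens come back simply as {"active": false}.
    return CONSTRUCTED_TOKENS.get(token, {"active": False})
```

The audience check is the one most often skipped: a token that is perfectly valid for another API behind the same authorization server must still be refused here. In a real deployment `stub_introspect` would be an authenticated POST to the server's introspection endpoint, and its result should be cached briefly so the gateway does not introspect on every call.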
I'm interested in using only the Publisher and the Store. We have already many API gateways in place and also a dedicated OAuth Authorization Server.
The Publisher and the Store should be used basically as an API Portal where APIs are published and potential new consumers can self-register...
I understand that all necessary information is distributed within the WSO2 API Manager ecosystem out of the box. But could this behaviour be adjusted in the following way?
When publishing an API, it must be created on an external, third-party API Gateway. This gateway has its own management API, which must be triggered by the Publisher.
When a new consumer registers for an API, the external, third-party OAuth authorization server must be called in order to create the necessary OAuth information there, so that the new consumer is known on the Authorization Server. Again, the Authorization Server has its own management API, which must be triggered by the Store.
Is it possible to add custom fields in the Store which allow a consumer to enter additional information?
Any feedback is highly appreciated!
To answer your question on third-party gateways, WSO2 API Manager does not support this at the moment.
But we do support incorporating a third-party Key Manager. You can plug in a third-party OAuth provider to manage OAuth clients and access tokens. This is supported from API Manager 1.9.0 onwards.
You may need to implement a Key Manager extension to incorporate your OAuth Authorization Server. WSO2 API Manager includes a Key Manager extension for the 'Surf OAuth Authorization Server' by default.
You can find more details on configuring a third-party Key Manager at [1] and [2].
To answer your question on adding custom fields: yes, you can include custom fields by customizing the Store with a sub theme [3] [4].
[1] https://docs.wso2.com/display/AM1100/Configuring+a+Third-Party+Key+Manager
[2] https://docs.wso2.com/display/AM1100/Extending+Key+Validation
[3] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme
[4] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme#AddinganewAPIStoreTheme-Writingasubthemeofthemaintheme
I have an application that uses Basic Authentication to authenticate and authorize service calls. I am setting up our WSO2 API Manager on a separate server but am unsure how to pass the base64 encryption from the API Manager through to my application to authorize certain service calls.
This information is not readily available in the documentation so I am not sure it is even supported.
Has anyone used this or knows how to achieve this?
If you want to provide your own authentication mechanism, you can do this very easily by implementing org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator and setting it in the authentication handler chain.
You can refer to org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator for reference.
You can provide the credentials when you create an API in the Publisher. You can check the WSO2 documentation about adding an API. In the Publisher, for "Endpoint Type" you have to select Secured and then provide the username/password.
Authentication occurs in API Manager via the APIAuthenticationHandler, which is among the handlers defined in your API sequence definition (/repository/deployment/server/synapse-configs/default/api). To disable authentication for that particular API (since API Manager handles basic authentication itself), just remove or comment out the handler. Users should then provide the basic authentication required by the back-end service rather than the API Manager token, since they will no longer need it.
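Both routes above end with an HTTP Basic header reaching the backend, either set by the gateway from the credentials configured on the Secured endpoint or passed through untouched by the consumer once the API Manager handler is removed. What the backend actually receives is `Basic ` followed by the base64 encoding (not encryption; only TLS keeps it confidential) of `username:password` as defined in RFC 7617. The following is an added example, not WSO2's or the questioner's code, showing the header as the gateway would build it and the backend-side parsing and verification, including the malformed-header cases a backend should reject; the credential store is a constructed in-memory one with salted PBKDF2 hashes.

```python
"""HTTP Basic credentials as forwarded to a backend behind an API gateway:
building the RFC 7617 header, parsing it defensively, and verifying it
against a salted hash. Added example with a constructed credential store."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def build_basic_authorization(username: str, password: str) -> str:
    """RFC 7617: 'Basic ' + base64(username ':' password), UTF-8 encoded.
    This is what a gateway sets from the endpoint's configured credentials."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Backend-side parsing. Returns (username, password) or None for anything
    that is not a well-formed Basic header (other scheme, bad base64, no colon).
    Only the first colon separates the fields, so passwords may contain ':'."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        text = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, pwd = text.partition(":")
    if not sep:
        return None
    return user, pwd


class CredentialStore:
    """Constructed backend store: passwords are kept as salted PBKDF2-SHA256
    hashes, never in the clear, and compared in constant time."""
    ITERATIONS = 100_000
    _DUMMY = (b"\x00" * 16, b"\x00" * 32)

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        # Derive against a dummy salt for unknown users so the two failure
        # paths take the same time and do not reveal which usernames exist.
        salt, expected = entry if entry is not None else self._DUMMY
        matches = hmac.compare_digest(self._derive(password, salt), expected)
        return matches and entry is not None


def authenticate_backend_request(header: Optional[str], store: CredentialStore) -> Optional[str]:
    """What the backend does per request: returns the authenticated username,
    or None when the header is absent, malformed, or the credentials are wrong."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return None
    user, pwd = creds
    return user if store.verify(user, pwd) else None
```

The decode uses `validate=True` so that stray characters are rejected instead of silently skipped, and the parser splits on the first colon only; both are the usual places where hand-rolled Basic Auth handling goes wrong. The dummy-derivation in `verify` keeps the unknown-user path as slow as the wrong-password path.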
I'm considering securing a whole Java EE software platform with OpenAM (previously Sun OpenSSO). Applications, running on the WebLogic application server, would be secured by a JEE Policy Agent, and web services with the WS-Security SAML Token Profile.
As I understand it, the SSOTokenManager enables application code to retrieve OpenAM's SSO token. But in order to invoke the SAML-protected web services, I need to obtain a SAML assertion from OpenAM. Can anybody tell me how to do so?
Also, in the web service code, I may need to get back an SSO token from a SAML assertion. Is that possible?
You should be able to achieve both conversions using OpenSSO's Security Token Service. There is a tutorial for configuring it.
The SSOToken is an internal OpenAM representation of a user's session, whilst a SAML token is an asserted identity with associated information. As such, these are not directly translatable in the way you describe.
In order to obtain a SAML token for use in your web service call, you should look at the STS functionality in OpenAM. This is a standardised service that will authenticate users and then make an assertion about the identity and authentication of the user, represented by a SAML token. This token is then returned to the calling entity (the web service client), which can include this token as per the relevant WS-* standards.
You may also want to look at the OpenAM wss provider or the Metro/WSIT library to assist implementation on the client side.