I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?
Also,
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.
If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.
The Service provider is generally used for generating application keys to get an access token to invoke the apis.
OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.
In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.
Related
I am using wso2 apim 4.0.0. Some dozen of apis are deployed and published on it by admin user. Consequently the provider of those apis is admin(in wso2 db). The question that I would like to ask is if it possible to change api provider to another user. If it is then how to do that?
I tried to change it directly in wso2am_db (wso2 api manager database), but haven't succeeded.
this is not possible. Provider is user who created api. You can log in like admin, delete your api. Log in(in publisher or restfull api) like a different user and then create/deploy your api.
The API Provider will always be the user who creates the API. Directly updating the tables may result in data inconsistency. If you want to show it as owned by a different user in Developer Portal, you can add that user as Business Owner of the API, under Business Info.
We are using wso2 apim 2.0
When subscribing to an API, we are assigned a Client ID/Secret which is used to generate the tokens. However, the Client ID is tied to individuals (i.e. each developer on my team is assigned their own Client IDs for the same Aplication). Is there a way for multiple developers to manage application key/secret to access these API's so that they aren't tied to individuals?
You can use the application sharing feature among users of an organization.
So I may be barking up the wrong tree here, but I have got the api manager working against rest services and can provision users through LDAP.
I can restrict access to certain services by role.
All good so far, however as many users will authenticate through a SPA (AngularJS) and the application will call multiple Rest Services, what I don't want users to have to do, is go to the store and subscribe to all relevant APIs, I would like the users from the LDAP server to be subscribed to all relevant services and have the roles they have limit access to the service.
Is there a way to have authentication done by just being in the identity store and authorization to be managed by the restrict by role setting.
Does this need scripting, is it a setting, or is it impossible?
Thanks in advance
Your requirement isn't supported OOTB in API Manager, still you can do it with little effort.
API Manager provides REST API to subscribe APIs. You can write a client which call the REST API onbehalf of the user and subscribe him.
Have a look on REST API
We're trying to make Salesforce send a message to one of our APIs through WSO2 API Manager 1.9.0. However, it seems that Salesforce is unable to authenticate and recommends using IP-restrictions.
So, is it possible to allow an anonymous/unauthenticated user to use an API in API Manager? IP-restriction I can take care of with firewalls, I don't have to do that in API Manager.
When you create an API, in the Manage tap, you can select No Authentication for an API resource. Then you will be able to access the API resource without access token. See my answer for the similar question.
I'm confused about how end user authentication works with WSO2 AM.
It looks like by default, WSO2 AM acts as the user authentication server for OAuth flows and hence validates user credentials against those entered via the API Store and stored in the Key Manager. But those users are not end users of the destination APIs, but rather developers who've signed up to build apps to use the APIs. That doesn't make sense to me, so maybe I've misunderstood the documentation?
What I need and would think most other API publishers would need is the ability to authenticate end users against an API publisher's user authentication API, and so have WSO2 AM delegate user authentication to such an external authentication API via a redirect (in case of authorization grant or implicit grant flows) or server-server call (in case of resource owner credentials grant).
How would one go about configuring such a setup, and what's the interface between the WSO2 AM and the external authentication API, for both the redirect and server-server interactions? Can you point me to any documentation or samples of such a setup?
thx,
Chris
My perspective on this is that end users consume apps directly, not APIs. App developers build apps that consume APIs. So this conforms to philosophy of WSO2 API Manager, where it is catering to the app developers.
An API publisher's user authentication API is just another API as far as the API Manager is concerned. You can expose this API through API Manager and have users(or apps in my opinion) invoke the API with specified parameters and get a response(In your case user credentials as parameters and a response based on the authentication of those credentials). What an underlying API does is of no concern to API Manager, it simply facilitates the management of the API invocation.
Often apps make authenticated user-specific requests to APIs to service users using the apps. The OAuth2 resource owner password credentials grant is one of a few OAuth grant options used by apps to obtain user-specific OAuth tokens, and it requires authenticating the user's credentials against the API publisher's user authentication API. For reference, here's apigee's documentation on how to do it.
wso2 APIM has four role models-> admin,creator,publisher and subscriber.
so those who have creator and publisher role can create and publish an api in publisher app(they are developers).
and those who have subscriber role can subscribe to api in store and generate the oath token(they are end users).So whenever a user singup from store will be assigned to subscriber role. so those who have only subscription role are endusers of that api.
so when an end user access the api using the token taken from store, he will be authenticated by APIM.
1.https://docs.wso2.com/display/AM160/User+Roles+in+the+API+Manager