How to call/configure a secured API in WSO2 API Manager - wso2

I need to configure a set of APIs which are secured and use the client credentials and password grants along with a client key and secret key.
And how do I track the users that are trying to access the API?
I tried adding proxy mediators.

By default, the API which you create in WSO2 API Manager will be secured.
You can secure the APIs with
OAuth, which comes built into the application, or
you can integrate the WSO2 Identity Server to be used as the Identity Provider for WSO2 APIM.
The link below shows how to create and publish APIs in API Manager.
[https://docs.wso2.com/display/AM250/Create+and+Publish+an+API]
Once you are able to invoke the created API, you can check the usage of that API on the Analytics profile for it. You can have it integrated with the API Manager.
The link below is useful for setting up the Analytics profile for APIM 2.5.0:
[https://docs.wso2.com/display/AM250/Configuring+APIM+Analytics/]
Once Analytics is set up for APIM, you can use the DB to fetch the usage of the APIs.
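As an added example (not from the question or any answer, and not WSO2's own code), the Python below builds the Token API requests for the two grants the question mentions, client credentials and password, authenticates them with the consumer key/secret exactly as HTTP Basic auth, and turns the token response into the Bearer header used to invoke the published API. The token endpoint URL is an assumed default and the function names are mine; no network call is made.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumed default token endpoint of the APIM gateway; adjust to your deployment.
TOKEN_URL = "https://localhost:8243/token"


def basic_auth_header(client_key, client_secret):
    # The Token API authenticates the application with HTTP Basic auth
    # over the consumer key/secret pair, i.e. base64("key:secret").
    creds = f"{client_key}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_token_request(client_key, client_secret, grant,
                        username=None, password=None, scope=None):
    # Return (headers, form_body) for a client_credentials or password grant.
    if grant == "password":
        if not username or not password:
            raise ValueError("password grant requires username and password")
        params = {"grant_type": grant, "username": username, "password": password}
    elif grant == "client_credentials":
        params = {"grant_type": grant}
    else:
        raise ValueError(f"unsupported grant_type: {grant}")
    if scope:
        params["scope"] = scope
    headers = {"Authorization": basic_auth_header(client_key, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


def parse_token_response(body, now=None):
    # Parse the JSON token response; an OAuth error reply raises instead.
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(data.get("error_description") or data.get("error", "no access_token"))
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "expires_at": now + int(data.get("expires_in", 0)),
            "scope": data.get("scope")}


def api_call_headers(token, now=None, margin=30):
    # Bearer header for the published API; refuse a token about to expire.
    now = time.time() if now is None else now
    if token["expires_at"] - margin <= now:
        raise ValueError("token expired or expiring; request a new one")
    return {"Authorization": "Bearer " + token["access_token"]}
```

POST the returned form body to TOKEN_URL with the returned headers; the gateway then records each call under the application (and, for the password grant, the end user) that obtained the token, which is what the analytics DB reports.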

To solve your query, this is how you should proceed.
You can add a custom sequence in the in-flow of the API (you can do that from the API Publisher only, by editing it) [https://docs.wso2.com/display/AM260/Adding+Mediation+Extensions]
The sequence code will be like below:
<sequence xmlns="http://ws.apache.org/ns/synapse" name="custom-sequence_name">
    <property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
              xmlns:ns3="http://org.apache.synapse/xsd"
              name="accesstoken"
              value="put your token here"
              scope="transport"
              type="STRING"/>
</sequence>
The one above is for a static backend token. For a dynamic token you can create a sequence accordingly.
This should solve your query :)
For dynamic, go here [How the external authentication handled in WSO2 APIM for an external/Third Party APIs

If your backend is OAuth secured then you can use one of the following methods.
Method-1
The OAuth mediator, which can be used for generating OAuth 2.0 tokens and for calling backends that are secured with the OAuth 2.0 protocol. Refer to this.
Method-2
Writing a mediation sequence which generates an access token for the backend and makes a connection to the OAuth 2.0 secured backend. Refer to this blog.

Related

How do I pass a bearer token in wso2 Publisher?

I am using WSO2 to manage my group's APIs, so I publish my API to the WSO2 Publisher. My API has its own authentication by sending a bearer token. The Swagger document has the authorize button, but when I import my API definition in the WSO2 Publisher, the authorize button disappears.
I have these questions:
1. How should I send the original bearer token?
2. When I use a Swagger 3 definition, it shows some errors. Is Swagger 3 not supported by the import function?
Does anyone have a suggestion?
My WSO2 version is: WSO2 API-M v4.1.0
WSO2 API Manager does support Swagger 2 and OpenAPI Specification (OAS) 3 and above.
And with regard to Bearer tokens in API Manager, you can generate a bearer token using the DevPortal for your APIs. You need to create a new Application and subscribe to your API, and then you can generate a new JWT-based bearer token.
Please check this section in detail - https://apim.docs.wso2.com/en/latest/consume/consume-api-overview/
If your backend is OAuth protected you can use Endpoint security to add OAuth configs to generate a backend bearer token when calling the API. Take a look at this document. Also, if you want to import backend certificates to API Manager, take a look at this document.

Can I validate access tokens sent by a third-party OAuth 2.0 Authorization Server in WSO2 API Manager while calling an API?

I have a requirement that I need to validate a 3rd-party Authorization Server access token in WSO2 API Manager. If the token is active and valid then allow the resource.
IMHO, as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with WSO2 ESB mediations). With this option you will lose some APIM capabilities (throttling, authorization, analytics).
You should be aware that the default authorization handler cleans the Authorization header (as far as I know), so you may need to add a custom handler to preserve the original header value.

WSO2 API Manager end user registration from a Mobile (Android and iOS) Application using Google or Facebook sign-in

We are using WSO2 API Manager 1.10 and WSO2 Identity Server 5.1.0 for managing back-end REST APIs which will be consumed by Android and iOS applications. For an end user (Mobile App user) to access the exposed APIs, the process followed is:
1. The user registers to the WSO2 IS server using the WSO2 SCIM create user API.
2. The user requests an access token which will be used for accessing the APIs.
We are planning to add Google and Facebook sign-in features to our Mobile app which will help end users avoid user creation in WSO2 IS. Does WSO2 API Manager support this sort of implementation? If so, what are the configuration changes we need to make to our current setup?
You can achieve this using identity federation. IS will act as the key manager, and it can also federate the authentication to Facebook/Google.
You can find how Facebook can be configured to get an access token in this blog [1]. Similarly, you can add Google for federation [2].
[1] http://nuwanzone.blogspot.com/2015/10/getting-access-tokens-for-wso2-api.html
[2] https://docs.wso2.com/display/IS510/Configuring+Google

Does WSO2 API Manager prevent XSS and CSRF security errors?

I'm researching WSO2 API Manager and I discovered that if I use the WSO2 API Publisher and API Store, I would meet XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create a token when I request from client to server and vice versa.
Does anyone know how to configure WSO2 to prevent these security errors or how to fix them?
Thanks in advance.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to HTTPS only.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never None. This forces the client to use the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access tokens so that we don't have to manually re-generate keys in the API Store.
Utilize the API in-sequence to escape special characters.
We fix these types of security issues in our next release, AM v1.7.1. You can expect it in the 3rd week of September.

WSO2 Identity Server obtain SAML token for rest call

I have two applications that both support SAML2 SSO using WSO2 Identity Server. During application bootstrap (when no user request is processed yet) I need one of the applications to get information from the other using a REST call. However, this REST call should provide a SAML token for security purposes. I need a way to remotely get a SAML2 token and use it for REST calls. I have read a post about a REST STS client without ESB, however I can't find sample code on how to get a SAML token for my REST calls. What is the way to obtain such a SAML token? Is there sample source code?
You can follow this blog [1] to get the passive STS sample. But if you are using WSO2 Identity Server 5.0, the user interface is a bit different than in this blog.
[1] http://dulanja.blogspot.com/2013/09/passive-sts-java-sample-with-wso2.html