In API manager inside store we can create consumer key and consumer secret using generate keys button for an application.I am just digging the java code where its getting generated so that i can try to generate keys using a different identity server not API Manager's default identity server.
I am trying the same in wso2am-2.2.0-update7 version.
Main motive is using the third party identity server for keys and token generation.
Please refer https://docs.wso2.com/display/AM220/Configuring+a+Third-Party+Key+Manager. This contains what you need to do to configure third party IDP as a Key Manager in APIM
Related
How can use WSO2 (5.11) IS to generate JWT with information stored on server that is not WSO2 that is used for autnetication? My use case is to login user via WSO2 IS, but the actual authentication will happen on a different server, not WSO2. In turn this server upon authenticating the user, will call WSO2 to generate JWT with custom data that it sends. If I understand this post correctly, I need to create local authenticator, is this the approach I should take in my use case?
Moreover, if this approach is possible, will I be able to use WSO2 SSO to allow user to access applications on remote server, or is WSO2 SSO strictly for applications running on WSO2 server itself?
Since you need to connect to some external store using REST API, you can write some custom local authenticators and deploy into Identity servicer. You can implement the custom local authenticator to call your store using some REST API and authenticate the user.
[1]https://is.docs.wso2.com/en/5.9.0/develop/writing-a-custom-local-authenticator/
[2]https://github.com/vihanga-liyanage/samples-is-1/tree/master/custom-local-authenticator
[3]https://everything1know.wordpress.com/2019/09/17/wso2-is-custom-local-authenticator/
We're in the process of configuring our suite of WSO2 products in a development environment and we're having a hard time wrapping our heads around IS Key Manager.
What we're going for is an Identity Server (already configured) with an OAuth Service Provider that an external web page can log into. This is already complete, we can get our token through IS just fine.
We now want to take the same token, and pass it to API Manager, and have API Manager understand the token, and the roles within, and approve or deny the API request.
Further in, we want to pass the token to Enterprise Integrator (which API Manager calls) and get info from the token (user info, claims) within a sequence.
IS is configured and working in it's isolated way (tokens generated from it aren't being accepted by APIM). APIM is configured in that it is pointing to an EI API.
EI is only configured in that it has an API with sequences that do stuff.
I've read through these:
https://docs.wso2.com/display/AM260/Key+Concepts#KeyConcepts-KeyManager
https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
They suggest a separate Key Manager that all can speak to. Makes sense. But the Key Manager when downloaded is an APIM instance? And looking deeper into the documentation it seems like this Key Manager is meant to REPLACE the traditional Identity Server, which doesn't support our use case (we need a separate Identity Server that can federate freely with others).
I assume I'm not understanding something about the Key Manager configuration properly.
In short:
IS needs to have an OAuth service provider to login to. Once the token is generated there, it will be sent to an APIM endpoint. APIM should understand the roles, and authorize it through. EI should then receive the token from APIM and then also understand the roles and authorize it through.
How can I accomplish this?
I would assume you got to the page where "API Manager" download page. Then you got the download pack named "wso2am-2.6.0.zip"?
There is a link on the same download page under "Other Resources" -> "Identity Server as a Key Manager Pack". You can get the "wso2is-km-5.7.0.zip".
This is almost same as "wso2is-5.7.0.zip", except very few config modification. You could use almost all the IS features in the same way.
This documentation: https://developers.google.com/admin-sdk/directory/v1/quickstart/quickstart-java#step_1_enable_the_admin_sdk_directory_api
Mentions that I need to have client secret, and the code sample lower on that page uses client secret.
However, when i go to APIs and auth/Credentials here https://console.developers.google.com/project/[proj]/apiui/credential#
I only can find clientId and private key instead.
Is there some other place I should get client secret from?
Google API Console is here
APIs and Auth (left)
Credentials Submenu
After I created an OAuth, my information was there.
(by my information was there, I mean successful showing of client secret, etc)
I used wrong type of API, I need web API for that, but I used server API when I was setting up Authentication. Adding web API for authentication added client secret for me.
I'm working with WSO2 Api Manager version 1.6 and I need to obtain by a REST (or SOAP) service the Access Token (of Key Production) of the current suscription of an application.
Is it possible to obtain that key giving as input parameters user/pass of consumer (suscriber) user?
There is token generation and renew method from client side,however you need consumer and secret key to generate this Token.
http://docs.wso2.org/display/AM160/Token+APIs
Months ago I was working on that. I investigate trying with APIKeyMgtSubscriberService?wsdl. Try to call function getApplicationAccessToken by Soap UI. It returns keys you need, but I don't know why in my case returns some keys which are not equal to keys showed on the web interface.
Hope it helps.
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji