API Manager store. Multiple API Keys - wso2

How can I configure WSO2 API Manager to handle multiple authentication API keys in the Store's API Console? I would like it to show fields for Authentication and clientId, for example. But it only shows the field for Authentication, despite my having built my Swagger file with both headers in it.
I do handle these auth headers in my application backend. And I am testing my Swagger file in the Swagger Editor and it works fine (the Swagger Editor asks for two API key headers).

Swagger can handle a lot itself; it's only a definition file. It doesn't mean a (any) product must support all options.
WSO2AM reads only the authorization header (Authorization by default, can be changed). The header is cleared before sending to the backend.
If you want to be able to send a custom header to the backend from the API Store, you can define a header parameter (not as an API key).
WSO2AM can be configured to send a JWT token to the backend with client information; that's how the backend can get and validate the identity information.

Related

How to get app config data from a file in s3 bucket before user logged in to the app for a multi-tenant application?

I am using an S3 bucket to store app config data for a multi-tenant application. I need tenant info saved in a public file (.json) in the S3 bucket before the client is logged in to the application. For example, app config data might be the client logo and some custom title/sub-title for each tenant, etc. I am trying to fetch the file content based on the sub-domain.
So I need to fetch the client data while rendering the login component itself. I am using the aws-sdk tool on the client side, but am facing a 'missing credentials' error.
I am not getting how to achieve this.
Thanks and regards,
SHASHIDHAR N K
The AWS SDK for JavaScript uses the S3 REST API in such a way that it requires a GET request to be authorized. This is because it uses request parameters to override response header values, and for these the REST API documentation for GET says:
Note - You must sign the request, either using an Authorization header or a pre-signed URL, when using these parameters. They cannot be used with an unsigned (anonymous) request.
However, you don't need to use S3 to get a public file; you can make a standard HTTP request using XMLHttpRequest or suchlike.
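As an added example of the plain-HTTP approach described in the answer (this is not code from the original post or from AWS), the following browser-side JavaScript derives the tenant from the sub-domain, validates it before it is spliced into a URL, and fetches the public config file with an ordinary unauthenticated request. The bucket URL, the application domain, the `config.json` object name and the config field names are all assumptions made for the example.

```javascript
// Added example, not from the original post. Assumed values: a public bucket
// reachable at CONFIG_BASE, tenant sites served as <tenant>.example.com, and
// one public object <tenant>/config.json per tenant.
const CONFIG_BASE = 'https://example-tenant-config.s3.amazonaws.com';
const APP_DOMAIN = 'example.com';
// A single DNS label: letters, digits, hyphens; no dots, no leading/trailing hyphen.
const TENANT_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Extract the tenant label from the hostname the page was served on.
// Rejects anything that is not exactly one label under APP_DOMAIN, so the
// hostname can never steer the request to a different path or bucket.
function tenantFromHost(hostname) {
  const host = String(hostname).toLowerCase();
  const suffix = '.' + APP_DOMAIN;
  if (!host.endsWith(suffix)) throw new Error('not a tenant host: ' + host);
  const tenant = host.slice(0, -suffix.length);
  if (!TENANT_RE.test(tenant)) throw new Error('invalid tenant label: ' + tenant);
  return tenant;
}

function configUrlFor(tenant) {
  return `${CONFIG_BASE}/${encodeURIComponent(tenant)}/config.json`;
}

// Plain GET with no credentials: a public object needs no SigV4 signing, which
// is exactly why the aws-sdk path (and its 'missing credentials' error) is not needed.
async function loadTenantConfig(hostname, fetchImpl = fetch) {
  const res = await fetchImpl(configUrlFor(tenantFromHost(hostname)), { credentials: 'omit' });
  if (!res.ok) throw new Error(`config fetch failed: HTTP ${res.status}`);
  const raw = await res.json();
  // Copy only the fields the login page renders; never spread arbitrary JSON into app state.
  return {
    logoUrl: String(raw.logoUrl ?? ''),
    title: String(raw.title ?? ''),
    subtitle: String(raw.subtitle ?? ''),
  };
}

// In the login component: loadTenantConfig(window.location.hostname).then(render)
```

The bucket object must be readable anonymously (a bucket policy granting `s3:GetObject` on the `*/config.json` keys) and, if the page origin differs from the bucket host, the bucket needs a CORS rule allowing `GET` from that origin; nothing secret belongs in that file, since anyone can fetch it.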

Can I validate access tokens sent by a third-party OAuth 2.0 Authorization Server in WSO2 API Manager while calling an API?

I have a requirement that I need to validate a 3rd-party Authorization Server access token in WSO2 API Manager. If the token is active and valid then allow the resource.
IMHO, as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with WSO2 ESB mediations). For this option you will lose some APIM capabilities (throttling, authorization, analytics).
You should be aware that the default authorization handler would clean the Authorization header (as far as I know), so you may need to add a custom handler to preserve the original header value.

Push user SAML attributes to backend service via WSO2 API Manager

I am using WSO2 API Gateway to service API calls. The backend requires custom user attributes (username, e-mail, etc.) to be sent as part of the query string in the URL. The values for the query string pairs will be provided in the SAML2 token embedded in the API call.
How can a mediator access these custom SAML2 attributes?
You can create a custom mediator or custom handler to parse the SAML token and set it in a header or something. See "Writing Custom Handlers" for a sample handler which reads a header.

How to pass Authorization Header WSO2 (API Manager) to my backend service?

I need to pass the Authorization header from API Manager (WSO2) to my Service Bus application (Oracle).
I saw in another post that I can't do that, because the API will validate the token against the Key Manager and drop that token before calling the backend. (How to pass authorization header in WSO2 OAuth2 and its backend API server Oauth2?)
Is there any alternative to pass the token from API Manager to my service bus application?
Are there some additional settings for that?
In conf/api-manager.xml, change the value of "RemoveOAuthHeadersFromOutMessage" to false. The Authorization header will not be removed and you can access it in your sequence; then you can set it as the request header to your backend. Not sure whether this is what you want or not.
One option would be to send the same OAuth token in another custom header and then, by adding a custom mediation sequence in the API Manager, set that custom header to the Authorization header and then send it to the backend server.
https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend.
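A worked mediation sequence for the second option above, added here as an example; it is not taken from the linked WSO2 page or from the answer. It assumes the client sends the backend's own token in a header named X-Backend-Token (an assumed name) and that the sequence is engaged as the API's In flow, after the gateway has already validated and stripped the APIM OAuth token:

```xml
<!-- Added example. Assumed custom header: X-Backend-Token. Engage as the In sequence of the API. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="copy-custom-token-to-authorization">
    <!-- Only rebuild Authorization when the client actually supplied the custom header. -->
    <filter source="get-property('transport', 'X-Backend-Token')" regex=".+">
        <then>
            <!-- scope="transport" writes an HTTP header on the outgoing request. -->
            <property name="Authorization"
                      expression="fn:concat('Bearer ', get-property('transport', 'X-Backend-Token'))"
                      scope="transport"/>
            <!-- Do not forward the custom header itself; the backend only needs Authorization. -->
            <property name="X-Backend-Token" action="remove" scope="transport"/>
        </then>
        <else>
            <log level="custom">
                <property name="WARN" value="X-Backend-Token missing; backend will receive no Authorization header"/>
            </log>
        </else>
    </filter>
</sequence>
```

Two caveats a reviewer would raise: the gateway does nothing to validate the value it copies, so the backend must still verify the token it receives exactly as if the client had called it directly; and because the token now transits gateway-to-backend in an HTTP header, that hop must be TLS or the token is exposed on the wire.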

API Manager passing JWT to backend service

A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation, I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backend service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The content is encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point to debug.