Adding path to resource for WSO2 APIM web socket - wso2

If my WebSocket production endpoint is ws://example.com/test/plugins/token=<access token>, is it possible to use the WebSocket API on WSO2 API Manager to map this? It seems that "path to resource" is not available in WSO2 APIM. If I just map ws://example.com and add the path to the resource at the end of the WS URL given by APIM, it won't work.
I need to have a different token for the WS to work.
The example given here has no path to resource:
https://docs.wso2.com/display/AM210/Create+a+WebSocket+API

Related

Securing backend with WSO2 Identity Server and WSO2 API Manager

I have an API that is exposed through WSO2 API Manager; it is secured by OAuth2, so a client must pass an API key, token or credentials in order to get access to resources. So far so good. But now I'd like to protect the backend's endpoint as well. The backend only accepts calls from API Manager (IP security), but it is open; I mean, if someone with access to APIM's host makes the call, it will be accepted since there is no authentication between them.
I would like to use Identity Server to protect the backend, but according to the APIM documentation, the supported endpoint security options are BASIC or DIGEST.
What is the best approach to implement BASIC/Digest auth in a Spring Boot backend and use WSO2 Identity Server as the user registry? This way I can centralize every security detail in a single solution.
Thanks in advance.
If you use basic auth or anything similar, your backend might have to make another API call to WSO2 to validate that token. Instead, you can pass a self-contained JWT token from the API Manager to the backend, so that the backend can validate that the JWT was issued by the API Manager itself using the certificate, without relying on anything else.
This way you can verify whether the call was made by API Manager, and additionally identify the end user from the JWT content.
Doc : https://apim.docs.wso2.com/en/latest/learn/api-gateway/passing-end-user-attributes-to-the-backend/passing-enduser-attributes-to-the-backend-using-jwt/?fbclid=IwAR1JT9DLOclmA-xw0Ev9C2Xrje5EDGrDBnmMkfDKMcbxTlCLf0swSPucMfA
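As an added example (not code from the answer, WSO2 or the linked doc): how a backend can check the gateway-issued JWT from the X-JWT-Assertion header without calling back to API Manager. It verifies the RS256 signature against the gateway public key (written on the standard library, with a constructed toy key standing in for the gateway certificate), then checks issuer and expiry before trusting the end-user claim; the issuer value, the claim name and `exp` in seconds are assumed from APIM defaults.

```python
import base64, hashlib, hmac, json, time
# Constructed toy RSA key (two Mersenne primes) so this runs offline with the standard
# library alone; it is not a safe key. In practice N and E come from the gateway certificate.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, used only to mint the sample
K = (N.bit_length() + 7) // 8            # modulus size in bytes (81)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
EXPECTED_ISS = "wso2.org/products/am"    # assumed APIM default issuer value

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) (RFC 8017, section 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def verify_rs256(signing_input: bytes, sig: bytes) -> bool:
    # RSASSA-PKCS1-v1_5: recover the encoded message with the public key and compare
    if len(sig) != K:
        return False
    m = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(m, emsa_pkcs1_v15(signing_input))

def validate_gateway_jwt(token: str, now=None) -> dict:
    # Returns the claims only if signed by the gateway key, issuer matches and unexpired
    h64, p64, s64 = token.split(".")             # ValueError if not three segments
    if json.loads(b64url_decode(h64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")       # refuse 'none' and HMAC downgrades
    if not verify_rs256(f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))      # only now are the claims trusted
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def mint_sample_jwt(end_user: str, ttl: int = 300) -> str:
    # Stand-in for the gateway: signs a constructed claim set with the toy private key
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    claims = {"iss": EXPECTED_ISS, "exp": int(time.time()) + ttl,
              "http://wso2.org/claims/enduser": end_user}
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode()), "big")
    return f"{signing_input}.{b64url_encode(pow(m, D, N).to_bytes(K, 'big'))}"
```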

How to setup wso2 api gateway and Can we customize working of WSO2 API gateway?

How to set up the WSO2 API gateway.
Is it possible to modify/customize the behavior of the WSO2 gateway?
We have our own OAuth server and want to redirect each and every request to the OAuth server for authorizing the request.
Once the request is authorized, the gateway should redirect it to the backend service/API.
We want to add some filtering logic as well.
Yes, this is possible with the third-party key manager support in WSO2 API Manager [1].
The basic idea here is that when generating a token, the token request goes to your OAuth server via the key manager component of API Manager.
When an API request comes in, the gateway sends the token validation request to the key manager component of the API Manager. From there, you can call your OAuth server to validate the token.
To accomplish your requirement you have to write your logic in Java. A sample can be found in [2].
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configure-a-third-party-key-manager/#configure-a-third-party-key-manager
[2] https://github.com/wso2-extensions/apim-keymanager-okta/blob/OKTA-OAuth-Client-2.0.0/docs/config.md

How to use WSO2 AM to call my backend services that are secured with OAuth

Using my API Gateway WSO2, I want to call my backend services (my endpoints) that are secured with OAuth (Access-Token). But I cannot find how to do that.
It's even mentioned on the WSO2 website that by using the API Publisher (of WSO2 AM) you can only configure your APIs to call services secured with username/password: https://docs.wso2.com/display/AM210/Working+with+Endpoints
You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Do you know if there is another way to do this without using the API Publisher?
My browser (SET API Gateway Access-Token) --> API Gateway WSO2 (SET my backend services Access-Token) --> My backend services
Thank you!
You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Out of the box, from the API Publisher you can directly authenticate with the backend using Basic authentication (username and password).
Do you know if there is another way to do this without using the API Publisher?
Well, the Publisher app is always involved.
I want to call my backend services (my endpoints) that are secured with OAuth (Access-Token)
There are multiple ways to authenticate with the backend, not all of them straightforward:
1. Basic authentication (this is what you don't want)
2. JWT token: the API Manager is able to send a signed JWT token with the API calls to the backend, and the backend service can authenticate and extract client details from the JWT token.
3. Using the inbound mediation configuration you can manipulate the request payload and metadata.
With point 3 you should be able to send a custom OAuth/Authorization header. The question is: with which identity provider is your service authenticating/authorizing?
The problem is that there's no unified configuration for how your service's client (the API Manager calling the backend) would fetch / cache / refresh / revoke the token that would work with all possible identity providers.
In theory you could implement OAuth authentication with an external IdP using the inbound mediations (sequences), but I strongly urge you not to put anything complex into API mediation, for the sake of maintainability (been there, done that, screwed it up badly).
Maybe the simplest option would be having a permanent token you could pass in the HTTP headers; it sounds simple enough.
There is a custom OAuth2 mediator which you can try: https://github.com/imesh/wso2-oauth-mediator

How to get Cognito Identity Id in backend that is requested by AWS API Gateway?

I use AWS Cognito authentication in my web application. I have a PHP backend with a REST API. After user authentication I make requests to AWS API Gateway using this library. The API Gateway methods have the HTTP integration type. They proxy HTTP requests to my PHP backend. How do I get the Cognito Identity Id in my PHP backend? I need to set a relation reference to the Cognito user in my backend.
API Gateway makes the caller's identity id available in the request context. Assuming you are using a Cognito Identity Pool (federation), you are looking for this property: $context.identity.cognitoIdentityId.
You could configure API Gateway to send the value of the identity id in a new header to your backend. To achieve this you have to:
1. Open the integration request pane of the method configuration
2. Expand the HTTP headers section and click the "Add header" link
3. Give your header a name, such as X-Cognito-Identity-Id
4. In the "mapped from" field use the following expression: context.identity.cognitoIdentityId
5. Use the checkmark link on the right to save the configuration changes.
Re-deploy the API, and your PHP backend should start receiving the additional header populated with the Cognito identity id from the original request.
For those for whom the answer provided by #stefano didn't work, you can replace the context variable context.identity.cognitoIdentityId with context.authorizer.claims.sub.
header name: X-Cognito-User-Id // or any name that you prefer
mapped from: context.authorizer.claims.sub // returns the Cognito user id.

WSO2 IS - How to get custom claims from WSO2 Identity Server via user-info rest service

I'm trying to get custom claims from Identity Server via the user-info service in WSO2 Identity Server version 5.3.0.
This is the invocation of the user-info service:
GET https://host:9443/oauth2/userinfo?schema=openid HTTP/1.1
And the response only contains the subject info:
{
"sub": "user#carbon.super"
}
How can I get all the claims of the user via the user-info service?
Thanks in advance.
Did you add the custom claims as requested claims in the Service Provider configuration?
You need to define the claims that should be included in the response. That should be configured in the Claim Configuration of the Service Provider. You can refer to (1) for more information.
(1) http://dinukshaish.blogspot.com/2017/02/getting-started-with-oauth-20-using.html