As per documentation
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message.
link
I want to pass this token to the backend for every published API. What is the correct place to configure such behavior?
Uncomment below configuration in repository/conf/api-manager.xml and set false.
<RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage>
From API Manager version 3.0.0 onwards configuration model has been changed. So any changes done in api-manager.xml get reverted after the server restart.
Now we need to change <API-M_HOME>/repository/conf/deployment.toml
Uncomment and set the following lines:
[apim.oauth_config]
enable_outbound_auth_header = true
enable_outbound_auth_header string
Default: FALSE If TRUE, sends Auth header to the backend as received
from the client.
Related
Whenever I begin to use the AWS_IAM authorizer on my function, my API GET request - which is being made from a web client - receives a No 'Access-Control-Allow-Origin' header is present on the requested resource. and I'm getting a 403 status code. When I remove the aws_iam authorizer, the API request - made via the same web client - succeeds. So I'm pretty sure it's not actually a CORS error since I've double checked that my API has cors enabled. I'm not sure if I'm using the AWS Javascript SDK wrong or if I'm not generating proper roles for AWS_IAM in my serverless.yml config.
When I run the request from postman with my personal access keys from AWS, the request succeeds. When I console.log the keys from the AWS.config.credentials and use those in postman, the request receives an invalid token error message. Maybe I haven't generated the proper role for my federated identity pool?
I'm using aws4 on the front-end to sign the request, and I use axios to make the request.
Any ideas?
Axios will make a pre-flight request. It's an OPTIONS type and expects a 200 response before it will make the GET request. It also needs to return the CORS header:
Access-Control-Allow-Origin: *
Postman won't make the same call automatically but you can use it to test that request. Ensure that your API is accepting OPTIONS request methods for that route and that it returns an empty 200 response with the CORS header and I think you'll be good to go.
AFAIK, the OPTIONS request needn't be authenticated. Just give a green light. It may be the case that your client is making calls to this endpoint as OPTIONS requests that are being authenticated, adding a second layer of confusion, or you may need to add an Access-Control-Allow-Headers to allow an Authorisation type header if AWS is using one.
Hard to give more information without debugging but I would start with an OPTIONS request.
I need to pass Authorization Header from API Manager (WSO2) to my Service Bus Aplication (Oracle).
I saw in another post that I cant do that, because API will validate the token against the key manager and drop that token before calling the back end. (How to pass authorization header in WSO2 OAuth2 and its backend API server Oauth2?)
There's any alternative to pass the token from API Manager to my service bus application?
There's some additional settings for that?
In conf/api-manager.xml, change value of "RemoveOAuthHeadersFromOutMessage" to false. Authorization header will not be removed and you can access it in your sequence, then you can set it to the request header to you backend. Not sure whether this is what you want or not.
One option would be to send same oauth token in another custom header and then by adding a custom mediation sequence in the api manager, set that custom header to Authorization header and then send it to backend server.
https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend.
We are trying to use the API Manager (1.10) to call an existing API (POST) that already uses an Authorization header token. I several things including using mediation according to an article entitled "Pass a Custom Authorization Token to the Backend" and that didn't seem to work.
I finally tried setting the "Auth Type" to "None" which according to documentation should just pass the API call directly to the backend (including the authorization header). This didn't work either. The call gets to the backend service but seems to lose the Authorization header so it throws an 400 error (the same error I get when I leave out the header and call the backend api directly using SoapUI).
Any help would be appreciated!
If you followed the instructions here, it should work.
I have implemented this for several projects and I can attest it did work.
You may turn on wire logs via configuring log4j.properties, inspect the wire log and see what happens.
If you want to have authorization (oauth token validation) at the API gateway as well as want to pass the custom authorization header to back end, you will need to follow the setup described in the documentation[1].
If you want to disable authorization at the API gateway level by setting the authorization type[2] to "none" and want to pass the Authorization header (custom) from client to the back end through the API gateway, you need to do the following steps.
By default, the API gateway will drop the "Authorization" header without sending it to the backend[3]. To send the Authorization header to the backend through the API gateway, uncomment the following property and set its value as "false" in <wso2am-home>/repository/conf/api-manager.xml and
<RemoveOAuthHeadersFromOutMessage>false</RemoveOAuthHeadersFromOutMessage>
[1] https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend
[2] https://docs.wso2.com/display/AM1100/Key+Concepts#KeyConcepts-HTTPmethods
[3] https://docs.wso2.com/display/AM1100/FAQ#FAQ-HowcanIremovetheauthenticationheadersfromthemessagegoingoutoftheAPIGatewaytothebackend
A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backed service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The Content is been encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point to debug.
It's possible to pass access token from AM to ESB endpoint? (once AM has validated this access token by header Authorization: Bearer). If I try to parse the transport property of Authorization, in ESB, it has null value. Does AM take out this header before passing the message to ESB endpoint?
Yes, by default it takes out authorization headers. You can keep the oauth headers without removing by, making RemoveOAuthHeadersFromOutMessage false in api-manager.xml. It is commented out by default. So uncomment that and make as false.
<RemoveOAuthHeadersFromOutMessage>false</RemoveOAuthHeadersFromOutMessage>