Wso2am custom sequence - how to get scimid from jwt - wso2

<property name="authheader" expression="get-property('transport','X-JWT-Assertion')"></property>
I am not getting a value for authheader. I added this code to a WSO2 sequence in the in flow to get the SCIM ID at the end service.

Please make sure you have enabled JWT token generation in your deployment as given in [1].
[1] https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
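Once JWT generation is enabled, the backend (or a custom sequence) receives the token in the X-JWT-Assertion header and has to decode the payload to reach the SCIM id claim. The following added example, not code from the thread or from WSO2, shows in Python what that extraction must do and the check a practitioner should not skip: the claim is only trustworthy after the signature has been verified, the algorithm must be pinned, and the header lookup must be case-insensitive (a case-sensitive lookup is one common reason the property comes back empty). It assumes an HS256 shared secret (constructed, so the example runs offline) in place of the RS256 gateway keystore key WSO2 actually uses, and it assumes the claim URI `http://wso2.org/claims/userid` carries the SCIM id; check the JWT your own gateway emits and adjust the constant.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing key. WSO2 API Manager signs X-JWT-Assertion with the
# gateway keystore's private key (RS256); HS256 with a shared secret stands in here
# only so the example runs offline without a key pair.
DEMO_KEY = b"constructed-demo-secret"

# Assumed claim URI carrying the SCIM user id; the thread does not name the claim.
SCIM_ID_CLAIM = "http://wso2.org/claims/userid"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT standing in for the gateway's X-JWT-Assertion."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup: HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def scim_id_from_assertion(headers: dict, key: bytes = DEMO_KEY):
    """Return the SCIM id claim from a verified X-JWT-Assertion header, or None.

    None is returned when the header is absent or malformed, when the alg is not
    the expected HS256 (no algorithm confusion), when the signature does not
    verify, or when the claim is not present.
    """
    token = get_header(headers, "X-JWT-Assertion")
    if not token:
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # claims stay untrusted until the signature checks out
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    return claims.get(SCIM_ID_CLAIM)


if __name__ == "__main__":
    # Constructed request headers as the gateway would forward them to the backend.
    demo_headers = {
        "x-jwt-assertion": make_demo_jwt({"sub": "alice@carbon.super",
                                          SCIM_ID_CLAIM: "2d7a9f2e-demo-uuid"}),
    }
    print(scim_id_from_assertion(demo_headers))
```

The same shape applies inside a Synapse sequence: read the header, split on the dots, base64url-decode, verify, then pick the claim. Whatever component does the decoding, the signature check belongs before any use of the claim, because a forwarded header is only as trustworthy as the path it travelled.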

Related

Need an access token for authorization, and the access token is provided by another service with Basic Auth. Does WSO2 have this feature?

I need this feature in WSO2 Publisher or Devportal:
I have one API that needs a dynamic access token, and I also have another API with static Basic Authentication that provides that dynamic access token. Unfortunately I could not solve this with mediation. The policy is simple, but I don't know whether WSO2 has this simple feature or not.
Process: token API with Basic Auth ==> provides dynamic access token ==> use access token in main API body and send.
The main API is our endpoint in WSO2 API.
I could not solve this with Endpoint Security (OAuth2) and mediation (XML).
The version of WSO2-AM is 4.1.0, which is the latest version now.
Have you thought about using a vault, such as HashiCorp Vault [1], to fetch the basic auth credentials?
From there, use a custom sequence [2] that gets the token (step 1 in your diagram) and then gets the token check results you need (step 2).
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/mi-setup/security/using-hashicorp-secrets/
[2] https://apim.docs.wso2.com/en/latest/reference/mediators/sequence-mediator/

JSON and XML threat protection in WSO2 API Manager is not working

When I was trying "JSON/XML Threat Protection for API Gateway" in WSO2 APIM 3.1.0 by adding a mediation policy, it wasn't considering the custom policy that I've written; it was taking the default values, which are 100.
Anything more I should be adding, please suggest!
Once a new mediation sequence is implemented, it needs to be uploaded and selected as a mediation sequence in the "Message Mediation" section. Once selected, you need to republish the API to apply the changes.
You can confirm this by checking the generated sequence file in <AM_HOME>/repository/deployment/server/synapse-configs/default/sequences. The file name format is <provider>--<API-Name>_v<Version>--<Direction>.xml.

wso2, Configure the header to carry the Bearer token, not working

I am using the wso2am-2.6.0 version and I would like to pass an existing bearer token which is different from the WSO2 OAuth token that WSO2 provides.
I followed the instructions given in this link:
Configure the header per API
Configuring the header for the entire organization
None of them solved my problem.
After providing the existing bearer token and following the steps mentioned in the above link, the below is the response I am getting:
{
  "fault": {
    "code": 900901,
    "message": "Invalid Credentials",
    "description": "Access failure for API: /embargoQA/v1, version: v1 status: (900901) - Invalid Credentials. Make sure you have given the correct access token"
  }
}
Any help would be appreciated.
It seems the API was not updated with the new header for some reason. If it had been updated properly, you would see it like this under the CORS handler:
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
  <property name="apiImplementationType" value="ENDPOINT"/>
  <property name="AuthorizationHeader" value="Token"/>
</handler>
This issue is solved by making a couple of changes.
One is in api-manager.xml: un-comment the RemoveOAuthHeadersFromOutMessage tag and set it to "false" under OAuthConfigurations, as shown below:
<OAuthConfigurations>
  <!-- Remove OAuth headers from outgoing message. -->
  <RemoveOAuthHeadersFromOutMessage>false</RemoveOAuthHeadersFromOutMessage>
  ..........
</OAuthConfigurations>
The second is on the Manage tab while publishing the API: under the Resources section, for the respective endpoint you have to select the "None" option instead of "Application/Application User".
With this solution we need not add the Authorization header as "Token" on the Manage tab while publishing the API. After making these changes, when trying it out on the API Store you can provide your Bearer token in the field meant for it, provide the required inputs, and click Execute; it should work.

WSO2 id_token with missing claims

In my requirement, I need to get the "auth_time" and "acr" OpenID claims. In my id token I can only get these claims:
amr, iss, exp, iat, nonce, c_hash, aud and at_hash
How can I add these claims to the token response?
I use the openid-client Node.js library, adding scope="openid".
According to the OpenID Connect spec, auth_time and acr are optional claims, so by default WSO2 Identity Server does not send these claims in the id_token.
1. auth_time:
According to the spec,
auth_time: Time when the End-User authentication occurred. Its value is a JSON
number representing the number of seconds from 1970-01-01T0:0:0Z as
measured in UTC until the date/time. When a max_age request is made or
when auth_time is requested as an Essential Claim, then this Claim is
REQUIRED; otherwise, its inclusion is OPTIONAL.
Identity Server adheres to the spec, and you have options to get auth_time as a claim in the id_token.
Option 1:
To get auth_time, you can send a request with max_time as a parameter during the authorization flow. A sample request is given below:
https://localhost:9443/oauth2/authorize?response_type=code&scope=openid&max_age=12345&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=KmerETRbZx2ErGhCqRfv4xhxeSAa
Option 2:
Else, you can request auth_time as an essential claim in the request.
You have to pass claims as a request parameter and send auth_time as an essential claim:
{"id_token":{"auth_time":{"essential":true}}}
You have to URL-encode this and pass it as the value of the claims request parameter to the authorize endpoint. A sample request is given below:
https://localhost:9443/oauth2/authorize?response_type=code&scope=openid&claims=%7B%22id_token%22%3A%7B%22auth_time%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=KmerETRbZx2ErGhCqRfv4xhxeSAa
2. acr:
acr: OPTIONAL. Authentication Context Class Reference.
To get the acr value in the id_token, first you need to pass acr_values as a request parameter with all the acr values.
You can easily use ACR and AMR with WSO2 Identity Server by using adaptive authentication scripts. Through this, the identity provider can enforce additional assurance in the user authentication flow. You can select the acr from the authentication scripts. Then Identity Server will send the selected acr in the id_token response. You can follow this document to work with ACR in Identity Server and to configure getting the acr value in the id_token.
You may want to add those claims as Requested Claims in the Service Provider.
https://docs.wso2.com/display/IS580/Configuring+Claims+for+a+Service+Provider
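The two options above (max_age, or auth_time as an essential claim) and the acr_values parameter all change what the relying party asks for; the relying party then has to check that the id_token actually delivers it, since the spec makes both claims optional unless requested. The following is an added example, not code from the thread or from WSO2, written in Python: it builds the authorize URL with the claims parameter URL-encoded correctly (the manual encoding in the thread is easy to get wrong), and it checks a decoded id_token payload against what was requested. It assumes the payload handed to `check_id_token_claims` has already had its signature verified by the client library (openid-client in the asker's setup); the acr value `urn:demo:acr:mfa` used in the usage block is constructed.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Authorization endpoint from the thread (local WSO2 Identity Server).
AUTHZ_ENDPOINT = "https://localhost:9443/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, max_age=None,
                        essential_id_token_claims=(), acr_values=()):
    """Build the /oauth2/authorize request; urlencode handles the claims JSON."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if max_age is not None:
        params["max_age"] = str(max_age)  # Option 1: max_age makes auth_time REQUIRED
    if essential_id_token_claims:
        # Option 2: claims={"id_token":{"<claim>":{"essential":true}}}
        claims = {"id_token": {c: {"essential": True} for c in essential_id_token_claims}}
        params["claims"] = json.dumps(claims, separators=(",", ":"))
    if acr_values:
        params["acr_values"] = " ".join(acr_values)  # space-separated per OIDC Core
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def check_id_token_claims(payload, max_age=None, require_auth_time=False,
                          acr_values=(), now=None):
    """Return a list of problems; an empty list means the id_token delivered
    what the request asked for. Call this only on a payload whose signature
    the client library has already verified."""
    problems = []
    now = time.time() if now is None else now
    if max_age is not None or require_auth_time:
        auth_time = payload.get("auth_time")
        if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
            problems.append("auth_time missing although it was required")
        elif max_age is not None and now - auth_time > max_age:
            problems.append("authentication older than max_age")
    if acr_values:
        acr = payload.get("acr")
        if acr is None:
            problems.append("acr missing although acr_values was sent")
        elif acr not in acr_values:
            problems.append(f"acr {acr!r} is not one of the requested values")
    return problems


if __name__ == "__main__":
    url = build_authorize_url(
        client_id="KmerETRbZx2ErGhCqRfv4xhxeSAa",
        redirect_uri="http://localhost:8080/playground2/oauth2client",
        essential_id_token_claims=("auth_time",),
        acr_values=("urn:demo:acr:mfa",),  # constructed acr value
    )
    print(url)
    # Constructed payload as decoded from an id_token after signature verification.
    demo_payload = {"auth_time": int(time.time()) - 5, "acr": "urn:demo:acr:mfa"}
    print(check_id_token_claims(demo_payload, require_auth_time=True,
                                acr_values=("urn:demo:acr:mfa",)))
```

If the first check reports a missing auth_time even though max_age or the essential claim was sent, the server side is the place to look (the Requested Claims configuration mentioned above); if acr comes back missing, the adaptive authentication script is not selecting one.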

How to call/configure a secured API in WSo2 API manager

I need to configure a set of APIs which are secured and use client credentials and password along with a client key and secret key.
And how do I track the users that are trying to access the API?
I tried by adding proxy mediators.
By default, the API that you create in WSO2 API Manager will be secured.
You can secure the APIs with
OAuth, which comes built into the application, or
you can integrate WSO2 Identity Server to be used as the Identity Provider for WSO2 APIM.
The link below shows how to create and publish APIs in API Manager.
[https://docs.wso2.com/display/AM250/Create+and+Publish+an+API]
Once you are able to invoke the created API, you can check the usage of that API by checking the Analytics profile for it. You can have it integrated with the API Manager.
The link below is useful to set up the Analytics profile for APIM 2.5.0:
[https://docs.wso2.com/display/AM250/Configuring+APIM+Analytics/]
Once Analytics is set up for APIM, you can use the DB to fetch the usage of the APIs.
To solve your query, this is how you should proceed.
You can add a custom sequence in the inflow of the API ( you can do that from API Publisher only by editing it) [https://docs.wso2.com/display/AM260/Adding+Mediation+Extensions]
The sequence code will be like the one below:
<sequence xmlns="http://ws.apache.org/ns/synapse" name="custom-sequence_name">
  <property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
            xmlns:ns3="http://org.apache.synapse/xsd"
            name="accesstoken"
            value="put your token here"
            scope="transport"
            type="STRING"/>
</sequence>
The above one is for a static backend token. For a dynamic token you can create a sequence accordingly.
This should solve your query :)
For dynamic, go here: [How the external authentication is handled in WSO2 APIM for external/third-party APIs]
If your backend is OAuth secured, then you can use one of the following methods.
Method-1
The OAuth mediator, which can be used for generating OAuth 2.0 tokens and for calling backends that are secured with the OAuth 2.0 protocol. Refer to this.
Method-2
Writing a mediation sequence which generates an access token for the backend and makes a connection to the OAuth 2.0 secured backend. Refer to this blog.