I notice the user sign-up API in the list of Store APIs has been deprecated and no alternative is provided.
How do we facilitate end-user sign-up to handle OAuth 2.0 access token generation when the user itself is not created in the embedded identity store of APIM v2.0?
Yes, you're correct. But you have to use it since that's the only option available.
Note that this API is available in APIM 2.1.0 too.
Related
As part of WSO2 Identity Server 6.0.0, SOAP APIs are deprecated and it is recommended to use REST-based APIs. We are using the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs in our project and want to replace the SOAP APIs with the recommended REST APIs. Can you help us find the list of REST APIs to replace the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs? The API documentation is not clear.
We are unable to find the replacement for the claim management APIs which are specific to a user. The APIs which are provided for claim management are not user specific; we want to retrieve/create/delete the claims by passing the username or user ID in the request payload.
Can you please provide details on whether such APIs are available for claim management?
The REST API that you have mentioned matches the ClaimMetadataManagementService.wsdl: https://is.docs.wso2.com/en/5.11.0/develop/managing-claims-with-apis/
The only available REST API to manage user claims (retrieving, updating, deleting) is the SCIM 2.0 Users API: https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/getUser
The thing you have to keep in mind is that SCIM is a protocol that is used for user management. Even though you directly used the local claim URIs in SOAP services to manage user claims, in SCIM API calls you have to use the respective SCIM claim that is mapped to the local claim.
Check the SCIM claim dialects by navigating to management console -> Main -> Identity -> Claims -> List.
There you can find the SCIM claim to local claim mapping.
e.g.:
Get a specific user's name and username claims. Required attributes should be added to the attributes param based on the SCIM protocol:
GET https://localhost:9443/scim2/Users/<user-id>?attributes=username,name
Add user claims:
Refer https://is.docs.wso2.com/en/latest/apis/scim2-patch-operations/#add-user-attributes
and https://medium.com/p/1c43bb218658
Delete user claims:
Refer https://is.docs.wso2.com/en/latest/apis/scim2-patch-operations/#remove-user-attributes
and https://medium.com/p/1c43bb218658
A similar issue was raised here. Check the first answer.
The doc that you have referred is to manage the claims in general. Refer to the introduction paragraph.
The API overview page contains all the information about all the APIs you need. The following image shows the APIs needed to manage users, roles and groups (more than what you have asked in the question).
NOTE: Better not to use SCIM 1.1.
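The answer above links to the SCIM 2.0 PATCH documentation rather than showing the requests. As an added example (not from the original thread and not WSO2's own code), the Python below builds the GET URL with the `attributes` parameter and the `PatchOp` bodies for adding and removing user attributes, translating WSO2 local claim URIs to their SCIM 2.0 attribute paths on the way. The claim mapping table is a constructed subset (the authoritative mapping is the one listed in the management console), and the host, port and credentials are assumptions.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

# Assumed deployment values; adjust to the real IS host and an account
# allowed to manage users.
SCIM2_BASE = "https://localhost:9443/scim2"
PATCH_OP_SCHEMA = "urn:ietf:params:scim:schemas:api:messages:2.0:PatchOp"

# Constructed subset of the local-claim -> SCIM 2.0 attribute mapping.
# The full table lives in the console under Main -> Identity -> Claims -> List.
LOCAL_TO_SCIM = {
    "http://wso2.org/claims/username": "userName",
    "http://wso2.org/claims/givenname": "name.givenName",
    "http://wso2.org/claims/lastname": "name.familyName",
    "http://wso2.org/claims/emailaddress": "emails",
}


def to_scim_attribute(local_claim_uri):
    """Translate a local claim URI to its SCIM 2.0 attribute path.

    Raises ValueError for claims that have no SCIM mapping, because the
    SCIM endpoint will silently ignore or reject unknown paths.
    """
    try:
        return LOCAL_TO_SCIM[local_claim_uri]
    except KeyError:
        raise ValueError(f"no SCIM 2.0 mapping for local claim {local_claim_uri}") from None


def get_user_url(user_id, local_claims):
    """Build GET /scim2/Users/<id>?attributes=... for the given local claims."""
    # Preserve caller order but drop duplicates.
    attrs = list(dict.fromkeys(to_scim_attribute(c) for c in local_claims))
    return f"{SCIM2_BASE}/Users/{quote(user_id, safe='')}?attributes={','.join(attrs)}"


def build_patch(operations):
    """Wrap operations in the SCIM 2.0 PatchOp envelope the server expects."""
    return {"schemas": [PATCH_OP_SCHEMA], "Operations": operations}


def add_claims_patch(claims):
    """claims: {local_claim_uri: value}. Returns an 'add' PatchOp body."""
    ops = [{"op": "add", "path": to_scim_attribute(uri), "value": value}
           for uri, value in claims.items()]
    return build_patch(ops)


def remove_claims_patch(local_claims):
    """Returns a 'remove' PatchOp body for the given local claims."""
    ops = [{"op": "remove", "path": to_scim_attribute(uri)} for uri in local_claims]
    return build_patch(ops)


def send(method, url, body=None, username="admin", password="admin"):
    """Send the request with HTTP basic auth; not exercised offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Accept", "application/scim+json")
    with urllib.request.urlopen(req) as resp:  # assumes a trusted TLS certificate
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    user = "example-user-id"  # placeholder SCIM id
    print(get_user_url(user, ["http://wso2.org/claims/username",
                              "http://wso2.org/claims/givenname"]))
    print(json.dumps(add_claims_patch({"http://wso2.org/claims/givenname": "Paolo"}), indent=2))
    print(json.dumps(remove_claims_patch(["http://wso2.org/claims/emailaddress"]), indent=2))
```

The PATCH bodies are sent with `send("PATCH", f"{SCIM2_BASE}/Users/{user_id}", body)`; mapping the claim first is the point, since the local `http://wso2.org/claims/...` URIs used with the SOAP services are not valid SCIM paths.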
I searched for the WSO2 IS 5.9 APIs, and I did not find any form of session information for a user.
What would be the way to extract a user's session information, to know if a user is active or inactive or has a valid session?
WSO2 IS 5.9.0 release includes the REST API to retrieve this API as an end-user only. You can find the API documentation from here.
However, the IS 5.10.0 release contains the REST API to retrieve session information as an administrative user as well. API documentation can be found here.
I have a requirement that I need to validate a 3rd-party Authorization Server access token in WSO2 API Manager. If the token is active and valid, then allow the resource.
IMHO the simplest solution is to build a custom inbound mediation flow for that (if you are familiar with WSO2 ESB mediations). With this option you will lose some APIM capabilities (throttling, authorization, analytics).
You should be aware that the default authorization handler would clean the Authorization header (as far as I know), so you may need to add a custom handler to preserve the original header value.
We are using WSO2 API Manager 1.10 and WSO2 Identity Server 5.1.0 for managing back-end REST APIs which will be consumed by Android and iOS applications. For an end user (mobile app user) to access the exposed APIs, the process followed is:
1. User registers to the WSO2 IS server using the WSO2 SCIM create user API.
2. User requests an access token which will be used for accessing the APIs.
We are planning to add Google and Facebook sign-in to our mobile app, which will help the end user avoid user creation in WSO2 IS. Does WSO2 API Manager support this sort of implementation? If so, what are the configuration changes we need to make to our current setup?
You can achieve this using identity federation. IS will act as key manager, and it can federate the authentication to Facebook/Google as well.
You can find how Facebook can be configured to get an access token in this blog [1]. Similarly you can add Google for federation [2].
[1] http://nuwanzone.blogspot.com/2015/10/getting-access-tokens-for-wso2-api.html
[2] https://docs.wso2.com/display/IS510/Configuring+Google
I'm trying to achieve SSO among different applications. The applications are:
API Manager 1.7.0 Store
API Manager 1.7.0 Publisher
Liferay 6.2
I managed to configure Liferay to log in through Identity Server OpenID, and to configure API Manager to log in through an Identity Server generated SAML token as detailed in the API Manager documentation.
The SSO is working well between the API Store and API Publisher.
The problem is that I can't achieve SSO between Liferay and API Manager. If I log in to Liferay with OpenID and I open the Store or Publisher URL, the user is asked for username and password again.
How can I configure the IS to implement the desired scenario?
Thanks, Paolo
Are you using IS version 5.0.0? Normally it would create the same session for all logins in IS 5.0.0. It means, if you log in with OpenID, SAML2 or OAuth2, it does not matter; IS creates a common session for the given user. Normally it should not ask for the password again. If it is asked, it can be a bug. Can you just check whether there is a cookie called commonauthid in the browser? If you are using some older version of IS, you can enable this property <AcceptOpenIDLogin>false</AcceptOpenIDLogin> in the identity.xml file.