Publish API to the organisation to subscribe in WSO2 API1.7 - wso2

I have published an application as api in wso2 api manager. This is now required to be subscribed by the entire organization. Do I need to create users and roles for all the employees to access the wso2 store to subscribe the API?

Do I need to create users and roles for all the employees to access
the wso2 store to subscribe the API?
Yes, You can't invoke the APIs without subscription. Creating individual users is depends on you. You can share the access-token amoung your employees to access the API.
A user should have Login and Subscribe permission to subscribe and invoke the API.
Have a look on here to know how to create new roles with permissions

Related

How to change api provider in wso2 api manager?

I am using wso2 apim 4.0.0. Some dozen of apis are deployed and published on it by admin user. Consequently the provider of those apis is admin(in wso2 db). The question that I would like to ask is if it possible to change api provider to another user. If it is then how to do that?
I tried to change it directly in wso2am_db (wso2 api manager database), but haven't succeeded.
this is not possible. Provider is user who created api. You can log in like admin, delete your api. Log in(in publisher or restfull api) like a different user and then create/deploy your api.
The API Provider will always be the user who creates the API. Directly updating the tables may result in data inconsistency. If you want to show it as owned by a different user in Developer Portal, you can add that user as Business Owner of the API, under Business Info.

WSO2, not allowed subscribers to create application

I'm a newer in wso2 and having some confusions regarding subscribers who log into the developer portal for subscribe to APIs. In fact,i created a user with the role internal\subscriber and internal\selfsignup and after logging in with this user, I expected that he could only see the APIs created and subscribed to them with the applications created in the /publisher page, but it seems that this user has the possibility to create these own applications and I do not see how to withdraw these privileges. I want it to use also the apps created in /publisher.
Best regards
The question is a little confusing. Please find the basic ideas of API visibility and API subscription availability below.
You can create applications in the devportal or store portal
You can create APIs in the publisher portal
In general, when you create an API in the publisher portal and publish it without any role visibility restrictions, anyone can view those APIs. To view these publicly available APIs in devportal, you don't even have to log in to the devportal. This is can be viewed in anonymous mode.
In case if you have restricted the API visibility in devportal based on roles, then only the users with the allowed roles can view those APIs.
Similar to API visibility, you also can control the API subscription in the devportal. The subscription availability option will only be displayed if there are tenants in your environment.
Please refer to the official document for more details on this topic.

How do I make my end users (under wso2 identity server) subscribe to a api in wso2 api manager?

I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?
Also,
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.
If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.
The Service provider is generally used for generating application keys to get an access token to invoke the apis.
OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.
In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.

Automatically subscribe all users based on roles

So I may be barking up the wrong tree here, but I have got the api manager working against rest services and can provision users through LDAP.
I can restrict access to certain services by role.
All good so far, however as many users will authenticate through a SPA (AngularJS) and the application will call multiple Rest Services, what I don't want users to have to do, is go to the store and subscribe to all relevant APIs, I would like the users from the LDAP server to be subscribed to all relevant services and have the roles they have limit access to the service.
Is there a way to have authentication done by just being in the identity store and authorization to be managed by the restrict by role setting.
Does this need scripting, is it a setting, or is it impossible?
Thanks in advance
Your requirement isn't supported OOTB in API Manager, still you can do it with little effort.
API Manager provides REST API to subscribe APIs. You can write a client which call the REST API onbehalf of the user and subscribe him.
Have a look on REST API

API to specific Tenants does not work in wso2 AM

In publishing in managing step we set "Available to specific Tenants " with a tenant domain list , After publishing the API specified tenants can not see the API in the API store of the specified tenant.
and tenants which are not specified for the api can generate token with their own user credential and client id ,client secret of different tenant.
Thanks for any suggestion.
Although API subscription can be allowed to different tenant domains, API subscribers need to login to original API store with their creditial, discover the API and subscribe.
You can refere this document for making this API visible to those external tenant stores