WSO2 Identity Server Authorization Service - wso2

I am new to WSO2 Identity Server(4.6). I have a use case, where I have a rest service on ESB (WSO2 ESB 4.9). And I would like to give resource level access to various users.
I thought of using WSO2 identity server for authorizing the user and using the token for accessing the rest service. I was going through the playground example, but that is not something I would like to do, where the Authorize service opens the Identity Server Authorization Service. It seems to be sequential, and assumes that the user/resource owner are the same.
I would like to do all that programatically, and just give the aothorization code to the user, and let him call the token service to get the token. Is this possible?
Thank you

You can use the https://localhost:8243/token endpoint for your use case. You can refer to below links for more information
https://docs.wso2.com/display/IS500/OAuth+Token+Revocation+with+WSO2+Identity+Server
https://docs.wso2.com/display/AM190/Token+API

Related

How do I create a Custom Client Authenticator in WSO2 Identity Server

I am trying to set up a custom client authenticator in WSO2 Identity Server, I would like to retrieve an access token with client_credentials specifying a specific scope and have a jwt token returned with custom claims inserted. I've tried writing my own Client Authenticator but I'm having some trouble getting the OSGi bundle to pick up correctly during WSO2 startup and all other attempts at customizing the auth flow have failed.
Is there anyone who would be able to point me in the right direction as to where I might find useful information on how to achieve what I'm trying to achieve? TIA.
Using WSO2 Identity Server, you are able to extend the client authentication implementation. You can write your own client authentication mechanism following a specification or any other standard.
Please follow the below doc link to create the custom client Authenticator:
https://is.docs.wso2.com/en/latest/learn/writing-a-new-oauth-client-authenticator/

Using WSO2 API Manager with Identity Server and SEPARATE Identity Server Key Manager

We're in the process of configuring our suite of WSO2 products in a development environment and we're having a hard time wrapping our heads around IS Key Manager.
What we're going for is an Identity Server (already configured) with an OAuth Service Provider that an external web page can log into. This is already complete, we can get our token through IS just fine.
We now want to take the same token, and pass it to API Manager, and have API Manager understand the token, and the roles within, and approve or deny the API request.
Further in, we want to pass the token to Enterprise Integrator (which API Manager calls) and get info from the token (user info, claims) within a sequence.
IS is configured and working in it's isolated way (tokens generated from it aren't being accepted by APIM). APIM is configured in that it is pointing to an EI API.
EI is only configured in that it has an API with sequences that do stuff.
I've read through these:
https://docs.wso2.com/display/AM260/Key+Concepts#KeyConcepts-KeyManager
https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
They suggest a separate Key Manager that all can speak to. Makes sense. But the Key Manager when downloaded is an APIM instance? And looking deeper into the documentation it seems like this Key Manager is meant to REPLACE the traditional Identity Server, which doesn't support our use case (we need a separate Identity Server that can federate freely with others).
I assume I'm not understanding something about the Key Manager configuration properly.
In short:
IS needs to have an OAuth service provider to login to. Once the token is generated there, it will be sent to an APIM endpoint. APIM should understand the roles, and authorize it through. EI should then receive the token from APIM and then also understand the roles and authorize it through.
How can I accomplish this?
I would assume you got to the page where "API Manager" download page. Then you got the download pack named "wso2am-2.6.0.zip"?
There is a link on the same download page under "Other Resources" -> "Identity Server as a Key Manager Pack". You can get the "wso2is-km-5.7.0.zip".
This is almost same as "wso2is-5.7.0.zip", except very few config modification. You could use almost all the IS features in the same way.

WSO2 Identity Server obtain SAML token for rest call

I have the two applications that both support SAML2 SSO using WSO2 Identity Server. During application bootstrap (when still no user request is processed) i need one of the applications to get information from the other using REST call. However this REST call should provide a SAML token for security purposes. I need a way to remotely get SAML2 token and use it for REST calls. I have read a post about rest sts client without esb however i can't find a sample code on how to get a SAML token for my REST calls. What is the way to obtain such SAML token? Is there sample source code?
You can follow this blog [1] get passive STS sample. But if you are using WSO2 Identity server 5.0 user interface bit different than in this blog.
[1] http://dulanja.blogspot.com/2013/09/passive-sts-java-sample-with-wso2.html

Use specific system user for wso2 esb service invocation

I am going to have a web portal from which I will be calling services with "UsernameToken" security.
For authentication purposes I would like to create a system user in the wso2 Identity Server, so that I can use it to call the services from the ESB. So basically, I want to request a token for the system user from the WSO2 Identity Server and use it to authenticate infront WSO2 ESB so I can call the services.
I plan to use the AuthenticationAdmin and UserAdmin services for the authentication.
Is this scenario possible? If not what would be a good way to achieve similar scenario?
If I understood your requirement properly, I assume, you're trying to call a set of backend services via WSO2 ESB having "UsernameToken" as the authentication pattern. If that's so, then I don't see any requirement for you to use WSO2 IS for user creation, unless you're planning to do much deeper Identity Management.(You can still use it but I consider it as sort of an overhead given the fact that you just want to create the users there in WSO2 IS). For this, you can use the user management capabilities embedded in the WSO2 ESB (or in any other WSO2 product). What you would simply have to do is, create a user at the ESB level and use those credentials to call the backend services via the ESB.
Hope this helps.
Regards,
Prabath

OpenSSO SSOToken to SAML assertion and back

I'm considering securing a whole Java EE software platform with OpenAM (prev. Sun OpenSSO). Applications - running on WebLogic AS - would be secured by a JEE Policy Agent and web services with WS-Security SAML Token Profile.
As of my understanding, the SSOTokenManager enables application code to retrieve OpenAM's SSO token. But in order to invoke the SAML protected Web Services, I need to obtain a SAML Assertion from OpenAM. Can anybody tell me how to do so ?
Also, in the Web Service code, I may need to get back a SSO Token from a SAML assertion. Is that possible ?
You should be able to achieve both conversions using OpenSSO's Security Token Service. There is a tutorial for configuring it.
The SSOToken is an internal OpenAM representation of a users session, whilst a SAML token is an asserted identity with associated information. As such, these are not directly translatable in the way you describe.
In order to obtain a SAML token for use in your web service call, you should look at the STS functionality in OpenAM. The is a standardised service that will authenticate users and then make an assertion about the identity and authentication of the user, represented by a SAML token. This token is then returned to the calling entity (the web service client) who can include this token as per the relevant WS-* standards.
You may also want to look at the OpenAM wss provider or the Metro/WSIT library to assist implementation on the client side.