I'm interested in using only the Publisher and the Store. We have already many API gateways in place and also a dedicated OAuth Authorization Server.
The Publisher and the Store should be used basically as an API Portal where APIs are published and potential new consumers can self-register...
I understand that all necessary information is distributed within the WSO 2 API Manager ecosystem out-of-the-box. But could this behaviour be adjusted in the following way:
When publishing an API it must be created on an external, third-party API Gateway. This gateway has it's own management API which must be triggered by the Publisher.
When a new consumer registers to an API the external, third-party OAuth authorization server must be called in order to create the necessary OAuth information there so that the new consumer is known on the Authorization Server. Again, the Authorization Server has it's own management API which must be triggered by the Store.
Is it possible to add custom fields in the Store which allows a consumer to enter additional information?
Any feedback is highly appreciated!
To answer your question on thrid party gateways, WSO2 API Manager does not support this at the moment.
But we do support incorporating a third party Key manager. You can plug a third-party OAuth provider to manage OAuth clients and access tokens. This is supported from API manager 1.9.0 onwards.
You may need to implement a key manager extention to incorporate your OAuth Authorization Server. WSO2 API manager includes a key manager extention to 'Surf OAuth Authorization Server' by default.
You can find more details on configuring a thrid party Key manager at [1] and [2]
To answer your question on adding custom fields, yes, you can include custom fields by customizing the store with a sub theme [1] [2]
[1] https://docs.wso2.com/display/AM1100/Configuring+a+Third-Party+Key+Manager
[2] https://docs.wso2.com/display/AM1100/Extending+Key+Validation
[3] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme
[4] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme#AddinganewAPIStoreTheme-Writingasubthemeofthemaintheme
Related
I have a requirement that I need to validate 3rd party Authorization Server access token in wso2 API manager. If token active and valid then allow resource
imho as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with wso2 esb mediations). For this option you will loose some apim capabilities (throttling, authorization, analytics)
you should aware the default authorization handler would clean the Authorization header (as far I know) , so you may need to add a custom handler to preserve the original header value
We want to use WSO2 as IAM framwork for our Internal and external applications.
We have below 3 main requirements.
WSO2 should be able to Authenticate user using LDAP (Active
Directory for Internal Employees ) or other data source for external
users.
We want to configure API access level in WSO2 example : ROLE based Authorization (or Policy based ) where we can configure who can access which
web API with Http verb.
We should be able dynamically add/update/delete users , update Authorization policies/ roles through WSO2 API.
Please let me know if this is out of box supported in community edition or we have to buy any licenses for the same.
Note: I have installed the server and playing around as well.
Yes these requirements are possible with WSO2 IS (Product stack)
You can easily plug an existing LDAP user store to WSO2 IS. (https://docs.wso2.com/display/IS530/Configuring+a+Read-write+LDAP+User+Store)
I am not 100% clear about what you are asking here. But if you are talking about IS APIs (Which specified in point number 3) you can do them solely with IS by little customization or else you can use WSO2 ESB with entitlement mediator to add XACML policies.
There are SOAP admin services(Non standard but able to update authorization polices etc) and REST services. (Standard SCIM 2.0 for user operations)
https://docs.wso2.com/display/IS530/Calling+Admin+Services
https://docs.wso2.com/display/IS530/SCIM+1.1+APIs
WSO2 APIM by default supports OAuth2 for securing APIs. If I want to secure my APIs with other standard mechanisms such as BASIC or custom authorization mechanism(eg: based on xml body elements values of request), what is the approach I should follow?
In documentation it tells about writing a custom handler link . I guess this handler is invoked at transport level which will apply for all the API requests over that transport ??.
Does APIM supports adding other security(eg:Basic) mechanisms for each API when an API is added by publisher? and if so does that happen inside the ESB proxy service sequence or before it hits the proxy service?
The API Manager UI supports only OAuth based security, you can modify the synapse configuration of the API to support Basic auth to validate based on HTTP header. Customer authentication can be supported through handler. A reference to the handler has to be included in each API that you want to secure using the custom logic. This can be done by modifying the synapse config of the API.
You need write custom authentication handler and set as an handler configuration for that specific API
I have an application that uses Basic Authentication to authenticate and authorize service calls. I am setting up our WSO2 API Manager on a separate server but are unsure how to pass the base64 encryption from the API Manager through to my application to authorize certain service calls.
This information is not readily available in the documentation so I am not sure it is even supported.
Has anyone used this or knows how to achieve this?
If you want to provide your own authentication mechanism you can do this very easily by implementing the org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator and set it in authentication handlers chain.
You can refer the org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator for reference.
You can provide the credentials when you create an API at publisher. You can check the WSO2 documentation about adding an API. At publisher for "Endpoint Type" you have to select Secured and then need to provide username/password.
Authentication occurs in API Manager via the APIAuthenticationHandler, which is among the handlers defined in your API sequence definition (/repository/deployment/server/synapse-configs/default/api). To disable authentication for that particular API (since API Manager handles basic authentication itself), just remove or comment out the handler. Users should then provide the basic authentication required by the back-end service rather than the API Manager token, since they will no longer need it.
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji