I've created a simple API and I'm trying to publish it using WSO2's API Publisher (aka API Cloud). I've gone through all the steps, but it seems to require an Authorization header to access my endpoint. In older documentation, it says that I can change the "Auth Type" at the resource level.
https://docs.wso2.com/display/AM160/API+Resources
However, this option doesn't seem to be there in the current version. I tried to make it so the Authorization header was not required. Unfortunately, I still get the following error:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900902</ams:code>
<ams:message>Missing Credentials</ams:message>
<ams:description>Required OAuth credentials not provided</ams:description>
</ams:fault>
Is it possible to disable authentication for my API? I don't need it at this point in my project.
The document you have referred is from APIM 1.6. From APIM 1.7, the APIM team changed the API creation process to a 3-step process. It involves API Design, Implement and Manage. I think you have experienced this by now. In the Manage section, at the very bottom, it lists down the available resources of the API, their auth type, allowed tier and the scope allowed.
Default auth type is application & application user. If you click on that, you will get a drop down where you will see "None" as an option. If you set the auth type as none, you will be able to invoke the API without providing the OAuth token.
See the following screenshot where I have selected different Auth types when creating an API.
Open the configuration related to your API in ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and remove the following part.
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
Related
Intro:
It is possible to add several types of OAuth credentials to an app (brand) for given project in the google cloud console (gcc) web UI:
Dashboard | APIs & Services | Credentials | OAuth 2.0 Client IDs
+CREATE CREDENTIALS button, OAuth client ID)
followed by a selection of Application type (like web/desktop/iOS/etc...)
It is also possible to create the brand programmatically via the Identity Aware Proxy (IAP) API, method projects.brands.create.
Via that API, it is also possible to create so called IAP Client, which partly corresponds to the mentioned OAuth credential, method projects.brands.identityAwareProxyClients.create. Unfortunately, this results in a credential:
of web application type only,
non-editable (explicitly mentioned in docs, which still might be acceptable),
with no (or unknown) parameters, like e.g. redirect URIs.
First impression of such credential is: it's just useless.
Question:
Is there any API/Method (don't insist on IAP) that would allow replication of the actions available in the gcc web UI? Which means to create OAuth credential of any of the types available and having all the parameters configurable.
I have an API that I have setup in WSO2's API Manager Publisher tool. All the calls work fine when called correctly with an Access Token.
But I have one url that I want anyone to be able to call. (It is a customized Swagger UI page (different from the one built into the WSO2 tooling).)
To do this I add the Swagger UI url as a resource. But when I go there it says:
Required OAuth credentials not provided. Make sure your API invocation call has a header: 'Authorization : Bearer ACCESS_TOKEN'
Generally, I really like this default. (I want all my other API resources to require an Access Token.) But for this one I don't have an access token and don't expect to.)
Is it possible to publish one resource and not need any authentication?
Also it can be done in 2.x versions of API Manager through disabling for each endpoint the security in publisher tool. In manage tab, resources section, for each resource/endpoint set the value x-auth-type to "None". Default value is "Application & Application User". This disable security and then authentication required for accesing to the selected API resources.
This can be done as mentioned in https://stackoverflow.com/a/61133046/3176125
Basically you can turn off for one of the resources while you allow security for the rest of the resources.
We're in the process of configuring our suite of WSO2 products in a development environment and we're having a hard time wrapping our heads around IS Key Manager.
What we're going for is an Identity Server (already configured) with an OAuth Service Provider that an external web page can log into. This is already complete, we can get our token through IS just fine.
We now want to take the same token, and pass it to API Manager, and have API Manager understand the token, and the roles within, and approve or deny the API request.
Further in, we want to pass the token to Enterprise Integrator (which API Manager calls) and get info from the token (user info, claims) within a sequence.
IS is configured and working in it's isolated way (tokens generated from it aren't being accepted by APIM). APIM is configured in that it is pointing to an EI API.
EI is only configured in that it has an API with sequences that do stuff.
I've read through these:
https://docs.wso2.com/display/AM260/Key+Concepts#KeyConcepts-KeyManager
https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
They suggest a separate Key Manager that all can speak to. Makes sense. But the Key Manager when downloaded is an APIM instance? And looking deeper into the documentation it seems like this Key Manager is meant to REPLACE the traditional Identity Server, which doesn't support our use case (we need a separate Identity Server that can federate freely with others).
I assume I'm not understanding something about the Key Manager configuration properly.
In short:
IS needs to have an OAuth service provider to login to. Once the token is generated there, it will be sent to an APIM endpoint. APIM should understand the roles, and authorize it through. EI should then receive the token from APIM and then also understand the roles and authorize it through.
How can I accomplish this?
I would assume you got to the page where "API Manager" download page. Then you got the download pack named "wso2am-2.6.0.zip"?
There is a link on the same download page under "Other Resources" -> "Identity Server as a Key Manager Pack". You can get the "wso2is-km-5.7.0.zip".
This is almost same as "wso2is-5.7.0.zip", except very few config modification. You could use almost all the IS features in the same way.
I have an application that uses Basic Authentication to authenticate and authorize service calls. I am setting up our WSO2 API Manager on a separate server but are unsure how to pass the base64 encryption from the API Manager through to my application to authorize certain service calls.
This information is not readily available in the documentation so I am not sure it is even supported.
Has anyone used this or knows how to achieve this?
If you want to provide your own authentication mechanism you can do this very easily by implementing the org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator and set it in authentication handlers chain.
You can refer the org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator for reference.
You can provide the credentials when you create an API at publisher. You can check the WSO2 documentation about adding an API. At publisher for "Endpoint Type" you have to select Secured and then need to provide username/password.
Authentication occurs in API Manager via the APIAuthenticationHandler, which is among the handlers defined in your API sequence definition (/repository/deployment/server/synapse-configs/default/api). To disable authentication for that particular API (since API Manager handles basic authentication itself), just remove or comment out the handler. Users should then provide the basic authentication required by the back-end service rather than the API Manager token, since they will no longer need it.
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji