I'm confused about how end user authentication works with WSO2 AM.
It looks like by default, WSO2 AM acts as the user authentication server for OAuth flows and hence validates user credentials against those entered via the API Store and stored in the Key Manager. But those users are not end users of the destination APIs, but rather developers who've signed up to build apps to use the APIs. That doesn't make sense to me, so maybe I've misunderstood the documentation?
What I need and would think most other API publishers would need is the ability to authenticate end users against an API publisher's user authentication API, and so have WSO2 AM delegate user authentication to such an external authentication API via a redirect (in case of authorization grant or implicit grant flows) or server-server call (in case of resource owner credentials grant).
How would one go about configuring such a setup, and what's the interface between the WSO2 AM and the external authentication API, for both the redirect and server-server interactions? Can you point me to any documentation or samples of such a setup?
thx,
Chris
My perspective on this is that end users consume apps directly, not APIs. App developers build apps that consume APIs. So this conforms to philosophy of WSO2 API Manager, where it is catering to the app developers.
An API publisher's user authentication API is just another API as far as the API Manager is concerned. You can expose this API through API Manager and have users(or apps in my opinion) invoke the API with specified parameters and get a response(In your case user credentials as parameters and a response based on the authentication of those credentials). What an underlying API does is of no concern to API Manager, it simply facilitates the management of the API invocation.
Often apps make authenticated user-specific requests to APIs to service users using the apps. The OAuth2 resource owner password credentials grant is one of a few OAuth grant options used by apps to obtain user-specific OAuth tokens, and it requires authenticating the user's credentials against the API publisher's user authentication API. For reference, here's apigee's documentation on how to do it.
wso2 APIM has four role models-> admin,creator,publisher and subscriber.
so those who have creator and publisher role can create and publish an api in publisher app(they are developers).
and those who have subscriber role can subscribe to api in store and generate the oath token(they are end users).So whenever a user singup from store will be assigned to subscriber role. so those who have only subscription role are endusers of that api.
so when an end user access the api using the token taken from store, he will be authenticated by APIM.
1.https://docs.wso2.com/display/AM160/User+Roles+in+the+API+Manager
Related
I have a spring boot based web application which already authenticates the user. I would like to create some AWS APIs using AWS api gateway and a springboot rest app deployed on EC2. The user will log into the existing application and call the new AWS APIs from the browser ajax calls (like an SPA I guess but I have a server and can use client credentials/secrets if needed). What is the best way to handle security for the APIs. My first thought was to generate a JWT using a shared server side secret for hash and verify it with an AWS lambda. But this seems a bit non standard. Oauth2 might be better but might also be over kill. Not sure the performance would be good. Few requirements
token passed to the API should be a user specific token and have an expiration (and hence a refresh token)
The user is already logged into my web app and calling the api should not issue a login challenge.
AWS API Gateway should be able to verify the token before passing it to the application
Any token passed to the API should probably be generated on the logged in web application. Server knows the user is authenticated and should generate the user access token on behalf of the user. The AWS api should be able to figure out what privileges the user has based on the user principle or scopes in the token
I've thought about using Cognito AWS but I dont want to require the users to preexist in a user pool. Cognito seems geared more for the authentication rather than authorization and I would not be using the cognito login functionality. I dont know if its possible to use the oauth2/token endpoint alone with cognito.
I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,
Choose store location,
Book pizza,
Track order, etc.
as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.
What would be the best way to implement this?
Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
Bring my users under secondary user store/ use custom user store of API manager?
Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?
Also,
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.
So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.
If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.
Please find the answers to the other questions below.
What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
What can I do with this application?
Is this same as the application we create before subscribing to an API in API manager store?
Can I add users to this application and grant access to them in common?
Can I subscribe to API's using this application so that all users under this application will have access to it?
Answer
The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.
The Service provider is generally used for generating application keys to get an access token to invoke the apis.
OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.
In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.
You can subscribe to an API only from the OAuth application created through the API Store.
Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them
Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API
Adding to what #Menaka has explained.
Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.
I wanted to do some POC for wso2 API manager where API Manager will expose login and registration url which will be called by UI layer but wanted to handle end user authorization and authentication
in API manager layer and don't want to handle this in database how can I do this i don't to use Identity server also.
I have gone through password grant_type tutorial and we can use this but how the authorization is going to performed?
Do we need to maintain user details in separate database or in identity server? if yes how this is going to happen.
I have gone through below questions but didn't get exact solution, please help me on this.
authorize user in wso2 api manager
wso2 api manager end-user
Thanks
how can I do this i don't to use Identity server also
By default you should be using the provided OAuth2 endpoints to authorize the users. However - the API Manager itselfs doesn't support self-registration and account verification.
I'd suggest to configure a WSO2 Identity Server as an APIM Key manager.
The WSO2IS has capability for self-registration and account verification.
The application or users will authenticate against the WSO2IS and the returned token will be valid for APIM (as the KeyManager shares the database with tokens).
I have created and published API with WSO2 API Manager. API client get access through OAuth2 and client credentials grant, sending consumer key and consumer secret to request access token. But now I need to implement authorization by means of authorization code grant. I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.
Can anybody tell if it is possible and how it can be implemented???
Documentation of WSO2 does not describe this flow and all examples I have found describe authorization process (OAuth2, authorization_code) only for user of WSO2 APIM.
now I need to implement authorization by means of authorization code grant.
I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.
If you want to use your own (application) authentication form, the simplest option is to leverage the password grant type where your application sends the token request along application and user credentials through a backend service
Using a code grant you suppose to use an authorization endpoint https://gateway:8243/authorize with parameters described in the documentation and indeed the default login form is used when the user is not yet authenticated
(I still have an urge to downvote the question for not searching the documentation)
If you still want to use the code grant type with your own authentication form, you may either customize the default logon form of the wso2 api gateway or customize an authenticator to use form of your application (this is quite advanced topic requiring configuring your own implementation and out of scope of the question/answer)
You have 2 options here without any customizations.
1) If your backend has a userstore, it can be configured as a secondary userstore for APIM. Then you can use any user in that userstore for authentication.
See https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores
2) If above option is not possible, and if your backend IDP supports any federation SSO protocols such as SAML2 or OIDC, you can configure federation using WSO2 IS.
See https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation
I am new to WSO2 API Manager. I have installed it to proxy my REST endpoints and to do access management via oAuth2.
Great! I managed to get access to my backend REST implementation through the oAuth2 process of API Manager (via API console). Now I want to setup the complete roundtrip starting from a user authentication process where identity is verified with corresponding roles. So...
Next I want to create a single page app and bring an authentication step by either redirect the user to a login page (authentication service) or let the user interact with single app page directly and let the single app page do the login to some authentication service.
Question:
Can I use the Key Manager component of the API Manager to handle user authentication (oAuth2 based) or do I need to install the WSO2 Identity Server to handle the authentication?
I see that WSO2 API Manager can host Users and Roles, a User Store and an endpoint to handle (authz) token requests, but can it also handle a login (authentication) request from my single app?
You can use APIM with OAuth2 Authorization code grant type. See this sample in identity server docs, but use below endpoints of APIM instead of IS endpoints.
https://localhost:8243/authorize
https://localhost:8243/token