WSO2 APIM by default supports OAuth2 for securing APIs. If I want to secure my APIs with other standard mechanisms such as BASIC or custom authorization mechanism(eg: based on xml body elements values of request), what is the approach I should follow?
In documentation it tells about writing a custom handler link . I guess this handler is invoked at transport level which will apply for all the API requests over that transport ??.
Does APIM supports adding other security(eg:Basic) mechanisms for each API when an API is added by publisher? and if so does that happen inside the ESB proxy service sequence or before it hits the proxy service?
The API Manager UI supports only OAuth based security, you can modify the synapse configuration of the API to support Basic auth to validate based on HTTP header. Customer authentication can be supported through handler. A reference to the handler has to be included in each API that you want to secure using the custom logic. This can be done by modifying the synapse config of the API.
You need write custom authentication handler and set as an handler configuration for that specific API
Related
I have a requirement that I need to validate 3rd party Authorization Server access token in wso2 API manager. If token active and valid then allow resource
imho as the simplest solution you could build a custom inbound mediation flow for that (if you are familiar with wso2 esb mediations). For this option you will loose some apim capabilities (throttling, authorization, analytics)
you should aware the default authorization handler would clean the Authorization header (as far I know) , so you may need to add a custom handler to preserve the original header value
I'm interested in using only the Publisher and the Store. We have already many API gateways in place and also a dedicated OAuth Authorization Server.
The Publisher and the Store should be used basically as an API Portal where APIs are published and potential new consumers can self-register...
I understand that all necessary information is distributed within the WSO 2 API Manager ecosystem out-of-the-box. But could this behaviour be adjusted in the following way:
When publishing an API it must be created on an external, third-party API Gateway. This gateway has it's own management API which must be triggered by the Publisher.
When a new consumer registers to an API the external, third-party OAuth authorization server must be called in order to create the necessary OAuth information there so that the new consumer is known on the Authorization Server. Again, the Authorization Server has it's own management API which must be triggered by the Store.
Is it possible to add custom fields in the Store which allows a consumer to enter additional information?
Any feedback is highly appreciated!
To answer your question on thrid party gateways, WSO2 API Manager does not support this at the moment.
But we do support incorporating a third party Key manager. You can plug a third-party OAuth provider to manage OAuth clients and access tokens. This is supported from API manager 1.9.0 onwards.
You may need to implement a key manager extention to incorporate your OAuth Authorization Server. WSO2 API manager includes a key manager extention to 'Surf OAuth Authorization Server' by default.
You can find more details on configuring a thrid party Key manager at [1] and [2]
To answer your question on adding custom fields, yes, you can include custom fields by customizing the store with a sub theme [1] [2]
[1] https://docs.wso2.com/display/AM1100/Configuring+a+Third-Party+Key+Manager
[2] https://docs.wso2.com/display/AM1100/Extending+Key+Validation
[3] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme
[4] https://docs.wso2.com/display/AM1100/Adding+a+new+API+Store+Theme#AddinganewAPIStoreTheme-Writingasubthemeofthemaintheme
We are currently evaluating the WSO2 API Manager (v1.6.0) to Front our internal APIs so they can be securely exposed to thirdparty developers and partners. Our internal APIs have implemented an HMAC-SHA1 based custom authorization scheme similar to AWS, where clients construct a HMAC-SHA1 hash string using the request url, the current timestamp and a secret key assigned to that client.
I would like to configure/customize the API Manager to employ this custom scheme when routing requests to our service endpoint. This way the API Manager operates as just another client to our internal API. What is the best way to achieve this? Currently the API Manager only supports Basic Auth (When I select "Secured" in the "Endpoint Security Scheme" drop-down when setting up my API). How do I update the API Manager so it:
Supports my custom scheme - constructs the Authorization Header using our custom scheme when calling our service endpoint
Maintains the secret key used for generating the about header within it's configuration/data store
Although this is a very very old question, I'm answering so it can be useful to someone, someday.
You can do this by either writing a custom handler or custom sequence. What you have to do is,
1) Send the token in a custom header.
2) Copy that token to Authorization header by a custom handler/sequence.
From what I've read and experienced, the API Manager 1.3.1 only generates proxies. However, I would like to proxy a back-end SOAP service with a SOAP service proxy and have the proxy implement a WS-Policy with a WS-SecurityPolicy.
Is there built-in support for this in API Manager 1.3.1?
Will there be support for this in the next version of API Manager?
If no, then what steps would I take to have the API Publisher and Store apps recognize SOAP proxies?
I hope that API Manager is not the ideal way to start to implement your use case. You should use Enterprise Serivce bus which provides the UI and necessary other tools to implement the scenario.
You can install the required features (Which is pre installed in ESB) to API manager and use those features. But you can just go ahead with WSO2 ESB as it is.
http://docs.wso2.org/wiki/display/ESB402/Secure+Proxy+Template
in wso2esb, itself contains throttling [1]/analytics[2] support.You can check the documentation on how to enable the throttling for proxies. If you like to use APIManager, define a proxy in another instance(like ESB) and provide that as endpoint when you create an API. But that proxy has to handle REST calls..
But from my understanding, you can simply use wso2esb.
[1]http://docs.wso2.org/wiki/pages/viewpage.action?pageId=15471353
[2]http://docs.wso2.org/wiki/display/ESB451/Statistics
I have an application that uses Basic Authentication to authenticate and authorize service calls. I am setting up our WSO2 API Manager on a separate server but are unsure how to pass the base64 encryption from the API Manager through to my application to authorize certain service calls.
This information is not readily available in the documentation so I am not sure it is even supported.
Has anyone used this or knows how to achieve this?
If you want to provide your own authentication mechanism you can do this very easily by implementing the org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator and set it in authentication handlers chain.
You can refer the org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator for reference.
You can provide the credentials when you create an API at publisher. You can check the WSO2 documentation about adding an API. At publisher for "Endpoint Type" you have to select Secured and then need to provide username/password.
Authentication occurs in API Manager via the APIAuthenticationHandler, which is among the handlers defined in your API sequence definition (/repository/deployment/server/synapse-configs/default/api). To disable authentication for that particular API (since API Manager handles basic authentication itself), just remove or comment out the handler. Users should then provide the basic authentication required by the back-end service rather than the API Manager token, since they will no longer need it.