I'm working with WSO2 API Manager version 1.6 and I need to obtain, via a REST (or SOAP) service, the Access Token (of Key Production) of the current subscription of an application.
Is it possible to obtain that key by giving the user/password of the consumer (subscriber) user as input parameters?
There is a token generation and renewal method on the client side; however, you need the consumer key and consumer secret to generate this token.
http://docs.wso2.org/display/AM160/Token+APIs
Months ago I was working on that. I investigated trying APIKeyMgtSubscriberService?wsdl. Try to call the function getApplicationAccessToken via SoapUI. It returns the keys you need, but I don't know why in my case it returns some keys which are not equal to the keys shown on the web interface.
Hope it helps.
I have a web application where the regular user login is handled via SSO (this prevents me from creating a service user).
In this application I have some web service endpoints that are not in the scope of any user. They will be triggered by another application and do some stuff.
Is the following the right way to do it?
A token string is created by hand (for simplicity).
The token string is stored in the environment variables of the system that provides the web service endpoint as well as in the system that calls those endpoints.
On every call a simple equality check is performed; if the token is not present, the endpoint returns a 401.
Is my approach too simple?
I have not found much on this topic. My approach comes from the Moodle web service handling, where you generate a web service token in Moodle and place it as well in the application that calls the web service.
For a basic application with no high security requirements, this might be ok.
A few things you could do (all of which will increase complexity and/or cost):
The service could store a proper password hash (like bcrypt, PBKDF2 or Argon2) instead of the actual token. This would help because, if the service were compromised, the actual key would not be leaked, so the attacker still could not easily call the service. (But the service is already compromised at that point, and this is not like a user password that would be reused, so it depends on your choices and threat model.)
You could store this secret in a proper vault like AWS Secrets Manager, HashiCorp Vault or similar. This would enable you to control access to the key in one place and audit key usage (maybe alert on attempts and so on). Access to the vault would still have to be managed, but that's easy via roles on AWS, for example, where instances with the right role can access the secret but others cannot.
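The hashed-token check the answer above suggests, as an added example that is not part of the original posts and not Moodle or WSO2 code. PBKDF2 from the Python standard library stands in for bcrypt/Argon2 so the example runs without third-party packages; the iteration count, the `Bearer` header layout and the storage format `pbkdf2_sha256$iterations$salt$hash` are this example's own assumptions. The caller keeps the plaintext token in its environment; the service keeps only the hash and compares in constant time.

```python
"""
Added example: a hand-made shared service token, verified against a stored
PBKDF2 hash rather than against the plaintext. All values are constructed.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumption: tune to the hardware the service runs on


def new_token() -> str:
    """Generate the token once, by hand, and export it in both systems' environments."""
    return secrets.token_urlsafe(32)


def hash_token(token: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; this is what the service stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_token(presented: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed stored value: deny rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, int(iterations))
    # compare_digest avoids the early-exit timing leak of a plain '==' check
    return hmac.compare_digest(digest, expected)


def authorize(headers: dict, stored_hash: str) -> int:
    """Return the HTTP status the endpoint should answer with: 200 when the token matches, else 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verify_token(auth[len("Bearer "):], stored_hash) else 401


if __name__ == "__main__":
    token = new_token()          # caller side:  export SERVICE_TOKEN=<token>
    stored = hash_token(token)   # service side: export SERVICE_TOKEN_HASH=<stored>
    print(stored)
    print(authorize({"Authorization": f"Bearer {token}"}, stored))
    print(authorize({"Authorization": "Bearer wrong"}, stored))
```

Because the token is a long random string rather than a human-chosen password, the slow hash mainly buys time if the service's environment leaks; the constant-time comparison is the part that matters on every request.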
In API Manager, inside the Store, we can create a consumer key and consumer secret using the Generate Keys button for an application. I am just digging into the Java code where it's getting generated so that I can try to generate keys using a different identity server, not API Manager's default identity server.
I am trying the same in the wso2am-2.2.0-update7 version.
The main motive is using a third-party identity server for key and token generation.
Please refer to https://docs.wso2.com/display/AM220/Configuring+a+Third-Party+Key+Manager. This contains what you need to do to configure a third-party IDP as a Key Manager in APIM.
I am using the moodle web service.
I am getting a token from '/login/token.php', but after I have that, what do I do with it? I cannot find documentation on how to get the userid from that token, or do anything with it.
A token is a key used to authenticate the web service consumer who is going to use it.
It is associated with each function of the web service.
If you have a token, then use this token in the client.php script to check whether your web service is correct or not.
Whenever a user consumes this web service, he/she needs that token. Every web service function has a unique token.
To generate a token from the UI, go to Site administration -> Plugins -> Web services -> Manage tokens in your Moodle site, then add your function and generate the token for that particular function.
Take a look at the function authenticate_user() in moodle/webservice/lib.php; this contains the methods to authenticate the user based on name+password or by token.
This calls the function authenticate_by_token, which checks the external_tokens table to see if your token is present, then finds out the user for this token and returns the authenticated user object.
I landed on this function when going through moodle/webservice/rest/server.php. I am using Moodle stable release 2.8.2+ (Build: 20150123).
Don't know if this is way too old, but I stumbled upon it myself. Maybe this can help other people too.
After you get the token, you have to supply it in your API calls. So let's say you have added the function to get all courses, then you can get the courses with the following REST URL:
/moodle/webservice/rest/server.php?wstoken=d4ffd83ce0e2602a458b44e16634ab17&wsfunction=core_course_get_courses
Where wstoken is the token you got and wsfunction is the name of the service function.
I found a useful list of service functions in the moodle system:
moodle/admin/webservice/documentation.php
Here it's possible to see arguments and return values.
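Building and reading a call like the one in the answer above, as an added example that is not from the posts or from the Moodle project. It uses the `wstoken`/`wsfunction` query parameters shown in the URL above plus `moodlewsrestformat=json`, flattens nested parameters into Moodle's `name[index][field]` form, and treats a JSON body containing an `exception` key as a failure, which is how Moodle's REST server reports errors such as an invalid token. The base URL, the sample responses and the `core_webservice_get_site_info` answer (which carries the `userid` of the token's owner, answering the question about getting the user from a token) are constructed here.

```python
"""
Added example: Moodle REST web service call construction and response handling.
The base URL and all sample responses are constructed, not captured.
"""
import json
from urllib.parse import urlencode


class MoodleWsError(Exception):
    """Raised when the JSON body is Moodle's error object instead of the function result."""
    def __init__(self, errorcode: str, message: str):
        super().__init__(f"{errorcode}: {message}")
        self.errorcode = errorcode


def flatten_params(value, prefix: str = "") -> dict:
    """Turn {'options': {'ids': [2, 3]}} into {'options[ids][0]': 2, 'options[ids][1]': 3}."""
    flat = {}
    if isinstance(value, dict):
        for k, v in value.items():
            flat.update(flatten_params(v, f"{prefix}[{k}]" if prefix else str(k)))
    elif isinstance(value, (list, tuple)):
        for i, v in enumerate(value):
            flat.update(flatten_params(v, f"{prefix}[{i}]"))
    else:
        flat[prefix] = value
    return flat


def build_ws_url(base_url: str, token: str, function: str, params: dict = None) -> str:
    """Compose the server.php URL; the token travels as the wstoken query parameter."""
    query = {"wstoken": token, "wsfunction": function, "moodlewsrestformat": "json"}
    query.update(flatten_params(params or {}))
    return f"{base_url.rstrip('/')}/webservice/rest/server.php?{urlencode(query)}"


def parse_ws_response(body: str):
    """Check for Moodle's error object before trusting the body as the function result."""
    data = json.loads(body)
    if isinstance(data, dict) and "exception" in data:
        raise MoodleWsError(data.get("errorcode", "unknown"), data.get("message", ""))
    return data


def user_id_from_site_info(body: str) -> int:
    """core_webservice_get_site_info returns the user the token belongs to; pick out userid."""
    return int(parse_ws_response(body)["userid"])


# Constructed sample bodies shaped like the Moodle REST server's JSON output.
SAMPLE_COURSES = '[{"id": 2, "shortname": "sec101", "fullname": "Security 101"}]'
SAMPLE_ERROR = ('{"exception": "moodle_exception", "errorcode": "invalidtoken", '
                '"message": "Invalid token - token not found"}')
SAMPLE_SITE_INFO = '{"sitename": "Example", "username": "svc", "userid": 42, "functions": []}'

if __name__ == "__main__":
    print(build_ws_url("https://moodle.example.org", "d4ffd83ce0e2602a458b44e16634ab17",
                       "core_course_get_courses", {"options": {"ids": [2, 3]}}))
    print(parse_ws_response(SAMPLE_COURSES)[0]["fullname"])
    print(user_id_from_site_info(SAMPLE_SITE_INFO))
    try:
        parse_ws_response(SAMPLE_ERROR)
    except MoodleWsError as err:
        print("rejected:", err)
```

Send the URL with an HTTPS client of your choice; the token is a bearer credential, so it must never travel over plain HTTP or end up in shared access logs.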
Does anyone know how to add HMAC based authentication for WSO2 API Manager?
Background - We're rolling out WSO2 API Manager 1.3 in front of our publicly available web services and we need JavaScript applications (once authenticated) to be able to consume the services directly (not via a service proxy on their server to handle the OAuth authentication).
Does anyone know the easiest way to get this implemented in WSO2? We've started implementing an AbstractHandler and Authenticator but this seems overkill - someone must have done this or have some pointers on this?
Thank you very much in advance.
You can write your own handler which implements AbstractHandler.
Signature verification can be implemented as an API handler similar to the APIAuthenticationHandler. The access token that was provided earlier can be used as the MAC identifier. The consumer secret can be used as the MAC key, which is a shared secret between the consumer and the provider used to sign the normalized request string.
I do not know if this will help you, but we needed our password hashes to be in PBKDF2, so I extended JDBCUserStoreManager, overriding only the preparePassword method. Inside it I changed from MessageDigest to SecretKeyFactory for the PBKDF2WithHmacSHA1 algorithm. You could use Mac, I guess?
This is possible by implementing a custom mediator and engaging it in the in-flow sequence. The API exposed by API Manager would be OAuth protected, but the actual backend would be HMAC protected. You can find more information on this in the article [1].
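The scheme the answer above sketches, worked through on both sides, as an added example that is not WSO2 code and not part of the original posts: the access token acts as the MAC identifier, the consumer secret as the MAC key, and client and handler compute an HMAC over the same normalized request string. The header layout, the normalized-string layout, the timestamp window and the nonce store are this example's own assumptions; the credentials and requests are constructed. A real handler would also need to look the consumer secret up from the key manager rather than from a dictionary.

```python
"""
Added example: shared-secret MAC request signing (client) and verification (handler).
Credentials, hosts and paths are constructed.
"""
import hashlib
import hmac
import re
import secrets
import time

# Constructed credential store: access token (MAC id) -> consumer secret (MAC key).
CREDENTIALS = {"a1b2c3d4e5f6": b"consumer-secret-example"}


def normalized_request(method: str, host: str, path: str, ts: int, nonce: str, body: bytes) -> str:
    """Both sides must build exactly this string; any difference invalidates the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), host.lower(), path, str(ts), nonce, body_hash])


def sign_request(mac_id: str, mac_key: bytes, method: str, host: str, path: str,
                 body: bytes, ts: int = None, nonce: str = None) -> dict:
    """Client side: produce the Authorization header for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = normalized_request(method, host, path, ts, nonce, body).encode()
    mac = hmac.new(mac_key, msg, hashlib.sha256).hexdigest()
    return {"Authorization": f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}


def parse_mac_header(value: str):
    """Return the id/ts/nonce/mac fields of a 'MAC ...' header, or None if malformed."""
    if not value.startswith("MAC "):
        return None
    fields = dict(re.findall(r'(\w+)="([^"]*)"', value[4:]))
    return fields if {"id", "ts", "nonce", "mac"}.issubset(fields) else None


class MacVerifier:
    """Server side: what a handler would do before letting the request through."""

    def __init__(self, credentials: dict, window_seconds: int = 300):
        self._credentials = credentials
        self._window = window_seconds
        self._seen_nonces = set()  # assumption: per-process; a cluster needs a shared store

    def verify(self, headers: dict, method: str, host: str, path: str, body: bytes, now: int = None):
        now = int(time.time()) if now is None else now
        fields = parse_mac_header(headers.get("Authorization", ""))
        if fields is None:
            return False, "malformed header"
        key = self._credentials.get(fields["id"])
        if key is None:
            return False, "unknown id"
        try:
            ts = int(fields["ts"])
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self._window:
            return False, "stale timestamp"
        nonce_key = (fields["id"], fields["nonce"])
        if nonce_key in self._seen_nonces:
            return False, "replay"
        msg = normalized_request(method, host, path, ts, fields["nonce"], body).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, fields["mac"]):
            return False, "bad signature"
        self._seen_nonces.add(nonce_key)  # record only after a successful check
        return True, "ok"


if __name__ == "__main__":
    body = b'{"order": 1}'
    hdrs = sign_request("a1b2c3d4e5f6", CREDENTIALS["a1b2c3d4e5f6"], "POST", "api.example.com", "/orders/1.0/", body)
    verifier = MacVerifier(CREDENTIALS)
    print(verifier.verify(hdrs, "POST", "api.example.com", "/orders/1.0/", body))
    print(verifier.verify(hdrs, "POST", "api.example.com", "/orders/1.0/", body))  # replayed
```

Because the consumer secret is the MAC key, it must stay on the caller's server; handing it to browser JavaScript, as the question contemplates, would let anyone who loads the page sign requests as that application.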
[1] https://wso2.com/library/article/2017/10/integrating-wso2-api-manager-with-a-hmac-secured-backend/
Can someone please enlighten me on what a session secret is and how to find it?
A session secret key is used for signing requests to Facebook API functions. It is used in situations where it can be disclosed, for example in browser-executed JavaScript code which makes API calls and needs to sign them.
Facebook has not yet provided a way to get a session secret key in the new Graph API, so you need to enable 'deprecated API methods' under your app settings; then you can use the old REST API call auth.promoteSession to get your session secret key server-side and embed that key in the code to be used client-side.