I was using OAuth for a REST API service on WSO2-ESB using WSO2-IS, and now I wanted to register this service on API Manager. But it looks like the API Gateway already has OAuth incorporated.
Does it make sense to have WSO2-IS for OAuth in the above scenario, because having WSO2-API Manager and WSO2-IS makes it a two-layer OAuth, which is not required?
Thanks,
Wajid
Yes, the API Gateway already has OAuth incorporated. WSO2 API Manager provides secure authorization for APIs using the OAuth 2.0 standard for key management. Every API created through WSO2 APIM will engage an authentication handler which does this. So if you are using WSO2 API Manager you can skip the engagement of OAuth for your REST API. If you want to keep your own authentication mechanism, it can also be done by defining your APIs in API Provider with the None Auth type. In that case the API gateway will just pass any Authentication headers that came in the request to the backend service, without validating them. But here, since you are also using OAuth, you can go with WSO2 API Manager's default authentication mechanism.
http://docs.wso2.org/wiki/display/AM131/API+Manager+Components
Related
How to set up WSO2 API Gateway.
Is it possible to modify/customize behavior of WSO2 gateway
We have our own OAuth server and want to redirect each and every request to OAuth server for authorizing request.
Once the request is authorized, the gateway should redirect it to the backend service/API.
We want to add some filtering logic as well.
Yes, this is possible with third party key manager support in WSO2 API Manager [1].
The basic idea here is that when generating a token, the token request will go to your OAuth server via the key manager component of API Manager.
When an API request comes in, the gateway sends the token validation request to the key manager component of the API Manager. From there, you can call your OAuth server to validate the token.
To accomplish your requirement you have to write your logic in Java language. Sample can be found in [2].
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configure-a-third-party-key-manager/#configure-a-third-party-key-manager
https://github.com/wso2-extensions/apim-keymanager-okta/blob/OKTA-OAuth-Client-2.0.0/docs/config.md
I'm trying to create an API from my ERP in WSO2 API Manager. To access the API without using API Manager I need to use an NTLM credential. I want to publish this API in API Manager, but when I try to create and publish it, I cannot add those credentials and the API does not work. Where do I submit those credentials?
As you can see in this picture, I'm getting unauthorized.
API Manager Error
WSO2 API Manager v3.1.0 supports basic auth, digest auth, and mutual SSL for backend security. If you want NTLM, then you can use a class mediator. https://medium.com/#nipunadilhara/ntlm-authentication-for-wso2-esb-v6-2-0-9584c3e6713
I wanted to do a POC for WSO2 API Manager where API Manager will expose login and registration URLs which will be called by the UI layer, but I wanted to handle end-user authorization and authentication in the API Manager layer and don't want to handle this in a database. How can I do this? I don't want to use Identity Server either.
I have gone through the password grant_type tutorial and we can use this, but how is the authorization going to be performed?
Do we need to maintain user details in a separate database or in Identity Server? If yes, how is this going to happen?
I have gone through the questions below but didn't get an exact solution; please help me with this.
authorize user in wso2 api manager
wso2 api manager end-user
Thanks
how can I do this? I don't want to use Identity Server either
By default you should be using the provided OAuth2 endpoints to authorize the users. However, the API Manager itself doesn't support self-registration and account verification.
I'd suggest configuring a WSO2 Identity Server as an APIM Key Manager.
The WSO2IS has capability for self-registration and account verification.
The application or users will authenticate against the WSO2IS and the returned token will be valid for APIM (as the KeyManager shares the database with tokens).
Using my API Gateway WSO2, I want to call my backend services (my endpoints) that are secured with OAuth (Access-Token). But I cannot find how to do that.
It's even mentioned on the WSO2 website that by using API Publisher (of WSO2 AM) you can only configure your APIs to call services secured with username/password: https://docs.wso2.com/display/AM210/Working+with+Endpoints
You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Do you know if there is another way to do this without using the API Publisher?
My browser (SET API Gateway Access-Token) -- API Gateway WSO2 (SET my backend services Access-Token) --> My backend services
Thank you !
You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Out-of-box from the API Publisher you can directly authenticate with the backend using Basic authentication (username and password)
Do you know if there is another way to do this without using the API Publisher?
Well, the Publisher app is always involved.
I want to call my backend services (my endpoints) that are secured with OAuth (Access-Token)
There are multiple ways to authenticate with the backend; not all are straightforward:
1. Basic authentication (this is what you don't want)
2. JWT token - the API Manager is able to send a signed JWT token with the API calls to the backend, and the backend service could authenticate and extract client details from the JWT token.
3. Using the inbound mediation configuration you could manipulate the request payload and metadata
With point 3 you should be able to send a custom OAuth/Authorization header. The question is: with what identity provider is your service authenticating/authorizing?
The problem is that there's no unified configuration for how your service's client (API Manager calling the backend) would fetch/cache/refresh/revoke the token that would work with all possible identity providers.
In theory you could implement the OAuth authentication with an external IdP using the inbound mediations (sequences), but I strongly urge you not to put anything complex into API mediation, for the sake of maintainability (been there, done that, screwed it up badly).
Maybe the simplest option would be having a permanent token you could pass in the HTTP headers, it sounds simple enough.
There is a custom OAuth2 mediator which you can try. https://github.com/imesh/wso2-oauth-mediator
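As an added illustration of options 3 and 4 above (not part of the answer or of any WSO2 project), the following Synapse in-sequence can be attached to an API in the Publisher as a message mediation policy: it strips the consumer's gateway token and sets a pre-provisioned backend bearer token read from the governance registry. The registry path gov:/backend/token and the sequence name are assumptions.

```xml
<!-- Added example, not taken from the answer above. Attach as the API's in-sequence.
     gov:/backend/token is a placeholder registry resource holding the backend's long-lived token. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-bearer-token-in">
    <!-- The consumer's gateway token must never be forwarded to the backend -->
    <property name="Authorization" scope="transport" action="remove"/>
    <!-- Fetch the backend token from the governance registry -->
    <property name="BACKEND_TOKEN" expression="get-property('registry', 'gov:/backend/token')"/>
    <!-- Set the Authorization header the OAuth-protected backend expects -->
    <property name="Authorization" scope="transport"
              expression="fn:concat('Bearer ', get-property('BACKEND_TOKEN'))"/>
</sequence>
```

The registry resource should be restricted to the gateway's service account, since whoever can read it can impersonate the gateway towards the backend.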
Can someone please clarify when to use API Manager and when to use Identity Server. I see that API Manager comes with Key Manager. Isn't that sufficient. I am really confused. Any help would be helpful.
Many thanks....
I hope this explanation will help you out.
WSO2 Identity Server
WSO2 Identity Server is a fully fledged Identity Management solution which supports Authentication, Authorization, Single Sign-On and Identity Federation, to name a few capabilities. WSO2 Identity Server supports almost all major identity protocols such as SAML, OAuth2, OpenID Connect, etc. Take a look at this page to get an idea about the capabilities of WSO2 Identity Server.
WSO2 API Manager
WSO2 API Manager, on the other hand, focuses on managing your APIs. Managing the life cycle of your APIs, authorization, throttling, and applying policies on API consumers are some of the functionalities handled by API Manager. API Manager has several components, such as publisher, store, gateway, key manager, and traffic manager, that clearly separate different aspects of API management.
So the Key Manager component is responsible for managing OAuth applications and generating, validating and revoking OAuth2 tokens. API Manager has an inbuilt key manager component to handle these functionalities.
API Manager also offers the flexibility to use an external key manager instead of its inbuilt one should you require to do so. This external key manager needs to conform to an interface specified by API Manager. By default, API Manager has an implementation of this interface that allows WSO2 Identity Server to be used as an external key manager.
So whether or not you want to use Identity Server or any other external key manager is totally dependent on your use case and the API traffic.
You can use WSO2 Identity Server for all the authentication/authorization stuff:
XACML architecture solution.
SSO with other web apps or WSO2 tools.
Implement an OAuth2 authorization mechanism.
Federated authentication.
etc.
You can use WSO2 API Manager to expose unsecured RESTful APIs or web services as secure APIs using OAuth, with monitoring and billing functionalities.
The key manager functionality properly decouples the operations for creating OAuth applications and validating access tokens, so that you can even plug in a third-party authorization server for key validations.
In a DEV environment you can work with WSO2 API Manager without the WSO2 Identity Server at all.
In a production environment it's recommended to use a separate WSO2 API Manager as a Key Manager or use the WSO2 Identity Server as the Key Manager.