Some web applications need to call OAuth-secured APIs internally. Once a web application is published and accessed through the App Manager gateway, the user is authenticated using SAML SSO. With this feature, the same SAML token generated by the App Manager gateway can be used to obtain an OAuth2 access token by calling the token endpoint used by these APIs.

The diagram below depicts this scenario:


Prerequisites

Make sure that the following prerequisites are met before following the instructions on publishing the web application for obtaining an OAuth2 access token.

Configuring the identity provider of App Manager

App Manager uses WSO2 Identity Server as the default identity provider for SAML SSO authentication. You need to create a service provider in the IdP for each web application that is published through App Manager (that is, to get SAML SSO authentication for the web application).

If a web application is registered to obtain an OAuth2 token using the SAML response generated by SSO authentication, the service provider you create for that web application must have the following settings enabled:

  • Enable Response Signing
  • Enable Assertion Signing
  • Enable Audience Restriction

Info

You need to add the API provider's token endpoint as an Audience Restriction value.

See the image below for configuring WSO2 Identity Server.


Configuring the API provider of App Manager

WSO2 App Manager uses WSO2 API Manager as the API provider. To issue an OAuth token in exchange for the SAML token provided by App Manager's IdP (WSO2 Identity Server), API Manager must have WSO2 IS registered as a trusted identity provider. Configure WSO2 API Manager as follows.

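To confirm that a service provider's output actually reflects these three settings before wiring up the SAML2 grant, here is an added example (not part of this documentation or of the WSO2 products) that inspects a SAML Response structurally. The token endpoint URL and the sample response are constructed, and the check only looks for the presence of the signature elements and the audience value; cryptographic validation of the signatures is left to the token endpoint.

```python
# Added example: structural check of a SAML Response against the three mandatory
# IdP settings (signed Response, signed Assertion, AudienceRestriction naming the
# API provider's token endpoint). Presence only; it does not verify XML-DSig.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_saml_response(xml_text, token_endpoint):
    """Return a dict with one boolean per prerequisite for a single SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    audiences = [] if assertion is None else [
        (a.text or "").strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "audience_has_token_endpoint": token_endpoint in audiences,
    }

def missing_prerequisites(xml_text, token_endpoint):
    """List the mandatory settings the response shows are not in effect."""
    return [name for name, ok in check_saml_response(xml_text, token_endpoint).items() if not ok]

# Constructed sample (placeholder token endpoint): the Assertion is signed and
# audience-restricted, but the Response itself carries no Signature element.
TOKEN_ENDPOINT = "https://apim.example.com/token"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://apim.example.com/token</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(missing_prerequisites(SAMPLE_RESPONSE, TOKEN_ENDPOINT))  # ['response_signed']
```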


Publishing the web application for obtaining an OAuth2 access token

If a web application needs to call OAuth-secured APIs internally, provide the following OAuth parameters of those APIs when publishing the web application in App Manager, as depicted below.

  • API Token Endpoint - URL of the token endpoint used by the APIs.
  • API Consumer Key - the consumer key of the OAuth APIs.
  • API Consumer Secret - the consumer secret of the OAuth APIs.
  • API Name - alias name for the APIs.

See the image below.

Once the web application is created in App Manager, it wraps these details and generates a new consumer/secret key pair for the web application [WCk1, WCSk1]. The web application uses this key pair, generated by the App Manager publisher, whenever it needs to obtain an access token to call the registered APIs.

...

  • apiAlias must be the alias name given when registering the API details in the App Manager publisher.
  • applicationToken is the Base64-encoded value of the consumer/secret key pair provided by App Manager.
  • The payload must carry the grant_type and the scope. grant_type must be set to "SAML2". scope must contain the value of the 'samlTokenId' cookie and the apiAlias as comma-separated strings.
  • "http://localhost:8280/token" is the token API provided by App Manager; adjust the port according to the port offset.
