There can be web Web applications internally calling the OAuth secured APIs. Once web Web applications are published and accessed through the AppManager gateway, user is authenticated using the SAML SSO. In this feature, we you can use the same SAML token generated by the App Manager gateway and get an OAuth2 access token by calling the token endpoints used by these APIs.
...
App Manager uses WSO2 Identity Server as the default service provider for SAML SSO authentication. You need to create a service provider in IDP for each web Web application that is published through the App Manager (i.e to get the SAML SSO authentication for web Web applications).
If a particular web Web application is registered to obtain a OAuth2 token using the SAML response generated from the SSO authentication, when creating the service provider for this web Web application, it needs to give the following mandatory details of the service provider.
- Enable Response Signingresponse signing
- Enable Assertion Signingassertion signing
- Enable Audience Restrictionaudience restriction
| Info |
|---|
You need to add API provider’s token endpoint as a Audience Restrict audience restricted parameter. |
Configure WSO2 Identity Server as follows.
...
WSO2 App Manager uses WSO2 API - Manager as the API Provider. In order to provide a an OAuth token using the SAML token provided by the IDP of App Manager (WSO2 IS), APIManager needs to include , IS as a trusted IDP provider. Configure WSO2 APIManager API Manager as follows.
| Anchor | ||||
|---|---|---|---|---|
|
...
Web application for obtaining an OAuth2 access token
If a particular web Web application needs accessing OAuth secured APIs internally, it needs to provide the following OAuth parameters of the APIs when publishing the web Web application in AppManagerthe App Manager, as depicted below.
- API Token Endpoint - URL of token endpoint used by the APIs.
- API Consumer Key - the consumer keys of the OAuth APIs.
- API Consumer Secret - the consumer secret keys of the OAuth APIs.
- API Name - alias name for the APIs.
Once the web Web application is created on App Manager, it will wrap these details and generate a new consumer/secret key pair for the web Web application [WCk1, WCSk1]. Actual web Web application can use this consumer/secret key pair generated by the App Manager publisher, when it need to get an access token to call the registered APIs.
...
xxxxxx insert image here xxxxxx
Invoking App Manager Token API from
...
the Web app
App Manager itself provides a token API. Web applications need to call this token API with the consumer/secret key pair [WCk1, WCSk1] provided by the App Manager, when they need to get an access token for a particular API.
...
Use the following parameters and values to invoke AppManager the App Manager Token API from the web Web application, to obtain an access token.
| Code Block | ||
|---|---|---|
| ||
String apiAlias = "pizzashack";
String applicationToken = base64Encode(WCk1 + ":" + WCSk1);
String payload = "grant_type=SAML2&scope=" + samlTokenId + "," + apiAlias;
httpClient.doPost("http://localhost:8280/token", applicationToken, payload, "application/x-www-form-urlencoded");
|
apiAlias- the alias name given when registering the API details in the App Manager publisher.applicationToken- the base64 encoded value of consumer/secret key pair provided by the App Manager.- String
payload- the payload needs to send the grant type and the scope value. Grant type need to be set as SAML2. Scope should contain the value ofsamlTokenIdcookie andapiAliasas comma -separated strings. -
httpClient.doPost- the token API provided by the App Manager. Change it with the define port offset accordingly.
...