Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.

...

If your setup has a cluster of multiple Key Manager nodes fronted by a load balancer that does not support Thrift, change the key management protocol from Thrift to WSClient using the <KeyValidatorClientType> element in the <APIM_HOME>/repository/conf/api-manager.xml file. Thrift is a binary protocol over TCP, so it needs TCP-level (layer 4) load balancing rather than HTTP load balancing; WSClient calls the key validation web service over HTTP(S), which any HTTP load balancer can front.

...

Cross-origin resource sharing (CORS) is a browser mechanism that lets a web page request restricted resources (e.g., fonts, JavaScript, API responses) from an origin other than the one the page was served from. The server opts in by returning Access-Control-* response headers; without them the browser blocks the cross-origin call.

The Swagger API Console that is integrated in the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Therefore, if the API Store and the Gateway run on different hosts or ports (that is, different origins), enable CORS between them.

...

Code Block
languagexml
<CORSConfiguration>
    <Enabled>true</Enabled>
    <Access-Control-Allow-Origin>https://localhost:9443,http://localhost:9763</Access-Control-Allow-Origin>
    <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>
    <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
</CORSConfiguration>

The elements are described below:

<Enabled>
    Values: true/false
    Description: Enables or disables sending CORS headers from the Gateway. CORS is enabled (true) by default; the Swagger console needs it to function properly.

<Access-Control-Allow-Origin>
    Values: The HTTP and HTTPS addresses of the API Store. Change the host and port to the correct values for your Store. For example, https://localhost:9443,http://localhost:9763
    Description: The value of the Access-Control-Allow-Origin header. The default values are the API Store addresses that Swagger needs. List the exact origins (scheme, host and port) of your Store rather than a wildcard (*), otherwise any site a user visits can make cross-origin calls to the Gateway.

<Access-Control-Allow-Headers>
    Values: The request headers a client needs to send when invoking the API. For example, authorization, Access-Control-Allow-Origin, Content-Type, SOAPAction
    Description: The value of the Access-Control-Allow-Headers header. The default values are sufficient for Swagger to function.

<Access-Control-Allow-Credentials>
    Values: true/false
    Description: Setting this to true tells the browser that the server allows cookies (or other user credentials) to be included in cross-origin requests. The default value is false. If you set it to true, make sure that Access-Control-Allow-Origin does not contain the wildcard (*); browsers reject credentialed responses that use it.
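The following is an added example, not code from WSO2 API Manager or from this page. It models the decision a CORS-aware gateway makes from a <CORSConfiguration> block like the one above: which Access-Control-* headers to return for a given request Origin, and a static check for the wildcard-with-credentials misconfiguration described in the table. The object keys mirror the XML element names; the boolean fields, the function names and the sample origins are this example's own assumptions.

```javascript
// Added example (not WSO2 API Manager code): a model of the decision a
// CORS-aware gateway makes from a <CORSConfiguration> block, plus a check
// for the wildcard-with-credentials misconfiguration. Object keys mirror
// the XML element names; the function names are this example's own.

// Constructed input mirroring the configuration sample above.
const corsConfig = {
  Enabled: true,
  "Access-Control-Allow-Origin": "https://localhost:9443,http://localhost:9763",
  "Access-Control-Allow-Methods": "GET,PUT,POST,DELETE,PATCH,OPTIONS",
  "Access-Control-Allow-Headers":
    "authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction",
  "Access-Control-Allow-Credentials": false,
};

// Split a comma-separated element value into trimmed, non-empty entries.
function splitList(value) {
  return String(value).split(",").map((s) => s.trim()).filter(Boolean);
}

// An origin is scheme + host + port. Parsing with URL normalises trailing
// slashes and default ports; anything that does not parse to an http(s)-style
// origin (the URL API reports "null" for opaque schemes) yields null.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// Headers a gateway should add to the response for a request carrying the
// given Origin. An empty object means "no CORS headers": either CORS is
// disabled or the origin is not on the list, so the browser blocks the call.
function corsResponseHeaders(config, requestOrigin) {
  if (!config.Enabled) return {};
  const allowed = splitList(config["Access-Control-Allow-Origin"]);
  const origin = normalizeOrigin(requestOrigin);
  let allowOrigin = null;
  if (allowed.includes("*")) {
    allowOrigin = "*";
  } else if (origin !== null && allowed.map(normalizeOrigin).includes(origin)) {
    allowOrigin = origin; // echo only the matching origin, never the whole list
  }
  if (allowOrigin === null) return {};
  const headers = {
    "Access-Control-Allow-Origin": allowOrigin,
    "Access-Control-Allow-Methods": splitList(config["Access-Control-Allow-Methods"]).join(","),
    "Access-Control-Allow-Headers": splitList(config["Access-Control-Allow-Headers"]).join(","),
  };
  if (config["Access-Control-Allow-Credentials"] === true) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Static check for the caveat in the table: credentials with a wildcard
// origin is rejected by browsers, and entries that are not valid origins
// will never match a request.
function configProblems(config) {
  const problems = [];
  const allowed = splitList(config["Access-Control-Allow-Origin"]);
  if (config["Access-Control-Allow-Credentials"] === true && allowed.includes("*")) {
    problems.push("Access-Control-Allow-Credentials is true but Access-Control-Allow-Origin contains *");
  }
  for (const entry of allowed) {
    if (entry !== "*" && normalizeOrigin(entry) === null) {
      problems.push(`not a valid origin: ${entry}`);
    }
  }
  return problems;
}

// Usage: a Store origin is echoed back; a foreign origin gets nothing.
console.log(corsResponseHeaders(corsConfig, "https://localhost:9443"));
console.log(corsResponseHeaders(corsConfig, "https://attacker.example"));
console.log(configProblems({ ...corsConfig, "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": true }));
```

The point of echoing only the matching origin (rather than the whole configured list, or a wildcard) is that the browser accepts exactly one value in Access-Control-Allow-Origin, and a wildcard combined with credentials is both rejected by browsers and, where a server fakes it by reflecting any Origin, lets an arbitrary site read authenticated Gateway responses.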

Change your code according to the sample given here.

...

Code Block
languagexml
<handlers>
   <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/>
</handlers>

...

OAuth scopes

Scopes enable fine-grained access control to API resources based on user roles. You define scopes for an API's resources and bind each scope to the roles that may obtain it. When a user invokes the API, the OAuth 2 bearer token cannot grant access to any API resource beyond the scopes associated with that token.

...

If you do not want role validation for a scope in an API's request, add the scope under the <ScopeWhitelist> element (inside the APIKeyValidation element) in the <APIM_HOME>/repository/conf/api-manager.xml file and restart the server. The scope is then whitelisted. For example,

...
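The following is an added example, not code from WSO2 API Manager or from this page. It models the two checks described in the OAuth scopes section above: role validation when a scope is granted to a token (skipped for whitelisted scopes), and the Gateway's check that the resource's scope is among the token's scopes at invocation. The scope-to-role bindings, the whitelist entries, the user roles and the function names are constructed assumptions of this example; treating whitelist entries as regular expressions is likewise an assumption of the model.

```javascript
// Added example (not WSO2 API Manager code): a model of scope handling.
// 1) At token issuance a scope is granted only if the user holds a role
//    bound to it (role validation), unless the scope is whitelisted.
// 2) At invocation the resource's scope must be among the token's scopes.
// All data below is constructed sample data.

// Scope definitions as they would be attached to an API's resources:
// scope name -> roles allowed to obtain it.
const scopeBindings = {
  "order:read": ["customer", "admin"],
  "order:write": ["admin"],
};

// Whitelist entries, modelled here as regular expressions (an assumption of
// this example): scopes matching one are granted without a role check.
const scopeWhitelist = [/^device_.*/, /^openid$/];

function isWhitelisted(scope) {
  return scopeWhitelist.some((re) => re.test(scope));
}

// Role validation at token issuance: reduce the requested scopes to those
// this user may actually receive. Unknown scopes are never granted.
function grantableScopes(requestedScopes, userRoles, bindings = scopeBindings) {
  const roles = new Set(userRoles);
  return requestedScopes.filter((scope) => {
    if (isWhitelisted(scope)) return true;
    const allowedRoles = bindings[scope];
    if (!allowedRoles) return false;
    return allowedRoles.some((role) => roles.has(role));
  });
}

// Gateway-side check at invocation: a scoped resource requires that exact
// scope in the token; an unscoped resource needs only a valid token.
function mayInvoke(tokenScopes, resourceScope) {
  if (!resourceScope) return true;
  return tokenScopes.includes(resourceScope);
}

// Usage: a "customer" asks for more than its roles allow.
const token = grantableScopes(
  ["order:read", "order:write", "device_123", "unknown"],
  ["customer"]
);
console.log(token); // order:read by role, device_123 by whitelist
console.log(mayInvoke(token, "order:read"), mayInvoke(token, "order:write"));
```

Note that the whitelist removes the role check only; a whitelisted scope still has to be present in the token for a resource that requires it, which is what the second function enforces.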