Once Web applications are published and accessed through the WSO2 App Manager gateway, the user is authenticated using SAML SSO. However, there can be Web applications which internally call OAuth-secured APIs. With this feature, you can use the same SAML token generated by the WSO2 App Manager gateway and get an OAuth2 access token by calling the token endpoints used by these APIs. The diagram below depicts this scenario:

Image: Obtaining an OAuth2 token by providing a SAML token (flow diagram)

Publishing the Web application for obtaining an OAuth2 access token 

If a particular Web application needs to access OAuth-secured APIs internally, then it needs to provide the following OAuth parameters of these APIs in Step 4 - Advanced Configuration when creating the Web application.

  • API Token Endpoint - URL of the token endpoint used by the APIs.
  • API Consumer Key - the consumer keys of the OAuth APIs.
  • API Consumer Secret - the consumer secret keys of the OAuth APIs.
  • API Name - alias name for the APIs.


Once the Web application is created in App Manager, it wraps these details and generates a new consumer/secret key pair for the Web application [WCk1, WCSk1]. The actual Web application can use this consumer/secret key pair generated by the App Publisher when it needs to get an access token to call the registered APIs.

Follow the steps below to view the consumer/secret key pair generated by WSO2 App Manager:

  1. Log in to the App Publisher of WSO2 App Manager using the following URL with admin/admin credentials: http://<IP_ADDRESS>:9763/publisher
  2. Click on the Pizza Shack application in the Web applications list.
  3. In the Overview section of the Web application, click the OAUTH Parameters tab.
    You can see the consumer/secret keys generated for it in WSO2 App Manager as follows.
    Image Added

Invoking the WSO2 App Manager token API from the Web application

WSO2 App Manager itself provides a token API. Web applications need to call this token API with the consumer/secret key pair [WCk1, WCSk1] provided by the App Manager when they need to get an access token for a particular API.

Info

This token API is deployed in the <PRODUCT_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file. If App Manager is running with a port offset, then the port defined inside the _TokenAPI_.xml file needs to be changed accordingly.

Use the following parameters and values to invoke the App Manager Token API from the Web application to obtain an access token.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Alias given to the API when its OAuth parameters were registered in the App Publisher
String apiAlias = "pizzashack";

// Consumer/secret key pair generated by App Manager for this Web application,
// base64 encoded as "consumerKey:consumerSecret"
String applicationToken = Base64.getEncoder()
        .encodeToString((WCk1 + ":" + WCSk1).getBytes(StandardCharsets.UTF_8));

// samlTokenId is the value of the samlTokenId cookie set by the gateway after SAML SSO
String payload = "grant_type=SAML2&scope=" + samlTokenId + "," + apiAlias;

// Change the port if App Manager runs with a port offset
httpClient.doPost("http://localhost:8280/token", applicationToken, payload, "application/x-www-form-urlencoded");
```

  • apiAlias - the alias name given when registering the API details in the App Manager publisher.
  • applicationToken - the base64 encoded value of the consumer/secret key pair provided by the App Manager.
  • payload - the payload needs to send the grant_type and the scope values. grant_type needs to be set to SAML2. scope should contain the value of the samlTokenId cookie and apiAlias as comma-separated strings.
  • "http://localhost:8280/token" is the token API provided by the App Manager. Change the port according to the defined port offset.
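The request above is ordinary HTTP, so the same exchange can be assembled in any language. The following is an added example, not code from the page or from WSO2, written in Python so that each part of the request can be inspected on its own: the token endpoint URL with the port offset applied, the base64 application token, the SAML2 grant body, and a guarded parser for the JSON token response. The values WCk1, WCSk1 and the samlTokenId cookie are constructed placeholders, and the assumption that the application token travels in an Authorization: Basic header (the usual way an OAuth2 token endpoint authenticates the client) is marked in the code.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Placeholders from the page for the consumer/secret key pair App Manager
# generates for the Web application; the values are constructed for this example.
WCK1 = "WCk1"
WCSK1 = "WCSk1"

# Constructed sample value of the samlTokenId cookie and the API alias
# registered in the App Publisher.
SAML_TOKEN_ID = "a1b2c3d4-sample-saml-token-id"
API_ALIAS = "pizzashack"

# Port of the token API as defined in _TokenAPI_.xml before any port offset.
BASE_TOKEN_PORT = 8280


def token_endpoint(host="localhost", port_offset=0):
    """Token API URL; the port must follow App Manager's port offset."""
    return "http://{}:{}/token".format(host, BASE_TOKEN_PORT + port_offset)


def application_token(consumer_key, consumer_secret):
    """base64(consumerKey:consumerSecret), the value carried in HTTP Basic auth."""
    raw = "{}:{}".format(consumer_key, consumer_secret).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def saml2_grant_payload(saml_token_id, api_alias):
    """Form body: grant_type=SAML2 and scope=<samlTokenId>,<apiAlias>.

    The comma is kept literal (safe=",") so the scope reads exactly as the
    page's Java snippet builds it.
    """
    return urlencode(
        {"grant_type": "SAML2", "scope": "{},{}".format(saml_token_id, api_alias)},
        safe=",",
    )


def build_token_request(consumer_key, consumer_secret, saml_token_id, api_alias,
                        host="localhost", port_offset=0):
    """Assemble the POST to the token API; sending it is left to the caller.

    Assumption: the application token is sent in an Authorization: Basic header.
    """
    req = Request(
        token_endpoint(host, port_offset),
        data=saml2_grant_payload(saml_token_id, api_alias).encode("utf-8"),
        method="POST",
    )
    req.add_header("Authorization", "Basic " + application_token(consumer_key, consumer_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def parse_token_response(body):
    """Extract the access token from a JSON token response.

    Raises ValueError on an OAuth2 error response or a body without an
    access_token, so the caller never treats an error document as a token.
    """
    doc = json.loads(body)
    if "error" in doc:
        raise ValueError("token endpoint returned error: {}".format(doc["error"]))
    if "access_token" not in doc:
        raise ValueError("token response has no access_token")
    return {"access_token": doc["access_token"],
            "token_type": doc.get("token_type", "bearer"),
            "expires_in": int(doc.get("expires_in", 0))}


if __name__ == "__main__":
    request = build_token_request(WCK1, WCSK1, SAML_TOKEN_ID, API_ALIAS, port_offset=1)
    print(request.get_method(), request.full_url)
    print(request.data.decode("utf-8"))
    # Constructed sample of a successful token response, parsed offline.
    print(parse_token_response('{"access_token":"sample","token_type":"bearer","expires_in":3600}'))
```

Keeping the consumer secret and the returned access token out of log output is the one design point worth copying into a real Web application: the functions return the values and the caller decides what to store.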

Prerequisites

(1). Configure the Identity Provider used by the App Manager.

App Manager uses WSO2 Identity Server as the default identity provider for SAML SSO authentication. You need to create a service provider in the IDP for each Web application published through the App Manager (i.e., to get SAML SSO authentication for Web applications).

If a particular Web application has registered to obtain an OAuth2 token using the SAML response generated from the SSO authentication, then when creating the service provider for this Web application, the following mandatory options need to be selected in the service provider: "Enable Response Signing", "Enable Assertion Signing" and "Enable Audience Restriction". The API provider's token endpoint needs to be added as an Audience Restriction value.

See the image below of 'configuring IS'.

Image Removed
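The audience restriction above is what lets the API provider's token endpoint tell that an assertion was issued for it and not for some other relying party. The following is an added example, not code from the page or from WSO2, showing the checks a token endpoint applies to the SAML2 grant before issuing a token: validity window and audience, with a missing AudienceRestriction treated as a rejection. The assertion is a constructed, unsigned sample and the token endpoint URL is a placeholder; verification of the response and assertion signatures (the other two mandatory options) is assumed to have been done before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder for the API provider's token endpoint, which is the
# value configured as the Audience Restriction in the service provider.
API_PROVIDER_TOKEN_ENDPOINT = "https://api-provider.example:9443/oauth2/token"

# Constructed, unsigned sample assertion used only to exercise the checks below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2015-01-01T10:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-01-01T10:00:00Z" NotOnOrAfter="2015-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://api-provider.example:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Same assertion with "Enable Audience Restriction" left unticked (constructed).
NO_AUDIENCE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2015-01-01T10:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-01-01T10:00:00Z" NotOnOrAfter="2015-01-01T10:05:00Z"/>
</saml:Assertion>"""


def _parse_utc(value):
    """Parse the UTC timestamps SAML uses, e.g. 2015-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audiences(assertion_xml):
    """All Audience values under Conditions/AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = "./saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, SAML_NS) if a.text]


def check_saml2_grant(assertion_xml, expected_audience, now_utc):
    """Return (accepted, reason) for an assertion presented as a SAML2 grant.

    now_utc is passed in as a string so the checks are deterministic; the
    signature checks are assumed to have passed before this function is called.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no Conditions element"
    now = _parse_utc(now_utc)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_utc(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= _parse_utc(not_on_or_after):
        return False, "assertion expired"
    auds = audiences(assertion_xml)
    if not auds:
        return False, "no AudienceRestriction"
    if expected_audience not in auds:
        return False, "token endpoint not in audience list"
    return True, "ok"


if __name__ == "__main__":
    print(check_saml2_grant(SAMPLE_ASSERTION, API_PROVIDER_TOKEN_ENDPOINT, "2015-01-01T10:02:00Z"))
    print(check_saml2_grant(SAMPLE_ASSERTION, "https://other.example/oauth2/token", "2015-01-01T10:02:00Z"))
    print(check_saml2_grant(NO_AUDIENCE_ASSERTION, API_PROVIDER_TOKEN_ENDPOINT, "2015-01-01T10:02:00Z"))
```

The audience comparison is an exact string match, which is why the value entered in the Identity Server service provider has to be the token endpoint URL exactly as the API provider expects it.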

(2). Configure API-Manager (API Provider)

 

In order to provide an OAuth token using the SAML token issued by the IDP of App Manager (WSO2 IS), API Manager needs to have IS added as a trusted identity provider. See the image below of "configuring API Manager".

Image Removed


Note

For more information on obtaining an OAuth2 token by providing a SAML token, see the Pizza Shack sample.