Versions Compared

Old Version 7

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There can be web applications internally calling the OAuth secured APIs. Once web Once Web applications are published and accessed through the AppManager WSO2 App Manager gateway, user is authenticated using the SAML SSO. In . However, there can be Web applications which internally call OAuth-secured APIs. In this feature, we you can use the same SAML token generated by the WSO2 App Manager gateway, and get an OAuth2 access token by calling the token endpoints used by these APIs.

Table of Contents
maxLevel3

The diagram below  The below diagram depicts this scenario.

Obtaining an Auth2 token by providing a SAML token flow diagramImage Modified

Prerequisites 

...

















...

Publishing the Web application for obtaining an OAuth2 access

...

Configuring the identity provider of App Manager

App Manager uses WSO2 Identity Server as the default service provider for SAML SSO authentication. You need to create a service provider in IDP for each web application that is published through the App Manager (i.e to get the SAML SSO authentication for web applications).

token 

If a particular web application is registered to obtain a OAuth2 token using the SAML response generated from the SSO authentication, when creating the service provider for this web application, it needs to give the following mandatory details of the service provider.

  • Enable Response Signing
  • Enable Assertion Signing
  • Enable Audience Restriction
Info

You need to add API provider’s token endpoint as a Audience Restrict parameter.

 Configure WSO2 Identity Server as follows.

Image Removed

Configuring the API provider of App Manager

WSO2 App Manager uses WSO2 API-Manager as the API Provider. In order to provide a OAuth token using the SAML token provided by the IDP of App Manager (WSO2 IS), APIManager needs to include, IS as a trusted IDP provider. Configure WSO2 APIManager as follows.

Image Removed

...

 If a particular web application needs accessing OAuth Web application needs to access OAuth-secured APIs internally, it needs to provide the following OAuth parameters of the APIs when publishing the web application in AppManager, as depicted belowin the Step 4 - Advanced Configuration of creating the Web application.

  • API Token Endpoint - URL of token endpoint used by the APIs.
  • API Consumer Key - the consumer keys of the OAuth APIs.
  • API Consumer Secret the consumer secret keys of the OAuth APIs.
  • API Name alias name for the APIs.

...

Once the web Web application is created on App Manager, it will wrap these details and generate a new consumer/secret key pair for the web Web application [WCk1, WCSk1]. Actual web Web application can use this consumer/secret key pair generated by the App Manager publisherPublisher, when it need needs to get an access token to call the registered APIs. 

 You can see  Follow the steps below to view the consumer/secret key pair generated by WSO2 App Manager, 

  1. Log in to the

...

 xxxxxx insert image here xxxxxx

Invoking App Manager Token API from web app

  1. App Publisher of WSO2 App Manager using the following URL with admin/admin credentials: http://<IP_ADDRESS>:9763/publisher
  2. Click on the Pizza Shack application in the Web applications list.
  3. In the the Overview section of the Web application, click OAUTH Parameters tab.
    You can see the consumer/secret keys generated for it in WSO2 App Manager as follows.
    Image Added

Invoking WSO2 AppM token API from the Web app

WSo2 App Manager itself provides a token API. Web applications need to call this token API with the consumer/secret key pair [WCk1, WCSk1] provided by the App Manager, when they need to get an access token for a particular API. 

...

Use the following parameters and values to invoke AppManager the App Manager Token API from the web Web application, to obtain an access token.

Code Block
languagejava
String apiAlias = "pizzashack";
String applicationToken = base64Encode(WCk1 + ":" + WCSk1);
String payload = "grant_type=SAML2&scope=" + samlTokenId + "," + apiAlias;
httpClient.doPost("http://localhost:8280/token", applicationToken, payload, "application/x-www-form-urlencoded");

 
  • apiAlias - the alias name given when registering the API details in the App Manager publisher.  
  • applicationToken - the base64 encoded value of consumer/secret key pair provided by the App Manager.  
  • String payload - the payload needs to send the grant type and the scope value. Grant type need to be set as SAML2.  Scope Scope should contain the value of samlTokenId cookie and apiAlias as comma -separated strings.  
  •  httpClient.doPostthe token API provided by the App Manager. Change it with the define port offset accordingly.

...

Note

For more information on obtaining an OAuth2 token by providing a SAML token, see the Pizza Shack sample.