This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


Some web applications call OAuth-secured APIs internally. Once a web application is published and accessed through the App Manager gateway, the user is authenticated using SAML SSO. With this feature, the same SAML token generated by the App Manager gateway can be used to obtain an OAuth2 access token by calling the token endpoint used by these APIs.

The diagram below depicts this scenario:


How to publish a web application that needs to obtain an OAuth2 access token

 [1] If a particular web application needs to access OAuth-secured APIs internally, the details of those APIs (the URL of the token endpoint used by the APIs, the API consumer key, the API consumer secret and an alias name for the API) must be provided when publishing the web application in App Manager.

See the image below.


Once the web application is created in App Manager, it wraps these details and generates a new consumer key/secret pair for the web application [WCk1, WCSk1]. The web application uses this key pair, generated by the App Manager publisher, whenever it needs an access token to call the registered APIs.

 The consumer key/secret pair generated by App Manager is shown on the overview page of the published application. See the image below.


[2] App Manager itself provides a token API. Web applications call this token API with the consumer key/secret pair [WCk1, WCSk1] issued by App Manager whenever they need an access token for a particular API.

 Note: This token API is deployed at {AppM_HOME}/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml. If App Manager is running with a port offset, the port defined inside _TokenAPI_.xml must be changed accordingly.

 An example of invoking the App Manager token API from the web application to get an access token is given below.

// alias given to the API when it was registered in the App Manager publisher
String apiAlias = "pizzashack";
// base64("consumerKey:consumerSecret") using the pair App Manager issued to this web app
String applicationToken = base64Encode(WCk1 + ":" + WCSk1);
// grant_type is always SAML2; samlTokenId is the value of the 'samlTokenId' cookie set by the gateway
String payload = "grant_type=SAML2&scope=" + samlTokenId + "," + apiAlias;
// base64Encode and httpClient.doPost stand for the web app's own helpers; adjust the port for any port offset
httpClient.doPost("http://localhost:8280/token", applicationToken, payload, "application/x-www-form-urlencoded");

 

  • apiAlias must be the alias name given when registering the API details in the App Manager publisher. 
  • applicationToken is the base64-encoded value of the consumer key/secret pair provided by App Manager. 
  • The payload must carry grant_type and scope. grant_type must be set to "SAML2". scope must contain the value of the 'samlTokenId' cookie and apiAlias as comma-separated strings. 
  • "http://localhost:8280/token" is the token API provided by App Manager; change the port according to the port offset.
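The same call, as an added example in Python that is not code from the App Manager documentation or product: it builds the Authorization header and form body described above, derives the token API URL from the port offset (assuming the default 8280 gateway port), and reads the access token out of the JSON reply. The "Basic " prefix on the Authorization header and the access_token / expires_in field names follow the usual OAuth2 token endpoint convention and are assumptions here; the consumer key, secret, cookie value and host used in the block are constructed sample values.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Default HTTP NIO transport port of the App Manager gateway (assumption); a
# configured port offset is added to it, mirroring the change made in _TokenAPI_.xml.
DEFAULT_GATEWAY_PORT = 8280


def token_endpoint(host="localhost", port_offset=0):
    """URL of the App Manager token API, adjusted for a port offset."""
    return "http://%s:%d/token" % (host, DEFAULT_GATEWAY_PORT + port_offset)


def build_token_request(consumer_key, consumer_secret, saml_token_id, api_alias,
                        host="localhost", port_offset=0):
    """Assemble (url, headers, body) for the token API call.

    consumer_key / consumer_secret: the pair the App Manager publisher generated
    for the web app (WCk1 / WCSk1 in the documentation).
    saml_token_id: value of the 'samlTokenId' cookie set by the gateway.
    api_alias: alias given when registering the API in the publisher.
    """
    credentials = "%s:%s" % (consumer_key, consumer_secret)
    app_token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    headers = {
        # Standard OAuth2 client authentication form (assumption).
        "Authorization": "Basic " + app_token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # grant_type must be SAML2; scope carries the SAML token id and the API alias
    # as comma-separated values. urlencode form-encodes the comma as %2C, which
    # the server decodes back before splitting the scope.
    body = urlencode({"grant_type": "SAML2",
                      "scope": "%s,%s" % (saml_token_id, api_alias)})
    return token_endpoint(host, port_offset), headers, body


def parse_token_response(body_text):
    """Return (access_token, expires_in) from the JSON reply, or raise ValueError
    when the token API answered with an error instead of a token."""
    data = json.loads(body_text)
    if "access_token" not in data:
        raise ValueError("token API returned no access_token: %s"
                         % data.get("error", body_text))
    return data["access_token"], data.get("expires_in")


def request_access_token(consumer_key, consumer_secret, saml_token_id, api_alias,
                         host="localhost", port_offset=0, timeout=10):
    """Send the request to a running App Manager and return (access_token, expires_in)."""
    url, headers, body = build_token_request(consumer_key, consumer_secret,
                                             saml_token_id, api_alias, host, port_offset)
    req = Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; only the request is printed, nothing is sent.
    url, headers, body = build_token_request("WCk1", "WCSk1", "abc123", "pizzashack",
                                             port_offset=2)
    print(url)
    print(headers)
    print(body)
```

Keep the consumer secret out of logs and source control: App Manager issues it per web application, and anyone holding the pair plus a valid samlTokenId cookie can mint access tokens for the registered APIs.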

Prerequisites

(1). Configure the Identity Provider used by App Manager.

 App Manager uses WSO2 Identity Server as the default identity provider for SAML SSO authentication. A service provider must be created in the IdP for each web application published through App Manager (i.e. to get SAML SSO authentication for the web application).

If a web application is registered to obtain an OAuth2 token using the SAML response produced by SSO authentication, the service provider created for it must have the following settings enabled:

 "Enable Response Signing", "Enable Assertion Signing" and "Enable Audience Restriction". The API provider's token endpoint must be added as an Audience Restriction value.

 See the image 'configuring IS' below.
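The three settings above can be checked against a SAML response captured from the Identity Server before the token exchange is wired up. The following Python check is an added example, not part of the App Manager documentation: it parses a SAML 2.0 Response and reports whether the Response and the Assertion each carry a ds:Signature element and whether the AudienceRestriction lists the API provider's token endpoint. The two sample responses, the host apim.example.internal and the token endpoint URL are constructed for the example; the signature elements are only presence-checked, so cryptographic verification of the XML signatures still has to be done by the consumer of the assertion (the API Manager token endpoint, or an XML-DSig library in your own code).

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: API Manager token endpoint registered as the audience.
TOKEN_ENDPOINT = "https://apim.example.internal:8243/token"

# Constructed sample that satisfies all three settings (signature bodies elided).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://apim.example.internal:8243/token</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample from a service provider that only has response signing on:
# the assertion is unsigned and carries no audience restriction.
INCOMPLETE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Conditions/>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(response_xml, expected_audience):
    """Return a list of problems; an empty list means the response carries what the
    token exchange requires. Signatures are checked for presence only."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (enable 'Enable Response Signing')")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in Response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (enable 'Enable Assertion Signing')")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if not audiences:
        problems.append("no AudienceRestriction (enable 'Enable Audience Restriction')")
    elif expected_audience not in audiences:
        problems.append("token endpoint %s not among audiences %s"
                        % (expected_audience, audiences))
    return problems


if __name__ == "__main__":
    for name, xml in (("good", GOOD_RESPONSE), ("incomplete", INCOMPLETE_RESPONSE)):
        print(name, check_saml_response(xml, TOKEN_ENDPOINT) or "ok")
```

The audience check matters because the assertion is being forwarded to a second party: without an AudienceRestriction naming the API Manager token endpoint, an assertion issued for the web application could be accepted by any relying party that trusts the same Identity Server.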



(2). Configure API Manager (API Provider)

 

To issue an OAuth token based on the SAML token produced by App Manager's IdP (WSO2 IS), API Manager must have IS registered as a trusted identity provider. See the image "configure APIManager" below.




 
