This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

WSO2 API Cloud allows you to perform all the operations which you do in the API Store, remotely done through an external application which you have written and hosted in your environment. This feature helps you if you are interested in having a highly customizable API Store where the total control of all aspects of the API Store will be in your hands. This section describes how you can design and build up your own API Store to run against WSO2 API Cloud using the WSO2 Store REST APIs. This includes the best practices and an understanding of a secure design and architecture and makes building up your own API Store a hassle free experience.

Guidelines for developing the middle tier

We suggest having a separate backend component written, to handle the authorization token generation, when developing the custom API Store application in the integration cloud.This backend component can be written in MSF4J or any other language of your choice.

The main responsibilities of the middle tier are listed below. All the calls which reach the front end goes to WSO2 through this intermediate middle tier.

  • Calling the WSO2 OAuth2 endpoint(key generation service) to retrieve the access token.
  • Requesting for refresh tokens once the current tokens expire.
  • Handling the secure invocation to the WSO2 Cloud REST APIs.

The diagram below illustrates the structure of this middle tier application and how to use an external store application to consume the WSO2 REST APIs. The middle tier also known as the backend application will be responsible for handling the operations shown inside the red box. 

The following are the three middle tier functionalities handled by the middle tier(backend application). Make sure that all these functions are implemented when you write your backend application.

  1. Invoking Admin REST APIs


    (a) Password Grant
    (b) Refresh Token Grant 
  2. Logging in and storing subscriber access tokens
  3. Invoking Store REST APIs



To secure the connection between the front end application and the middle tier application, enable CORS for the backend application. When enabling CORS you need to make sure to only allow the host of your front end application so that users accessing from other hosts are unable to attack your system. 


REST API invocation guidelines

Design of invoking the WSO2 REST endpoints using the External API Store application

This section explains the main concepts behind invoking the WSO2 API Cloud Subscriber Authentication and Registration REST APIs. All the REST APIs which are exposed to be consumed are authenticated using the password grant type. The password grant type requires to pass credentials to the token endpoint in order to retrieve a valid OAuth2 token. A predefined set of admin user credentials is used if the username and password are not provided through the frontend store application. See REST APIs to be invoked with an Admin token for a list of  REST APIs that require the admin user’s credentials when making the calls to the token endpoint.


REST APIs to be invoked with an Admin token

  • Subscriber Invitation API
  • Subscriber Invitation Verification API
  • Subscriber Registration API
  • Reset Password Initiation API
  • Reset Password Verification API
  • Reset Password Confirmation API

REST API Endpoints to be invoked with subscriber access token.

This token is received and stored in the session when the subscriber logs in to the front end app.

Prerequisite - Storing the client id and client secret to make requests

This is also known as dynamic client registration. You need to have an OAuth2 token to invoke the REST APIs. You can obtain the OAuth2 token by passing the client id and client secret, which can be retrived by calling the dynami  client registration endpoint. The steps shown in the above diagram are described below.

  1. The admin user needs to send a request to the WSO2 Dynamic Client Registration Endpoint manually. For more details on the request format, see the Store REST API documentation. You can use curl or a simple REST client to send this request.

    Make sure to use the email of the admin user in the payload. Invoke the dynamic client registration endpoint with the credentials of an admin user to obtain the client id and secret for the admin user, since you need a user with more privileges to perform these actions, due to security concerns.

  2. The dynamic client registration endpoint will return the client id and client secret of the admin user in the response. A sample response is given below.

    {
        "callBackURL": "www.google.lk",
        "jsonString":
        "{
        \"username\":\"email_username@Org_key\",
        \"redirect_uris\":\"www.google.lk\",
        \"tokenScope\":[Ljava.lang.String;@3a73796a,
        \"client_name\":\"admin_rest_api_store\",
        \"grant_types\":\"authorization_code password refresh_token iwa:ntlm
        urn:ietf:params:oauth:grant-type:saml2-bearer client_credentialsimplicit\"
        }",
        "clientName": null,
        "clientId": "HfEl1jJPdg5tbtrxhAwybN05QGoa",
        "clientSecret": "l6c0aoLcWR3fwezHhc7XoGOht5Aa"
    }
  3. Store the client id and client secret in your backend application as a configuration reference.

We recommend the best practice of storing the obtained client id and the client secret as environment variables within your backend application, as these are reused for all other API calls listed in the previous section. You need to only do this step once manually and store them. Read the FAQ on how to use environment variables in the integration cloud. Alternately, you can choose to use a property file or other secure mechanisms to store this information.

Making requests to the REST APIs through the external custom Store application.

Admin REST APIs and subscriber login functions

Before you begin...

Make sure you have completed the prerequisite. The client id and secret of the admin user needs to be retrieved only once and stored within your backend application. If you have done this already, proceed with the steps listed below.


The diagram above explains the concept behind invoking the REST APIs listed above through the frontend app (Store app) and also covers the flow of the login call done to get the user’s access token. 

 Expand to see the description of the numbered steps in the diagram.

1. An external user makes a request to the frontend store app which corresponds to one of the REST APIs in the list above or a user login from the front end app.

2. The Custom API Store retrieves the parameters which the user inputs and sends them over to the middle tier application. The inputs which are needed to be collected for each of the REST API from the frontend app can be found in the documentation guide API Cloud Subscriber Authentication and Registration REST API - V6 - 23%2F02%2F2018.pdf. If it is the login operation by the subscriber then you need the username and password of the user.

3. Before the backend app (middle tier app) can call the WSO2 REST API endpoints, an OAuth token needs to be retrieved(access token).

In this step we will retrieve the previously stored client id and secret of the admin user.

4. In this step we will be returned with the client id and secret which we have stored. As an example we can store it as an environment variable of the middle tier application which we are using in order to proceed to the step 5.

5. This step is the request to get the access token using the predefined client id and secret.

Case (i) If you are invoking one of these APIs which require you to invoke the API as an admin user then you need to have stored credentials of the admin user for this invocation within your middle tier application.

Case (ii) If you are invoking the login API then you need to get the username and password of the end user.

5.1. The API Cloud provides a Token API that you can use to generate and renew user and application access tokens. You can refer a detailed explanation of the flow in the next section.
In order to get the token you can use the following grant type which is the most recommended. But based on your requirement you can use other grant types as well.

Password grant type - In addition to the client id and secret you need the username and password to generate the access token. If it is an admin operation you need the stored admin credentials else you need the user credentials to be passed from the front end application.

5.2. The access token has a predefined expiry time ( default 3600 seconds). You need to refresh this token, when the expiry time is exceeded or you will be unauthorized. You need the refresh token received from the response of step 5.1 to invoke this. Note that this step is only needed when your access token expires.

Benefits of using Refresh tokens when access tokens expire

The reason for extracting the refresh token is when the access token expires you need the refresh token received in this request to get a new access token. You can avoid repeatedly calling this endpoint and pass the credentials of the user to obtain the refresh token. You can simply make the request with the refresh token received in calling the endpoint 5.1

6.1 This is the response received from calling the step 5.1. The response of the Token API is a JSON message. You can extract the access token and refresh token from this JSON response.

6.2 This is the response received from step 5.2. You can extract the access token from this step received by the refresh token grant type.

7.1. (Only for login calls of end users) For the login call done on behalf of the subscriber in order to get the user access token we need to make sure to save the returned access and refresh tokens in the cache against the user’s email. This is essential in order to call the Store APIs.

7.2. (Only for admin REST APIs) You need the access token retrieved in step 6 in order to set it to the HTTP Authorization header to access the API. The token can be received from step 6.1. If the token from step 6.1 is expired then the token can be retrieved from 6.2. Set this token as the Authorization header of the API request in this step.

E.g., The token from step 6.1 - xxghh-234-874783-shdj89s-9348798
Header value needs to be Authorization : Bearer <xxghh-234-874783-shdj89s-9348798>

In addition to this you need to pass the requested payload format to invoke the WSO2 REST endpoint. For the payload format, see Subscriber Authentication and Registration REST APIs. And the response formats for the Store APIs can be found here.

8. The response returned from the WSO2 REST APIs will be received in this step.

9. Pass that message to the front end Store application and display it to the user.


Store APIs invoked by subscribers

Before you begin...

Make sure you have logged the user(subscriber) in and then stored the token in the cache or any other storage mechanism against the user’s email.

The diagram below explains the the concept behind invoking the REST APIs through the front end app (Store app) provided that the user’s access token has been obtained using the logic call before this. 

 Expand to see the description of the numbered steps in the diagram.

1. An external user makes a request to the frontend store app which corresponds to one of the REST APIs invoked with the subscribers access token.

2. The Custom API Store retrieves the parameters which the user inputs and sends them over to the middle tier application.

3. Once the request reaches the middle tier it will retrieve the access token of this user obtained through the login call and stored in the session. If this is not available, a login call needs to be made to obtain it.

4. The middle tier application uses this token retrieved from the session to call the WSO2 Store REST API endpoints on behalf of the user.

5. The Store REST APIs then return the response back to the middle tier application

6. The middle tier application forwards this response to the front end store app which displays it to the end user.

Access token generation and regeneration

The diagram below explains the how the access tokens, used to invoke the REST APIs, are generated/regenerated.

(a) Obtain an access token using the password grant

(b) Obtain an access token using the refresh token grant

(c) The recommended path when you receive an unauthorized response. This would imply that the token has expired.

(d) This method can also be used when an unauthorized response is received while invoking the REST APIs. However (c) is recommended.


If you have any questions, please write to us at cloud@wso2.com.

  • No labels