Securing APIs
- Former user (Deleted)
APIs published on the WSO2 API Gateway are secured using OAuth2.0 by default. Any client application invoking a secure published API needs to have a valid subscription to the particular API and present a valid OAuth2.0 Access Token to the API Gateway. Please see steps 7 and 8 of the quick start guide to understand how you can subscribe an application to an API and how to get credentials for your application.
Once you have the got the required credentials, namely the consumer key and consumer secret, for your application, you (application users) can get access tokens to invoke APIs that are subscribed to the particular application. To understand how you can get tokens for different types of applications, see Token API.
Authentication
The HTTP Authorization header is the most common method of providing authentication information for REST APIs. The application needs to have the access token in an authorization header for the client application to authenticate the API that is being accessed. The format of the header is as follows.
Customizing the authorization header
If the value of the authorization header needs to be changed due to organizational policies, legacy APIs, or for any other reason, it can be done at three levels in WSO2 API Manager (WSO2 API-M) as described below.
Server wide customization
Follow the instructions below to change the value of the authorization header at the server level configurations:
- Navigate to the
<API-M_HOME>/repository/conf/api-manager.xmlfile and make the following changes.Uncomment the
<AuthorizationHeader>section and add the customized authorization header.
You need to make this change on all the profiles of WSO2 API Manager.Add the custom authorization header to the list of allowed headers defined in the
<CORSConfiguration> <Access-Control-Allow-Headers>section.
- Restart the WSO2 API Manager server to reload the changes.
- If you have already published APIs, sign in to the API Publisher and republish those APIs.
Before you begin, deploy the sample PizzaShackAPI as explained in the Quick Start Guide, as the following example is based on that API.
Note that the customized authorization header appears in the Store UI as well.
Tenant wide customization
Each tenant can define their own name for the authorization header by following the instructions below:
The tenant wide authorization header customizations take precedence over the server wide authorization header customizations.
Sign in to the WSO2 API Manager Management Console with your tenant credentials.
https://<server-host>:9443/carbon
For information on creating a tenant, see Managing Tenants.
- Click Main, then click Browse which is under Resources.
- Enter /
_system/config/apimgt/applicationdata/tenant-conf.jsonas the location and click Go to access thetenant-conf.jsonfile that is in the WSO2 Registry. - Click Edit as text to be able to edit the JSON file.
Add the following configuration with the customized authorization header to the JSON file and save the file.
If you have already published APIs, sign in to the API Publisher using your tenant credentials and republish those APIs.
Before you begin, deploy the sample PizzaShackAPI as explained in the Quick Start Guide, as the following example is based on that API.
Note that the customized authentication header appears in the Store UI as well.
Per API customization
The API Publisher application allows an API Developer or Product Manager to specify the name of the authorization header when creating or modifying an API.
The customized authorization header defined per API takes precedence over the customized authorization headers that are defined server and tenant wide.
Follow the instructions below to add a customized authorization header for an API:
- Sign in to the Publisher.
https://<server-host>:9443/publisher When creating or updating an API, define the customized authorization header in the Manage tab.
- Save and Publish the API.