This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Securing APIs

APIs published on the WSO2 API Gateway are secured using OAuth 2.0 by default. Any client application invoking a secured published API must have a valid subscription to that API and present a valid OAuth 2.0 access token to the API Gateway. See steps 7 and 8 of the Quick Start Guide to understand how to subscribe an application to an API and how to obtain credentials for your application.

Once you have the required credentials for your application, namely the consumer key and consumer secret, application users can obtain access tokens to invoke the APIs that are subscribed to that application. To understand how to obtain tokens for different types of applications, see Token API.

Authentication

The HTTP Authorization header is the most common way of passing authentication information to REST APIs. The client application sends its access token in this header so that the API Gateway can authenticate the request before it reaches the API. By default the token is sent as an OAuth 2.0 bearer credential, so the header has the following format:

Authorization: Bearer <access-token>
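The check a gateway performs on that header, as an added example that is not part of the WSO2 documentation or product code: it reads the bearer token out of the Authorization header (with case-insensitive header and scheme names, as HTTP requires) and rejects anything that is not a well-formed bearer credential, so that only plausible tokens are ever sent on to the key manager. The expected_header parameter and the sample token are assumptions introduced for the example, to show that the header name itself can be renamed, which the rest of this page covers.

```python
# Added example, not code from the WSO2 documentation or product: a gateway-side
# check that reads the OAuth 2.0 bearer token out of the Authorization header,
# and the header a client application has to send. Header and scheme handling
# follows RFC 6750 (bearer tokens) and RFC 7230/7235 (case-insensitive header
# and scheme names). The `expected_header` parameter is an assumption added to
# show that the header name itself can be renamed.
import re
from typing import Mapping, Optional

# RFC 6750 b64token syntax: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def extract_bearer_token(headers: Mapping[str, str],
                         expected_header: str = "Authorization") -> Optional[str]:
    """Return the access token carried in `expected_header`, or None when the
    request carries no well-formed bearer credential in that header.

    Rejecting malformed values here means the key manager is only asked to
    validate strings that can actually be tokens.
    """
    value = None
    for name, candidate in headers.items():
        if name.lower() == expected_header.lower():   # header names are case-insensitive
            value = candidate
            break
    if value is None:
        return None                                   # header absent
    parts = value.strip().split(None, 1)              # expected shape: "Bearer <token>"
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None                                   # wrong or missing scheme
    token = parts[1].strip()
    if not _B64TOKEN.match(token):
        return None                                   # not a b64token (e.g. embedded spaces)
    return token


def client_headers(access_token: str, header_name: str = "Authorization") -> dict:
    """Headers a client application adds to an API call."""
    return {header_name: f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed sample: a token as obtained from the Token API, first sent with
    # the default header name, then under a renamed header (an assumed name).
    token = "2YotnFZFEjr1zCsicMWpAA"
    print(extract_bearer_token(client_headers(token)))
    print(extract_bearer_token(client_headers(token, "X-Custom-Auth")))
    print(extract_bearer_token(client_headers(token, "X-Custom-Auth"), "x-custom-auth"))
```

The third call shows why the header name configured on the gateway and the one the client sends must agree: a token sent under a header the gateway is not looking at is simply treated as absent.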

Customizing the authorization header

If the name of the authorization header needs to be changed due to organizational policies, legacy APIs, or for any other reason, it can be done at three levels in WSO2 API Manager (WSO2 API-M), as described below.

Server wide customization

Follow the instructions below to change the name of the authorization header in the server level configuration:

  1. Open the <API-M_HOME>/repository/conf/api-manager.xml file and make the following changes.
    1. Uncomment the <AuthorizationHeader> section and set it to the customized authorization header name.
      You need to make this change on every profile of WSO2 API Manager.

    2. Add the custom authorization header to the list of allowed headers defined in the <CORSConfiguration> <Access-Control-Allow-Headers> section. Without this, browser based clients fail at the CORS preflight stage because the custom header is not permitted.

  2. Restart the WSO2 API Manager server to reload the changes.
  3. If you have already published APIs, sign in to the API Publisher and republish those APIs so that they pick up the new header name.
Before you test the customized authorization header at the server level, deploy the sample PizzaShackAPI as explained in the Quick Start Guide, as the test example is based on that API.

Note that the customized authorization header appears in the Store UI as well.

Tenant wide customization

Each tenant can define its own name for the authorization header by following the instructions below.

The tenant wide authorization header customization takes precedence over the server wide authorization header customization.

  1. Sign in to the WSO2 API Manager Management Console with your tenant credentials. 
    https://<server-host>:9443/carbon

    For information on creating a tenant, see Managing Tenants.

  2. Click Main, then click Browse under Resources.
  3. Enter /_system/config/apimgt/applicationdata/tenant-conf.json as the location and click Go to open the tenant-conf.json file that is stored in the WSO2 Registry.
  4. Click Edit as text to be able to edit the JSON file.
  5. Add the following configuration with the customized authorization header to the JSON file and save the file.

  6. If you have already published APIs, sign in to the API Publisher using your tenant credentials and republish those APIs.

Before you test the customized authorization header at the tenant level, deploy the sample PizzaShackAPI as explained in the Quick Start Guide, as the test example is based on that API.

Note that the customized authorization header appears in the Store UI as well.

Per API customization

The API Publisher application allows an API Developer or Product Manager to specify the name of the authorization header when creating or modifying an API.

The customized authorization header defined per API takes precedence over both the tenant wide and the server wide customizations.

Follow the instructions below to add a customized authorization header for an API:

  1. Sign in to the Publisher.
    https://<server-host>:9443/publisher
  2. When creating or updating an API, specify the customized authorization header name in the Manage tab.

  3. Save and Publish the API.
Before you test the customized authorization header at the API level, deploy the sample PizzaShackAPI as explained in the Quick Start Guide, as the test example is based on that API.
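How the three levels combine, as an added example in Python that is not part of the WSO2 documentation or the product: it resolves the effective header name (per API first, then tenant wide, then server wide, then the default Authorization) and checks that the chosen name is also present in <Access-Control-Allow-Headers>, since a name missing from that list breaks browser preflight requests before the token is ever examined. The configuration fragments are constructed for the example; <AuthorizationHeader> and <Access-Control-Allow-Headers> are the element names this page uses, but the <APIManager> root element, the tenant-conf.json key AuthorizationHeader and the way the per-API value is passed are assumptions about the layout, not the product's actual schema.

```python
# Added example, not from the WSO2 documentation or code base: a model of how
# the server wide, tenant wide and per API authorization header settings
# combine, plus the CORS allow-list check a practitioner should run after
# renaming the header. Element names <AuthorizationHeader> and
# <Access-Control-Allow-Headers> come from the documentation; the <APIManager>
# root, the tenant-conf.json key and all values below are constructed
# assumptions for the example.
import json
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

DEFAULT_HEADER = "Authorization"

# Constructed stand-in for the relevant part of api-manager.xml (server wide).
API_MANAGER_XML = """
<APIManager>
  <AuthorizationHeader>X-Server-Auth</AuthorizationHeader>
  <CORSConfiguration>
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,X-Server-Auth</Access-Control-Allow-Headers>
  </CORSConfiguration>
</APIManager>
"""

# Constructed stand-in for a tenant's tenant-conf.json (key name is assumed).
TENANT_CONF_JSON = '{"AuthorizationHeader": "X-Tenant-Auth"}'


def server_wide_header(xml_text: str) -> Optional[str]:
    """Header name from <AuthorizationHeader>, or None if absent/commented out."""
    root = ET.fromstring(xml_text.strip())
    el = root.find("AuthorizationHeader")
    if el is None or not (el.text or "").strip():
        return None
    return el.text.strip()


def cors_allowed_headers(xml_text: str) -> Set[str]:
    """Lower-cased set of names in <CORSConfiguration>/<Access-Control-Allow-Headers>."""
    root = ET.fromstring(xml_text.strip())
    el = root.find("CORSConfiguration/Access-Control-Allow-Headers")
    if el is None:
        return set()
    return {h.strip().lower() for h in (el.text or "").split(",") if h.strip()}


def tenant_header(json_text: str) -> Optional[str]:
    """Header name from tenant-conf.json, or None if the tenant set nothing."""
    value = json.loads(json_text).get("AuthorizationHeader")
    return value.strip() if isinstance(value, str) and value.strip() else None


def effective_header(per_api: Optional[str] = None,
                     tenant: Optional[str] = None,
                     server: Optional[str] = None) -> str:
    """Per API beats tenant wide, which beats server wide, which beats the default."""
    for candidate in (per_api, tenant, server):
        if candidate:
            return candidate
    return DEFAULT_HEADER


def preflight_allows(header_name: str, allowed: Set[str]) -> bool:
    """True if a browser preflight listing header_name in
    Access-Control-Request-Headers would be accepted (names compare case-insensitively)."""
    return header_name.lower() in allowed


def check_deployment(per_api: Optional[str], tenant_json: str,
                     server_xml: str) -> Tuple[str, List[str]]:
    """Return the effective header name and a list of problems to fix before testing."""
    name = effective_header(per_api, tenant_header(tenant_json), server_wide_header(server_xml))
    problems = []
    if not preflight_allows(name, cors_allowed_headers(server_xml)):
        problems.append(f"{name} is not listed in Access-Control-Allow-Headers; "
                        "browser preflight requests will fail")
    return name, problems


if __name__ == "__main__":
    # Server wide only: the name is allowed by CORS, nothing to fix.
    print(check_deployment(None, "{}", API_MANAGER_XML))
    # Tenant override: the tenant's name wins but was never added to the CORS list.
    print(check_deployment(None, TENANT_CONF_JSON, API_MANAGER_XML))
    # Per API override wins over both of the above.
    print(check_deployment("X-API-Auth", TENANT_CONF_JSON, API_MANAGER_XML))
```

Run the check after each of the three procedures above: a non-empty problem list means the header was renamed at a level whose name was never added to the CORS allow list, so a browser based client would be rejected at preflight even though it holds a valid token.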