/
Authenticating and Authorizing REST APIs

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Authenticating and Authorizing REST APIs

Jan 10, 2022

This section guides you through securing REST services and how requests to REST APIs are authenticated and authorized in WSO2 Identity Server.  

The requests that are sent via REST APIs are intercepted by tomcat valves and authenticated and authorized by an OSGI service. There are two OSGi services that provide the authentication and authorization service based on its own handlers.

  • WSO2 Identity Server supports the following authentication handlers

    • OAuth2AccessTokenHandler

    • ClientCertificateBasedAuthenticationHandler 

    • BasicAuthenticationHandler 

  • The authorization handler is based on the permission specified against a particular user role.  

You can write your own handlers for both authentication and authorization and register them in OSGI.

Let's learn how to authenticate and authorize REST APIs: 

  1. To enable the intercepting of services:

    1. Open the catalina-server.xml file found in the <IS_HOME>/repository/conf/tomcat directory. 

    2. Uncomment the following valves found under the <Engine name="Catalina"> tag.    

      <!-- Authentication and Authorization valve for the rest apis and we can configure context for this in identity.xml --> <!--Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/> <Valve className = "org.wso2.carbon.identity.authz.valve.AuthorizationValve"/-->

  2. To specify the resources that you want to secure:

    1. Open the identity.xml file found in the  <IS_HOME>/repository/conf/identity directory. 

    2. Specify the resource that you want to secure under the <ResourceAccssControl> as given below. 

      Example:

      <ResourceAccessControl> <Resource context="/api/identity/*" secured="true" http-method="all"> <Permissions>/permission/admin/login</Permissions> </Resource> </ResourceAccessControl>

  3. To configure intermediate certificate validation, configure the following in the identity.xml file as given below. 

    Example:

    <IntermediateCertValidation enable="true"> <IntermediateCerts> <CertCN>wso2isintcert</CertCN> <CertCN>localhost</CertCN> </IntermediateCerts> <ExemptContext> <Context>scim2</Context> </ExemptContext> </IntermediateCertValidation>