2-legged OAuth for Securing a RESTful Service

This page consists of the procedure to secure a RESTful service with 2-legged OAuth using WSO2 Identity Server and WSO2 ESB.

Download WSO2 Identity Server and WSO2 ESB.
Extract the WSO2 Identity Server and WSO2 ESB ZIP files into a directory in your file system. Call them IS_HOME and ESB_HOME respectively.
Start WSO2 Identity Server and WSO2 ESB by running wso2server.sh (in unix) or wso2server.bat (in windows) which can be found in IS_HOME/bin and ESB_HOME/bin directories respectively.

If both servers are running in localhost, change the default ports. For example, change the WSO2 ESB https port to 9445 and http port to 9765 (default 9443 and 9763 respectively) by configuring <Ports><Offset> in carbon.xml which can be found in ESB_HOME/repository/conf.
Go to WSO2 IS Management Console by pointing your browser to https://localhost:9443/carbon/.
Register a user with WSO2 Identity Server by providing a username and password.
Download sample OAuth client source code from following SVN location:
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.samples.oauth/
Call the sample folder as SAMPLE_HOME.
Open the sample client project with your preferred IDE and add the Jars in the <IS_HOME>/repository/components/plugins directory to a sample client project class path.
Go to the ESB Management Console by entering the following your browser: https://localhost:9445/carbon/.
Sign-in as an admin by providing a username and password.

Create a proxy service in WSO2 ESB by adding following configuration in to the service bus configuration which can be found under Manage > Service Bus > Source View. Alternatively, simply update the synapse configuration of ESB with the content in org.wso2.carbon.identity.samples.oauth/src/main/resources/synapse.xml.

<proxy name="OAuthProxy" transports="https http" startOnLoad="true" trace="disable">
        <target>
            <inSequence>
                <oauthService remoteServiceUrl="https://localhost:9443/services/"/>
                <send>
                    <endpoint>
                        <address uri="http://localhost:8280/services/echo" format="rest"/>
                    </endpoint>
                </send>
            </inSequence>
            <outSequence>
                <send/>
            </outSequence>
        </target>
</proxy>

Please note that remoteServiceUrl contains the host name and the port that WSO2 Identity Server is running.

Update the sample client according to your configurations.
1. Open the file <SAMPLE_HOME>/src/main/java/org/wso2/carbon/identity/samples/oauth/TwoLeggedOAuthDemo.java
2. Update the constants IDENTITY_SERVER, ESB_SERVER, USER_NAME and PASSWORD according to your configurations.
3. Update the following property with the correct path to wso2carbon.jks file.
```
System.setProperty("javax.net.ssl.trustStore", "<IS_HOME>/repository/resources/security/wso2carbon.jks")
```
Run the sample client.

The following steps iterate what is occurring during this process:

The user is registered with WSO2 Identity Server.
The consumer secret is registered with WSO2 Identity Server.
1. Invoke the AuthenticationAdmin service and the user is authenticated with the WSO2 IS entity server
2. Invoke the OAuthAdminService service and register the consumer secret.
The consumer key is set as the username of the user.
Generate OAuth Authorization header and sign it with the OAuth Consumer Secret.
Invoke the proxy service which is deployed in ESB.
OAuth mediator in ESB invokes the OAuthService in WSO2 Identity Server to verify that the consumer is valid.
Verify consumer key (check if the user is a valid user) and verify the oauth_signature value using the consumer secret which has been registered by the user.
If signature verification is done, the request is authenticated and sent to the RESTful service