Accessing API Manager 4.3.0 APIs using Tokens Generated via WSO2 Identity Server 7.0.0 and with Federation
This article describes the following ways of configuring WSO2 Identity Server (IS) with WSO2 API Manager (APIM) so that tokens generated by WSO2 IS can be used:
1. Configuring WSO2 IS as the Key Manager and using the token directly with the APIM gateway
2. Configuring WSO2 IS as an external IDP and using the JWT grant type to obtain another token from APIM to access the gateway
3. With the external IDP configuration in place, using the Dev Portal subscribed application to federate to the Identity Server, log in, and obtain the token from API Manager
Note: For this article, I will be using a simple Ballerina service as the backend for the exposed APIs. Any other service can be used to test the scenario as well. The Ballerina code is available in the GitHub repository. Once Ballerina is installed, start the service with
bal run
after which the services will be available at http://localhost:9091/petstore/rest/
The steps are as follows:
- Configuring API Manager: create the API, associate scopes with it, deploy and publish it
- Use the tokens created by the external Key Manager (KM) directly in the API Manager Gateway
- Use the tokens created by the external IDP and exchange them, via the JWT grant, for a token that can be used in the API Manager Gateway
Configuring API Manager
Creating an API and publishing
This is the API that will be created and used to test the scenarios. Note that scopes are configured on it as well.
Adding scopes to the API resources
Create the scopes add_pet and update_pet as local scopes of the API.
Associate add_pet with the /rest/addPet resource and update_pet with the /rest/updatePet resource.
Note: Don't associate any scopes with the /rest/test resource. It can be used to check that the API is working without any scopes.
Once that is done, save and deploy the API. This deploys the API to the gateway, but it will still not be visible to application developers.
In order to make the API visible to application developers, the API needs to be published. This can be done via the “Lifecycle” section in the Publisher portal.
More information is available in the documentation on deploying an API and on publishing an API.
1. Use the tokens created using the external KM and use directly in the API Manager Gateway
Configure the external Key Manager as per the instructions in the official documentation.
Create a Dev Portal Application
Navigate to https://localhost:9444/devportal and create an application
Once the application is created, go to the Subscriptions tab and subscribe to the desired API.
Afterwards, generate the client ID and secret so that they can be used to authenticate the user and generate a token.
Once you generate the keys, you will see that a corresponding application with the same client ID and secret has been created on the WSO2 IS side as well.
Now it is possible to configure the application on the Identity Server side, as explained in the article, if additional scopes and claims need to be sent.
Note: Once the user attributes are selected and the application is updated, the API Resource Authorization tab becomes visible, where scopes can be associated with the application.
Once the token is generated from the IS, it is possible to use the token to directly access the API resources in the API Manager.
Note: Since scope validation was added in the API Publisher, authorization will fail for some resources if the token does not contain the required scopes.
Generate the token using the detailed steps described in the article, then access the API using the command below.
Since this is a newly created application, the user will be asked on login to consent to the application reading the user attributes.
Once consent is given, the authorization server issues a token. Note the add_pet scope in the token.
This token can be used directly to access the API via the WSO2 API Manager Gateway.
curl --location --request PUT 'https://localhost:8244/petstore/1.0.0/rest/addPet' \
--header 'accept: */*' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ4NXQiOiJP*******LC60vZiC_8krUQJ7RAucg' \
--data '{"name": "drake"}'
The response is as follows.
Successfully added the petstore for pet: drake
But when trying to access the “updatePet” resource of the same API, the response will be as follows, since the user does not have permission to access that particular resource.
{
"code": "900910",
"message": "The access token does not allow you to access the requested resource",
"description": "User is NOT authorized to access the Resource: /rest/updatePet. Scope validation failed."
}
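The scope check the gateway performs above, modelled as an added example (this is not code from the article or from WSO2): the resource-to-scope map follows the Publisher configuration described earlier, the JWT is a constructed unsigned token used only to exercise the check offline, and the error body mirrors the 900910 response shown above.

```python
import base64
import json

# Resource -> required scopes, as configured in the API Publisher above.
# /rest/test deliberately has no scope, so any valid token can reach it.
RESOURCE_SCOPES = {
    "/rest/addPet": {"add_pet"},
    "/rest/updatePet": {"update_pet"},
    "/rest/test": set(),
}


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT (header.payload.signature).

    Signature verification is not modelled here: the gateway verifies the
    signature against the Key Manager's certificate before any scope check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token: str) -> set:
    """WSO2 issues 'scope' as a single space-separated string."""
    return set(jwt_payload(token).get("scope", "").split())


def authorize(token: str, resource: str) -> dict:
    """Return {"allowed": True} or the 900910-style error body the gateway sends."""
    required = RESOURCE_SCOPES[resource]  # unknown resource -> KeyError
    if required <= token_scopes(token):
        return {"allowed": True}
    return {
        "allowed": False,
        "code": "900910",
        "message": "The access token does not allow you to access the requested resource",
        "description": f"User is NOT authorized to access the Resource: {resource}. Scope validation failed.",
    }


def demo_token(scope: str) -> str:
    """Constructed, unsigned JWT for offline use; NOT a real IS token."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64({'sub': 'alice', 'scope': scope})}.constructed-signature"
```

A token carrying only add_pet passes for /rest/addPet and /rest/test but is rejected for /rest/updatePet, which is exactly the behaviour shown by the two curl calls above.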
2. Use the tokens created by the external IDP and exchange them, via the JWT grant, for a token to be used in the API Manager Gateway
NOTE: To use the JWT grant with scopes, the API Manager needs to be started with ./api-manager.sh -DretrieveRolesFromUserStoreForScopeValidation=true. Otherwise, when the JWT grant is invoked with scopes, the following error will occur:
[2024-12-17 22:42:45,045] ERROR — OAuth2Service Error occurred while issuing the access token for Client ID : B1oduaUYQG7da9JLhXf0p4_pD4Ma, User ID null, Scope : [add_pets, openid] and Grant Type : urn:ietf:params:oauth:grant-type:jwt-bearer
java.lang.NullPointerException: null
Configure External IDP
Configure the external IDP as instructed in the article (even though it is mentioned there, there is no need to configure the claim configurations) or as per the official documentation.
When creating the IDP configuration, make sure to add the client ID and secret of the application created in the WSO2 Identity Server; they can be retrieved from the application view.
Make sure to add https://localhost:9445/oauth2/token as the issuer name, as shown above.
Add the other relevant information and register the IDP.
Create a Dev Portal Application
Navigate to https://localhost:9444/devportal and create an application
Once the application is created, select the “jwt” grant type and click “Generate Keys”.
Once you generate the keys, the client credentials will be shown on screen. Make a note of them, since they are needed in base64-encoded form to request a token from API Manager using the JWT grant type.
Navigate to the Subscriptions section of the application and subscribe to the relevant API.
Get Access Token from the External WSO2 IS
Refer to the “Test the application with Authentication Code Grant and check all necessary information is available in the token” section in the article to retrieve a token via Postman Client.
You will get a token with all the necessary information, including the “add_pets” scope.
Exchange the token with API Manager for a Gateway-trusted token via the JWT grant type using the following command. Make sure to provide base64encode(clientId:clientSecret) of the application created in the Dev Portal as the value for Authorization: Basic in the curl command.
curl --location 'https://localhost:9444/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic QjFvZHVhVV*******zFCc1lh' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
--data-urlencode 'assertion=eyJ4NXQjolzXJ5b25lI*************qhRa_3oSvzShJ_WA'
This will return an access token as follows, which you can use to access the APIs subscribed to by the relevant application.
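The exchange above, prepared as an added example (not code from the article or from WSO2): it builds the same request the curl command sends, including the Basic header from base64encode(clientId:clientSecret), and first rejects an assertion whose iss does not match the issuer name registered for the IDP or which has already expired, two conditions under which API Manager would refuse the grant anyway. The client ID, secret and token claims are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode

APIM_TOKEN_URL = "https://localhost:9444/oauth2/token"
# Issuer name registered for the external IDP in API Manager (from the article).
TRUSTED_ISSUER = "https://localhost:9445/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def claims_of(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check here)."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def basic_auth(client_id: str, client_secret: str) -> str:
    """'Basic ' + base64encode(clientId:clientSecret), as the curl command above needs."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_exchange(assertion: str, client_id: str, client_secret: str, now=None) -> dict:
    """Return the token request that exchanges the IS token for an APIM token.

    Raises ValueError for an assertion APIM would reject anyway: an issuer
    that differs from the IDP's registered issuer name, or an expired token.
    """
    now = time.time() if now is None else now
    claims = claims_of(assertion)
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError(f"issuer {claims.get('iss')!r} is not the registered IDP issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion has expired; obtain a fresh token from the IS")
    return {
        "url": APIM_TOKEN_URL,
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth(client_id, client_secret),
        },
        "body": urlencode({"grant_type": JWT_BEARER, "assertion": assertion}),
    }


def demo_assertion(iss: str, exp: int, scope: str) -> str:
    """Constructed, unsigned JWT standing in for the token issued by the IS."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64({'iss': iss, 'exp': exp, 'scope': scope})}.constructed-sig"
```

The returned dict maps one-to-one onto the curl flags above (URL, the two headers, and the form body), so it can be sent with any HTTP client; the client must trust the API Manager certificate, which the curl examples in this article do not verify.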
3. With the external IDP configuration in place, use the Dev Portal subscribed application to federate to the Identity Server, log in, and obtain the token from API Manager
Configuring Identity Server
Configure the Service Provider in the Identity Server as per the article “https://rami-desilva.medium.com/wso2-identity-server-7-0-0-as-the-identity-provider-for-your-wso2-api-manager-4-3-0-portals-db10a4e60452”.
After configuring the IS, use the following commands to test whether the Service Provider in the IS responds with the correct claims.
Open the following URL in the browser to get the code:
https://localhost:9445/oauth2/authorize?response_type=code&client_id=dMXTf8PQgOIQfhg97nwEcOhXH9Ea&redirect_uri=http://localhost:3000/sample-app&redirect&scope=openid groups profile add_pet update_pet
Then use the following command to generate the token:
curl --location 'https://localhost:9445/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--header 'Authorization: Basic ZE1YVGY4UFFnT0lRZmhnOTdud0VjT2hYSDlFYTpOZlNFNkdQdU1oOFhGNzRmb1B2dXFnbTBHQUpmTFRNMEZxYkl4VEEyUHFRYQ==' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=9c5085f4-fc53-3b37-8207-468e75eaa448' \
--data-urlencode 'redirect_uri=http://localhost:3000/sample-app'
The decoded token received should contain something similar to the following.
Configuring API Manager
Add a role called user in the API Manager so that it can be mapped to the information received in the token via federation.
Some configurations in the IDP are useful when the user is obtaining the token; that is where the role mappings are available and the scopes needed from the external IDP are defined.
The changes to be made are:
- Select the Dev Portal application that was created and set Federated Authentication to the configured IDP, which is wso2is700
- If there are claims needed by the application, add them using the Add Claim URI option
With the following URL, the user can get the authorization code; note that the groups claim is also requested in the scope.
https://localhost:9444/oauth2/authorize?response_type=code&client_id=75L89l_ADUmUJH0S2l7VAxKR1Loa&redirect_uri=http://localhost:3000/home&redirect&scope=openid groups profile add_pet update_pet
Afterwards, when the APIM authorization endpoint (https://localhost:9444/oauth2/authorize) is invoked as above, the request is redirected to the IS (https://localhost:9445/authenticationendpoint/login.do), which prompts the login screen.
Once the correct login credentials are entered, the authorization code will be available.
The user should also have been provisioned to API Manager with the role assignment.
The following cURL command can be used to generate the token to invoke the API.
curl --location 'https://localhost:9444/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--header 'Authorization: Basic NzVMODlsX0FEVW1VSkgwUzJsN1ZBeEtSMUxvYTp3bUhNU2FHX1NoVTN2N05JN0todW9INjZuRndh' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=6679d4e0-3045-33a7-86a9-fc57e9252e10' \
--data-urlencode 'redirect_uri=http://localhost:3000/home'
This article has shown how an external WSO2 Identity Server can be used to generate tokens for accessing the WSO2 API Manager gateway.