I want to connect my Secure rest API to the wso2 API manager. how I can header the Authorization key to the wso2 API manager.
You can enable endpoint security to pass Authentication data to your secured backend. It supports Basic Auth, OAuth, and Digest Auth. Please refer to this.
Related
I created an API Gateway to allow a certain client to access specific routes in my app engine. The client prefers to authenticate using Pre-Shared Key (PSK) over TLS. Is it possible to do that in a Google API gateway?
With the GCP API gateway, you have a limited number of built-in authentication methods. I don’t think we can authenticate using Pre-Shared Key (PSK) over TLS. In order to authenticate using the GCP API Gateway you have to use one of the alternate authentication methods provided in the documentation.If you think it is valid request for GCP API gateway you may raise a Feature request at issue tracker
I know one of API Gateway offers is to provide a security layer of any backend APIs. But how if the case is the backend has its own authentication already (let say api key, jwt or other)? What is the better approach / best practice:
Modify those backend APIs to become "plain API" (without any auth), so will rely only on API Gateway auth (OAuth2)
Keep the backend auth as it is, but then create a microservice that will act as wrapper API to handle that backend auth.
The goal is to prevent double authentication & give the same experience to the clients where they only need to pass 1 authentication which is by the API Gateway. Thank you!
I would keep the backend's API security. There is nothing wrong with having secured communication behind an API gateway. As a matter of fact, I recall this being a recommended approach.
To prevent double authentication, would it be a suggestion to define a public (unsecured) end-point on the API gateway to access the authentication end-point of the authentication server used by your backend services. The client receives the authentication token from that authentication server and the API gateway passes the token through to the API of your backend services.
Another possibility could be to authenticate towards the API gateway but let the API gateway use the same authentication server as your backend services. Some gateways allow you to forward the authentication to an authentication server somewhere outside of the API gateway.
I would like to design a micro-services architecture with IBM connect where the outside clients need to pass a Bearer access token in an Authorization header (OAuth 2) and the gateway will pass a stored JWT (generated and stored during authorize call) with the authorized user's claims to the internal APIs.
Is there such a built-in configuration?
(For reference, WSO2 provides this exact behavior: https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT)
There is not such built in feature in IBM API Connect.
A possible implementation for the scenario that you mention, in IBM API Connect, could be:
An OAuth Provider API that contains the authorization and token endpoints of an OAuth flow (IBM API Connect has a built-in OAuth server) Implement an OAuth API Provider
The API that acts as a proxy of the backend microservice, secured by the OAuth provider API created before (so that way, access tokens are required to send requests to this API). In this API, implement a jwt-generate policy (which is a built-in policy in IBM API Connect) to generate JWT tokens. jwt-generate built-in policy
In this implementation you can add custom information to the access tokens generated by the OAuth provider API (such as the logged in user in the application, device id....), and use those values as claims when generating the JWT (oauth.resource-owner, client-id of the consumer application sending the requests....)
I am using Wso2 Oauth2 password grant for authenticating the user in my application. I need to implement two factor authentication using sms and email in my existing workflow. I have gone through the Wso2 documentation found authenticator for Email and SMS.
https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator
https://docs.wso2.com/display/ISCONNECTORS/SMSOTP+Authenticator
But these documentation deals with SAML.
Is there any documentation for Oauth2 workflow or How it can be achieved ?
Need help on this
Thanks
I assume you have configured a service provider with OAuth/OpenID Connect Configuration type in WSO2 Identity Server. You need to do the Local & Outbound Authentication Configuration in this OAuth Service Provider. Hit edit for that SP and expand Local & Outbound Authentication Configuration. Click on Advanced Configuration and do necessary configuration there.
Refer https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator and follow the steps starting from Step 9 in Configuring the Service Provider section.
I would like to implement an architecture based on oAuth2 in which the token is generated by the WSO2 identity server (Auth Server) and the API manager is used as the Gateway (resource server).
I understood it's necessary to change the Identity_Server/repository/conf/carbon.xml and set the value false for the element <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> in order to enable the admin Service of token validation exposed by the Identity Server. Also I think it's necessary to configure the APIManager.xml to configure the API manager to check the token validation using a service exposed by the identity server.
But unfortunately the specific documentation is not available at https://docs.wso2.org/display/AM140/Configuring+api-manager.xm. Can someone help me understand how to achieve my goal ?
If it's correct to assume what you want is to, secure a exposed rest API with OAuth, using WSO2 IS, then the following link [1] will help you.
But since you are using WSO2 API manager, if there is no other restriction you can simply achieve this token generation functionality from API-manager itself. There is an OathTokenEndPoint exposed by API-M. You can call this endpoint with client-key and secret to get a token.[2]
[1] - http://movingaheadblog.blogspot.com/2014/02/securing-your-web-service-with-oauth2.html
[2] - https://docs.wso2.org/display/IS410/OAuth+2.0+Grant+Types+with+WSO2+API+Manager+Authorization+Code