Enable ws-security for proxy service - wso2-api-manager

Currently we have enabled ws-security in wso2 esb using policy file and role based authorization using Active Directory.
We would like to transition some of these services to wso2 api manager and implement the same security model.
How do we secure these APIs (that are facing web service client and not the backend web service) using ws-security on api manager?

To secure the APIs on API manager you can follow this guide. It provides various methods that can secure the APIs. Further if you need to implement role based authorization to the APIs in API manager you can refer to this tutorial.
Hope this helps.
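What a UsernameToken policy on the API Manager side actually enforces, as an added worked example that is not code from the original answer or from WSO2: a client builds a `<wsse:Security>` header with a PasswordDigest UsernameToken (digest = Base64(SHA-1(nonce || created || password)), as in the WS-Security UsernameToken Profile), and the server side verifies the digest against the user store, refuses cleartext PasswordText, rejects stale `Created` timestamps and replayed nonces. The user dictionary stands in for the Active Directory user store; the fixed nonce and timestamp values are constructed so the run is repeatable.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the UsernameToken Profile: Base64(SHA-1(nonce || created || password))."""
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    ).decode()


def build_security_header(username, password, nonce=None, created=None):
    """Client side: the <wsse:Security> header a SOAP client sends.
    nonce/created are parameters only so that a run is repeatable."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:UsernameToken>"
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security>"
    )


class UsernameTokenVerifier:
    """Server side: the checks a UsernameToken policy performs before the request reaches the service."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users            # constructed stand-in for the AD/LDAP user store
        self.max_skew = max_skew      # tolerated clock skew on wsu:Created
        self.seen_nonces = set()      # replay cache; expire entries by age in a real deployment

    def verify(self, security_xml, now=None):
        now = (datetime.strptime(now, TS_FMT).replace(tzinfo=timezone.utc)
               if now else datetime.now(timezone.utc))
        try:
            token = ET.fromstring(security_xml).find(f"{{{WSSE}}}UsernameToken")
        except ET.ParseError:
            return False, "malformed XML"
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return False, "only PasswordDigest accepted"   # refuse cleartext PasswordText
        if not (username and nonce_b64 and created):
            return False, "missing fields"
        try:
            created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False, "malformed token"
        if abs(now - created_dt) > self.max_skew:
            return False, "stale Created"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        password = self.users.get(username)
        # Compute the digest even for unknown users so the response time does not reveal valid usernames.
        expected = password_digest(nonce, created, password or "")
        if password is None or not hmac.compare_digest(expected, pw.text or ""):
            return False, "bad credentials"
        self.seen_nonces.add(nonce)
        return True, username
```

The replay cache and the skew window are what make PasswordDigest worth using over PasswordText: without them a captured header can be replayed indefinitely, and the digest alone does not prove the request is fresh.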

Related

How to handle backend credentials in WSO2 API Manager?

I am using WSO2 API Manager 3.2.0 and I am going to design some REST services that use my backend service. This backend service has basic authentication, so how do I invoke and handle it in APIM?
You can define endpoint security when you are developing the API, in the Endpoints section of the API in the Publisher portal.
For more information, see documentation.

How to configure external Web Service (REST) for Authentication in WSO2?

I have a separate Dotnet web service API to authenticate users. How can I configure it with WSO2 API Manager?
I have already configured WSO2 API Manager with an external IdP (Keycloak). Is this what I'm looking for, or can it be achieved in a different way?
If you are looking for a way to replace your user store(LDAP/AD/JDBC), with your Dotnet service, you might want to write a new custom user store manager extending the CarbonRemoteUserStoreManger class. There, you should invoke your custom APIs to authenticate, retrieve users. Then you can add a secondary/primary user store with your custom user store manager implementation.
If you want to configure your Dotnet service as a Federated IdP in the API Manager server, you might have to write a Custom Federated Authenticator to communicate with your Dotnet service to authenticate the users. There you should be overriding the initiateAuthenticationRequest and processAuthenticationResponse.
Editing the answer with the new context on the issue:
In order to generate or validate tokens with an external party (Dotnet service), WSO2 needs to know the service contract of that service beforehand. The way you feed that information to the WSO2 APIM server is by writing an extension to the Key Manager service of the WSO2 APIM server.
By default WSO2 APIM has the implementation to talk to its own Key Manager component and the WSO2 Identity Server. But you need to write the logic (request/response templates) to validate tokens with your dotnet service. This is the official documentation for this. These two Medium posts as well are written on that topic.
Blog 1
Blog 2
Basically, you need to write a simple java extension project to the mentioned interface, so that WSO2 knows how to talk to your service. A sample such implementation written for Okta as a Key Manager is pointed here.
Regarding your concern on validating both the token types;
Yes, it's possible using a custom key manager interface as described above. Once you receive the token at the API Manager side, if you can distinguish whether the token was issued by your Dotnet service or by WSO2 itself from your Java logic (maybe the token length), then your logic should divert the validation request respectively to the WSO2 default Key Validation service (call super()) or to your Dotnet service call. If you can't distinguish between the two tokens just by looking at them, then you can try both the servers to check if either can validate it. (There's a security vulnerability in that.)
Hope this helps.

WSO2 Identity Server SCIM API Internationalization

We are using WSO2 Identity Server SCIM APIs for user management (i.e. creating, listing, updating and authenticating users) in our application. We are also using the WSO2 API Manager token API for fetching access tokens. Our application supports internationalization and we have to display error messages received as responses from the above-mentioned APIs in the localized language.
Does WSO2 support localization for these APIs? If so, is there any reference link to help with the implementation.
Currently WSO2 IS/APIM does not support API level localization. Only UI level localization[1] is supported.
[1] https://docs.wso2.com/display/AM210/Adding+Internationalization+and+Localization

WSO2 API Manager Federated IDP Access Token

How can I pass the access token created on an OpenIdConnect Federated IDP to the developer application?
Currently, the federated access token doesn't get passed through the API Manager and the API Manager generates a new access token for the application.
You won't be able to plug in an external IDP and generate access tokens using an out-of-the-box API Manager. But you can implement a custom keymanager implementation and plug an external third party keymanager into API Manager and then use those tokens. See Configuring a Third-Party Key Manager in the product documentation regarding this. It has a sample where "Surf OAuth Authorization Server" is used as the key manager. You will be able to implement a similar thing for your scenario.
The following are some good posts related to this feature.
https://amilasnotes.wordpress.com/2015/06/20/customizing-key-validation-flow/
https://amilasnotes.wordpress.com/2015/05/19/integrating-with-a-third-party-oauth-provider-overview/
https://amilasnotes.wordpress.com/2015/06/07/provisioning-oauth-clients-created-out-of-band/
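The dispatch logic that both the Dotnet answer above and this one describe (a custom key manager that decides which issuer to validate a token against), as an added illustration that is not WSO2's Java interface or any poster's code: the two validators are constructed stand-ins (an opaque-token store for the default WSO2 key validation, an HS256 JWT check with a shared secret for the external service), `classify` routes by token structure rather than length, and tokens matching neither format are refused without asking either backend. The "try both" fallback the earlier answer warns about is shown beside it for contrast.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LocalOpaqueValidator:
    """Stand-in for default WSO2 key validation: opaque tokens looked up in a local store."""

    def __init__(self):
        self._store = {}

    def issue(self, subject, scopes):
        token = secrets.token_hex(16)          # 32 hex characters, no structure
        self._store[token] = {"sub": subject, "scope": scopes}
        return token

    def validate(self, token, now=None):
        info = self._store.get(token)
        return dict(info, issuer="local") if info else None


class ExternalJwtValidator:
    """Stand-in for the external (Dotnet) token service, modelled as HS256 JWTs over a shared secret."""

    def __init__(self, secret: bytes, issuer: str):
        self._secret = secret
        self._issuer = issuer

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self._secret, signing_input.encode(), hashlib.sha256).digest()

    def issue(self, subject, scopes, exp):
        header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url_encode(json.dumps(
            {"iss": self._issuer, "sub": subject, "scope": scopes, "exp": exp}).encode())
        return f"{header}.{payload}.{b64url_encode(self._sign(f'{header}.{payload}'))}"

    def validate(self, token, now):
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            # Pin the algorithm: refuse "none" and algorithm substitution before touching the signature.
            if not isinstance(header, dict) or header.get("alg") != "HS256":
                return None
            if not hmac.compare_digest(self._sign(f"{header_b64}.{payload_b64}"), b64url_decode(sig_b64)):
                return None
            claims = json.loads(b64url_decode(payload_b64))
        except ValueError:
            return None
        if not isinstance(claims, dict) or claims.get("iss") != self._issuer or claims.get("exp", 0) <= now:
            return None
        return {"sub": claims.get("sub"), "scope": claims.get("scope"), "issuer": "external"}


def classify(token):
    """Decide the issuer from the token's structure, never its length: a JWT is three
    base64url segments whose first segment is a JSON object with an "alg" member."""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            header = json.loads(b64url_decode(parts[0]))
            if isinstance(header, dict) and "alg" in header:
                return "external"
        except ValueError:
            pass
    if re.fullmatch(r"[0-9a-f]{32}", token):
        return "local"
    return None


class KeyValidationDispatcher:
    def __init__(self, local, external):
        self.local = local
        self.external = external

    def validate(self, token, now):
        """Route each token to exactly one validator; unrecognised formats are rejected outright."""
        kind = classify(token)
        if kind == "local":
            return self.local.validate(token, now)
        if kind == "external":
            return self.external.validate(token, now)
        return None

    def validate_try_both(self, token, now):
        """The fallback the earlier answer warns about. Every unrecognised string is sent to the
        external service, and whichever validator says yes wins, so the effective assurance is
        that of the weaker issuer and the caller cannot apply per-issuer policy."""
        return self.local.validate(token, now) or self.external.validate(token, now)
```

Returning `issuer` in the result is deliberate: the gateway can then restrict which APIs or scopes externally issued tokens may reach, which the "try both" form cannot express.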

wso2 products and alfresco integration

I've found this tutorial about installing Alfresco on WSO2 Appserver.
http://sanjeewamalalgoda.blogspot.com/2011/09/how-to-install-alfresco-on-wso2.html
Does this mean I can delegate authentication to the wso2 security configuration also? I wouldn't want to have to manage security in both places separately.
If I were to deploy Alfresco in wso2 I would want to use the wso2 Identity Server for authentication. I was thinking about Alfresco running in wso2 Appserver using identity server for authentication and ESB for the Alfresco services. Is this approach suitable for other apps as well?
Is that possible?
WSO2 Identity Server has an LDAP interface. So we can get third party software to use that interface and authenticate.
Moreover, if you host Alfresco within WSO2 Application Server, then the application is using the security framework exposed by the WSO2 Carbon platform, thus the security integration becomes seamless.
Not only will you be able to leverage the security model of the WSO2 platform, but you will also be able to leverage monitoring, logging, and also the cloud capabilities such as multi-tenancy, billing and metering when you host your applications using WSO2 Application Server. So you will be better off focusing on the business logic and the solution aspects, while the WSO2 platform can off-load the cross-cutting QoS concerns from you.