Using WSO2 API Manager store with third party Key Manager

Nuwandi Wickramasinghe
5 min read · Sep 11, 2016


Hi everyone, WSO2 API Manager is a great product to publish and manage your APIs. One major service it provides is securing your APIs, which brings OAuth into action. For a long time WSO2 API Manager used in-built OAuth components or gave the flexibility to use WSO2 Identity Server as its key manager, so IS works as the OAuth server. Check https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Identity+Server+5.1.0+as+a+Key+Manager+with+API+Manager+1.10.0 for more information.

From WSO2 APIM version 1.9.0 and up, it gives the capability to configure a third-party key manager, which means you can generate all your keys and OAuth access tokens outside the WSO2 servers.

In this post, I’m going to show how I configured Surf OAuth as the key manager for WSO2 APIM 1.10.0 and how it works with the default APIM Store.

Get Surf up and running

Note that everything explained under this heading is a summary of the Starting the authorization server section of this document.

  1. Get surf-oauth.war from here and deploy it in Tomcat.

Run the following commands to move the web application to the ROOT context. This makes sure the Surf OAuth web application works on Tomcat.

rm -rf <path_to_tomcat>/webapps/ROOT
mv <path_to_tomcat>/webapps/surf-oauth <path_to_tomcat>/webapps/ROOT

After starting Tomcat, http://127.0.0.1:8080 should bring you to the following page. Click Login.

2. Click on Resource Servers in the left menu and add a new resource server as shown below. Give it two scopes: Contact name and email.

For the configuration on the WSO2 APIM side, you need a few values from here.

3. After saving the resource server, you can see the key and secret values for that resource.

4. Click Access Tokens. You should see at least one token. A token is generated each time you log in to Surf OAuth. You need one valid access token for WSO2 APIM.

5. We need the client registration endpoint to call when creating OAuth clients from the WSO2 side. Surf OAuth doesn’t support spec-compliant dynamic client registration yet, but we can use the same endpoint Surf OAuth’s own UI uses to create clients. In order to get the endpoint URL, I used the developer tools in Google Chrome.

After navigating to the Network tab in developer tools, click on Client Applications. You will see a call to the “client” endpoint (check the image). The URL of that call is needed in the WSO2 APIM configuration.

Configuring API Manager

Now the API Manager needs to be informed about Surf OAuth, so that it delegates the key management functionality to Surf.

For API Manager to use Surf as its key manager, a custom key manager implementation (extending the AbstractKeyManager class) is needed. This class builds the requests and parses the responses in the format Surf OAuth expects.

https://github.com/jaadds/surf-oauth-demo contains a custom Key Manager implementation which supports Surf OAuth. I have made some changes to this library in the fork https://github.com/nuwandiw/surf-oauth-demo/tree/v2.0.0with_store1 to make it support the API Manager Store, which gives you a UI to create keys and tokens. In this post, we are going to use that library and create tokens with the API Manager Store.

Let’s get started.

<APIM_HOME> is the API Manager distribution folder.

  1. Download gateway.client-1.0.0.jar from here. Alternatively you can build the project from https://github.com/nuwandiw/surf-oauth-demo/tree/v2.0.0with_store1/nl.surfnet.demo.client and get the jar.
  2. Copy gateway.client-1.0.0.jar into the <APIM_HOME>/repository/components/lib folder.
  3. Open api-manager.xml located in the <APIM_HOME>/repository/conf folder, uncomment the <APIKeyManager> element and configure it as explained below.

Replace the following values with your own:

RegistrationEndpoint: the client registration endpoint discussed in step 5 of the previous section
AccessToken: a valid access token from Surf OAuth (check step 4 in the previous section)
ConsumerKey: the resource server key from Surf OAuth (check step 3 in the previous section)
ConsumerSecret: the resource server secret from Surf OAuth (check step 3 in the previous section)
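To make the shape of the configuration concrete, here is an added example of what the <APIKeyManager> element in api-manager.xml looks like once it points at Surf OAuth. This is my own illustration, not a file taken from the post or from the surf-oauth-demo project: the four child elements under <Configuration> are the ones named above, the KeyManagerClientImpl class name and the registration endpoint path are assumptions (check the fork you deployed for the real class name, and use the URL you captured in step 5), and the key, secret and token values are placeholders.

```xml
<!-- api-manager.xml, inside <APIManager>. Added example; values are placeholders. -->
<APIKeyManager>
    <!-- Fully qualified name of the class from gateway.client-1.0.0.jar that
         extends AbstractKeyManager. ASSUMPTION: the class is named as below;
         verify it against the jar you built or downloaded. -->
    <KeyManagerClientImpl>nl.surfnet.demo.SurfOAuthClient</KeyManagerClientImpl>
    <Configuration>
        <!-- Step 5: the "client" endpoint seen in the browser's Network tab.
             ASSUMPTION: path shown here is illustrative; paste the URL you captured. -->
        <RegistrationEndpoint>http://127.0.0.1:8080/admin/client</RegistrationEndpoint>
        <!-- Step 4: an access token issued to the Surf OAuth admin login.
             APIM presents this token when it calls the registration endpoint. -->
        <AccessToken>REPLACE_WITH_SURF_ADMIN_ACCESS_TOKEN</AccessToken>
        <!-- Step 3: key and secret of the resource server you created. -->
        <ConsumerKey>REPLACE_WITH_RESOURCE_SERVER_KEY</ConsumerKey>
        <ConsumerSecret>REPLACE_WITH_RESOURCE_SERVER_SECRET</ConsumerSecret>
    </Configuration>
</APIKeyManager>
```

Two things worth checking once this is in place. First, the AccessToken and ConsumerSecret now sit in plaintext in a configuration file, so restrict read access to api-manager.xml to the account running API Manager, and consider the Carbon Secure Vault (cipher-tool) for encrypting them. Second, the endpoint here is plain HTTP on 127.0.0.1, which matches the Tomcat setup above; if Surf OAuth runs on another host, switch the endpoint to HTTPS, because every key-generation call from the Store sends the admin token across that link.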

Generating keys with APIM Store

All the configurations are done and you are good to go.

  1. Start API Manager.
  2. Go to API Manager store and login with admin:admin credentials. By default you can access Store with the URL http://localhost:9763/store
  3. Click on My Applications from the top menu and add new application. (providing only application name is enough)
  4. Click on My Subscriptions and pick the newly created application in previous step, from Applications With Subscriptions drop down.
  5. Then click Generate Keys in the production environment. It will create the Consumer Key and Consumer Secret values as shown below.

Access Surf OAuth from your browser and you will notice a newly created client application. Its name is derived from your application name. My application was named SurfOauthApp, so in Surf OAuth a client application is created with the name SurfOauthApp_PRODUCTION.

6. Go to the edit view of the client application in Surf OAuth (just click on the application name) and make sure the client_credentials grant type is enabled and a token expiration time is specified.

7. Then go back to the API Manager Store and click the Re-Generate button in the production environment. That will create an access token for that application.

If you have subscribed to any APIs with this application, you can use this access token to call them.

That’s it :)
