Role based key generation in WSO2 API Manager

Once you on-board a customer and give them the subscriber role, they can log in to the developer portal and generate keys for the production and sandbox environments. Generating keys in the developer portal creates an OAuth application (consumer key / secret pair) in the key manager and also generates an access token (mostly for testing purposes) using the client_credentials grant type.

The requirement: role based key generation

Your enterprise might require that only some of your customers (say, certified customers) can generate keys for the production environment, while the others can generate keys only for the sandbox environment. As a concrete example, suppose your enterprise has two roles, prod-subscriber and sandbox-subscriber. Any user with the prod-subscriber role can generate production keys and invoke production APIs; similarly, any user with the sandbox-subscriber role can generate sandbox keys and invoke sandbox APIs. Once you are happy with a customer in the sandbox environment, you assign them the prod-subscriber role to promote them to the production environment.

The solution

WSO2 API Manager allows you to attach workflows to the major actions performed in the developer portal, such as registering applications, generating keys and subscribing to APIs, so that you have some control over who can do what there. For example, if a workflow is attached to application registration, then when a customer creates an application the request goes into an intermediary state until it is approved. Approval can be manual or automatic. Manual approval involves BPEL and Human Tasks; see https://docs.wso2.com/display/AM1100/Managing+Workflow+Extensions for details.

Automatic approval involves a Java task, and it is the best fit for our role based key generation use case. Basically, we write a simple Java class (called a workflow executor) that is executed whenever a customer generates keys in the developer portal. This class checks the customer's roles and approves or rejects the key generation request.

The implementation

The source code of this role based key generation workflow executor can be found at https://github.com/R-Rajkumar/wso2-bespokes/tree/master/workflows/role-based-app-registration-workflow-executor

This applies to WSO2 API Manager 1.10. However, the same concept and implementation (with updated dependencies) can be used in the latest releases as well.

The deployment

  • Get the source code from https://github.com/R-Rajkumar/wso2-bespokes/tree/master/workflows/role-based-app-registration-workflow-executor and build it using Maven.
  • Copy role-based-app-registration-workflow-executor/target/role-based-app-registration-workflow-executor-1.0.0.jar to the APIM_HOME/repository/components/dropins folder. This should be done on the Store (developer portal) nodes.
  • Restart the server.
  • Log in to the APIM management console and select Browse under Resources.
  • Go to the /_system/governance/apimgt/applicationdata/workflow-extensions.xml resource, disable the Simple Workflow Executor and enable the custom workflow executor for the ProductionApplicationRegistration workflow. The final configuration looks like this:
    <WorkFlowExtensions>
    .....
    <!--ProductionApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
    <ProductionApplicationRegistration executor="com.raj.gateway.bespokes.RoleBasedApplicationRegistrationWorkflowExecutor">
    <Property name="allowedRoles">prod-subscriber</Property>
    </ProductionApplicationRegistration>
    .....
    </WorkFlowExtensions>
  • That's all. Only users with the prod-subscriber role will be able to generate production keys. If anyone else tries, their request is rejected automatically.
  • If you want to allow multiple roles to generate production keys, give a comma separated list of roles as the allowedRoles property, as shown below.
    <WorkFlowExtensions>
    .....
    <!--ProductionApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
    <ProductionApplicationRegistration executor="com.raj.gateway.bespokes.RoleBasedApplicationRegistrationWorkflowExecutor">
    <Property name="allowedRoles">admin,prod-subscriber</Property>
    </ProductionApplicationRegistration>
    .....
    </WorkFlowExtensions>
  • If you want to allow all roles to generate production keys, give * as the allowedRoles property, as shown below.
    <WorkFlowExtensions>
    .....
    <!--ProductionApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
    <ProductionApplicationRegistration executor="com.raj.gateway.bespokes.RoleBasedApplicationRegistrationWorkflowExecutor">
    <Property name="allowedRoles">*</Property>
    </ProductionApplicationRegistration>
    .....
    </WorkFlowExtensions>
  • If you want to prevent all roles from generating production keys, remove the allowedRoles property, as shown below.
    <WorkFlowExtensions>
    .....
    <!--ProductionApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
    <ProductionApplicationRegistration executor="com.raj.gateway.bespokes.RoleBasedApplicationRegistrationWorkflowExecutor">
    </ProductionApplicationRegistration>
    .....
    </WorkFlowExtensions>

I've attached this Java executor to the production key generation workflow only, so it is not executed for the sandbox key generation workflow. This means any user with the subscriber role can still generate sandbox keys. If you want, you can attach the same Java executor to the sandbox key generation workflow too.
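To sanity-check a workflow-extensions.xml before you deploy it, here is an added Python example (not part of the executor on GitHub) that reads the ProductionApplicationRegistration entry and applies the allowedRoles rule exactly as described above: a comma separated list, * for everyone, and no property for nobody. How the real executor trims whitespace around role names is an assumption, as is the constructed sample config.

```python
import xml.etree.ElementTree as ET

SIMPLE_EXECUTOR = (
    "org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"
)
ROLE_BASED_EXECUTOR = (
    "com.raj.gateway.bespokes.RoleBasedApplicationRegistrationWorkflowExecutor"
)

# Constructed sample of the registry resource shown in the post (the
# "....." elision of the other workflows is left out so that it parses).
SAMPLE_CONFIG = """<WorkFlowExtensions>
<!--ProductionApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
<ProductionApplicationRegistration executor="com.raj.gateway.bespokes.RoleBasedApplicationRegistrationWorkflowExecutor">
<Property name="allowedRoles">admin,prod-subscriber</Property>
</ProductionApplicationRegistration>
</WorkFlowExtensions>"""


def production_registration(config_xml):
    """Return (executor class, allowedRoles text or None) for the
    ProductionApplicationRegistration workflow; (None, None) if absent."""
    root = ET.fromstring(config_xml)
    node = root.find("ProductionApplicationRegistration")
    if node is None:
        return None, None
    prop = node.find("Property[@name='allowedRoles']")
    return node.get("executor"), (prop.text if prop is not None else None)


def may_generate_production_keys(allowed_roles, user_roles):
    """Decision rule from the post: missing property rejects everyone,
    '*' approves everyone, otherwise approve only if the user holds at
    least one listed role. Trimming whitespace is an assumption."""
    if allowed_roles is None:
        return False
    allowed = {r.strip() for r in allowed_roles.split(",") if r.strip()}
    if "*" in allowed:
        return True
    return bool(allowed & set(user_roles))


def check_user(config_xml, user_roles):
    """Predict the outcome for a user under the configured executor."""
    executor, allowed_roles = production_registration(config_xml)
    if executor == SIMPLE_EXECUTOR:
        return True  # the default executor approves every request
    if executor == ROLE_BASED_EXECUTOR:
        return may_generate_production_keys(allowed_roles, user_roles)
    raise ValueError("unexpected executor: %r" % executor)
```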

Note

This solution prevents a customer from creating an OAuth application (generating keys in the developer portal) for the production environment in the first place. If you are looking for a way to let a customer generate keys and tokens while preventing them from accessing production APIs, there is no way to do this in WSO2 API Manager, because it shares the same publisher/store/key-manager instances for both the production and sandbox environments (only the gateway environment differs). So the only way to prevent users who don't have the prod-subscriber role from accessing APIs on the production gateway is to prevent them from generating production keys in the API Store in the first place.

Refer to https://docs.wso2.com/display/AM1100/Customizing+a+Workflow+Extension to learn how to write a Java workflow executor.
