Exposing APIs in WSO2 API Manager to Users in Key Cloak via Federation - 1

Vithursa Mahendrarajah
API Integration Essentials
6 min read · Jun 25, 2019

I am going to walk through the steps to expose APIs in WSO2 API Manager to federated users in KeyCloak. We can deploy this integration by configuring WSO2 Identity Server between API Manager and KeyCloak; it does not require any custom extensions.

We configure Identity Server as the key manager for API Manager and then configure KeyCloak as a federated identity provider in IS. I will walk through the steps with API Manager version 2.6.0, Identity Server version 5.7.0 and KeyCloak version 6.0.0.

As the first step, we configure Identity Server as the key manager for API Manager. To reduce the manual effort, WSO2 provides a prepackaged product, IS as KM, which does not require any features to be installed manually. The compatible IS as KM version for API Manager 2.6.0 is 5.7.0.

  • Download and unzip IS as KM 5.7.0 and API Manager 2.6.0. Configure a port offset of 1 in <IS-KM-Home>/repository/conf/carbon.xml of IS as KM:
<Offset>1</Offset>
  • We need to install and configure an RDBMS. Here I use a MySQL server. Download the MySQL JDBC connector from [1] and copy it into the <Server-Home>/repository/components/lib directory of both API Manager and IS as KM.
  • Create databases for the User DB, Registry DB and AM_DB. The scripts for these databases can be found in the following paths:
  1. User DB - <Server-Home>/dbscripts/mysql5.7.sql
  2. Registry DB - <Server-Home>/dbscripts/mysql5.7.sql
  3. AM_DB - <Server-Home>/dbscripts/apimgt/mysql5.7.sql
  • Configure the data sources in master-datasources.xml, which is in the <Server-Home>/repository/conf/datasources directory. The following is a sample configuration to add to master-datasources.xml:
<datasource>
    <name>WSO2_AM_DB</name>
    <description>Datasource used for API Manager DB</description>
    <jndiConfig>
        <name>jdbc/WSO2AM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://<ip-address>:<port>/<db-name>?useSSL=false</url>
            <username>$username</username>
            <password>$password</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>

The default data source configuration for AM_DB points to the H2 database. We need to replace it with new configurations like the one above for AM_DB, REG_DB and UM_DB.

  • Add the following configuration in <IS-KM-Home>/repository/conf/user-mgt.xml (the element is <Configuration> under <Realm>):
<Configuration>
    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</Configuration>

Note that the property value here must be the jndiConfig name given for the user DB.

  • Configure the user store manager to the JDBC user store: comment out the default ReadWriteLDAPUserStoreManager and uncomment JDBCUserStoreManager in <IS-KM-Home>/repository/conf/user-mgt.xml.
  • Add the registry database configuration in registry.xml, which resides in the <IS-KM-Home>/repository/conf directory, to give the key manager access to the registry database:
<dbConfig name="govregistry">
    <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>
<remoteInstance url="https://<ip>:<port>/registry">
    <id>gov</id>
    <cacheId>user@jdbc:mysql://<ip>:<port>/<$db-name></cacheId>
    <dbConfig>govregistry</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
</remoteInstance>
<mount path="/_system/governance" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/governance</targetPath>
</mount>
<mount path="/_system/config" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/config</targetPath>
</mount>

Note that the dataSource name in the above configuration must be the jndiConfig name given for the registry DB.

  • Configure the API Manager gateway URL in <ServerURL>https://${gateway-server-host}:${port}/services/</ServerURL> under <APIGateway> in <IS-KM-Home>/repository/conf/api-manager.xml.
  • Configure the token revocation URL in <RevokeAPIURL>https://${gateway-worker-server-host}:8244/revoke</RevokeAPIURL> under <OAuthConfigurations> in <IS-KM-Home>/repository/conf/api-manager.xml.
  • Configure the data source name of JDBCPersistenceManager (in <IS-KM-Home>/repository/conf/identity.xml) to the jndiConfig name defined for AM_DB in master-datasources.xml.
  • Change the following configurations to point to the IS-KM server in api-manager.xml, which resides in the <APIM-Home>/repository/conf directory:
<APIManager>
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <ServerURL>https://${IS-server}:9444/services/</ServerURL>
    </AuthManager>
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <ServerURL>https://${IS-server}:9444/services/</ServerURL>
    </APIKeyValidator>
</APIManager>
  • Enable the WS client for communication between the gateway and the key manager in api-manager.xml:
<APIKeyValidator>
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
    <EnableThriftServer>false</EnableThriftServer>
</APIKeyValidator>
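
The wiring above depends on three files agreeing with each other: the dataSource names in user-mgt.xml and registry.xml must resolve to a jndiConfig name defined in master-datasources.xml. As an added check (not part of the original post), the following Python script cross-checks constructed sample fragments that mirror the snippets on this page, and also flags JDBC URLs that still carry useSSL=false and credentials left as $-placeholders; the element paths are those of the snippets shown here, the hostnames and credentials are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments mirroring the blog's snippets (not real server files):
# the registry reference is deliberately dangling, AM_DB keeps the blog's useSSL=false
# and $-placeholders, and UM_DB shows the corrected form.
MASTER_DATASOURCES = """<datasources-configuration><datasources>
  <datasource><name>WSO2_AM_DB</name><jndiConfig><name>jdbc/WSO2AM_DB</name></jndiConfig>
    <definition type="RDBMS"><configuration>
      <url> jdbc:mysql://db.internal.test:3306/am_db?useSSL=false </url>
      <username>$username</username><password>$password</password>
    </configuration></definition></datasource>
  <datasource><name>WSO2_UM_DB</name><jndiConfig><name>jdbc/WSO2UM_DB</name></jndiConfig>
    <definition type="RDBMS"><configuration>
      <url>jdbc:mysql://db.internal.test:3306/um_db?useSSL=true&amp;requireSSL=true</url>
      <username>wso2um</username><password>ChangeMe-Um-1</password>
    </configuration></definition></datasource>
</datasources></datasources-configuration>"""
USER_MGT = ('<UserManager><Realm><Configuration><Property name="dataSource">'
            'jdbc/WSO2UM_DB</Property></Configuration></Realm></UserManager>')
REGISTRY = ('<wso2registry><dbConfig name="govregistry"><dataSource>'
            'jdbc/WSO2REG_DB</dataSource></dbConfig></wso2registry>')

def defined_datasources(master_xml):
    """Map each jndiConfig name in master-datasources.xml to its <datasource> element."""
    return {(ds.findtext("jndiConfig/name") or "").strip(): ds
            for ds in ET.fromstring(master_xml).iter("datasource")}

def check_wiring(master_xml, user_mgt_xml, registry_xml):
    """Return findings: dangling JNDI references from user-mgt.xml/registry.xml, JDBC
    URLs with TLS switched off, and credentials left as $ placeholders ([] = consistent)."""
    findings = []
    defined = defined_datasources(master_xml)
    references = {
        "user-mgt.xml dataSource": ET.fromstring(user_mgt_xml).findtext(".//Property[@name='dataSource']"),
        "registry.xml dbConfig/dataSource": ET.fromstring(registry_xml).findtext(".//dbConfig/dataSource"),
    }
    for where, name in references.items():
        if (name or "").strip() not in defined:
            findings.append(f"{where}: {name!r} is not a jndiConfig name in master-datasources.xml")
    for jndi, ds in defined.items():
        url = (ds.findtext("definition/configuration/url") or "").strip()
        if "useSSL=false" in url:
            findings.append(f"{jndi}: JDBC URL disables TLS (useSSL=false)")
        for field in ("username", "password"):
            value = (ds.findtext("definition/configuration/" + field) or "").strip()
            if not value or value.startswith("$"):
                findings.append(f"{jndi}: <{field}> is empty or still a placeholder")
    return findings
```

To run it against a real installation, read the three files from <IS-KM-Home>/repository/conf and pass their contents to check_wiring.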

Now we have configured Identity Server as the key manager for API Manager ^_^. Next, we do the configurations in KeyCloak, which is the federated identity provider.

Download and unzip the KeyCloak pack. Start the KeyCloak server with the following command from <KeyCloak_Home>/bin:

sh standalone.sh

Browse to the Administration Console at https://localhost:8443/auth/ and create the admin user by providing a username and password. Log in to the KeyCloak Admin Console as admin by browsing the URL given below (using the credentials you just created):

https://localhost:8443/auth/admin/master/console/

We need to create a Client in KeyCloak whose “Root URL” is https://localhost:9443/commonauth, the common-auth endpoint of IS. Refer to the images (Fig. 1 and Fig. 2) below to create the Client in KeyCloak:

Figure 1: Client listing page in KeyCloak
Figure 2: Add Client page in KeyCloak

Next, we add an Identity Provider for KeyCloak in IS. Start Identity Server and go to the Management Console by browsing the following URL:

https://<IP-address>:9444/carbon

Register an Identity Provider by selecting “Add” under Main -> Identity -> Identity Providers and fill in the KeyCloak OIDC endpoints.

Figure 3: Add IdP in Identity Server

Add the OIDC configuration of KeyCloak in the respective fields. Refer to the image (Fig. 4) below for sample configurations:

Figure 4: IdP configuration in Identity Server
Authorization endpoint of KeyCloak: https://localhost:8443/auth/realms/master/protocol/openid-connect/auth
Token endpoint of KeyCloak: https://localhost:8443/auth/realms/master/protocol/openid-connect/token

Enable Just-In-Time (JIT) provisioning as shown in Fig. 5:

Figure 5: Enable JIT provisioning in auth code flow

A user must have the required internal roles in order to log in to the Store portal. JIT provisioning facilitates this, since it lets us provision users with internal roles via the role mapping and claim mapping features.

As the next step, create a Service Provider in Identity Server by selecting “Add” under Main -> Identity -> Service Providers in the Management Console.

Configure OAuth/OpenID Connect Configuration under Inbound Authentication Configuration as shown in Fig. 6.

Figure 6: Inbound Authentication Configuration

Add https://localhost:9443/store/jagg/jaggery_oidc_acs.jag as the callback URL in the OIDC configuration and save. After adding this configuration, you will see the generated client-id and client-secret under the OAuth/OpenID Connect Configuration tab as shown in Fig. 7.

Figure 7: OAuth/OpenID Connect Configuration

Select Federated Authentication as the Authentication Type under Local & Outbound Authentication Configuration as shown in Fig. 8.

Figure 8: Outbound Authentication Configuration

The certificate of KeyCloak needs to be imported into the TrustStore of Identity Server so that the SSL handshake with KeyCloak succeeds.

We can use self-signed certificates for local testing. These must be replaced with CA-signed certificates in a production environment. The default keystore of KeyCloak is named application.keystore and is located in the <KeyCloak_Home>/standalone/configuration directory. We can replace it with our own self-signed certificate.

Create a self-signed certificate using the following keytool command:

keytool -genkey -alias keyCloak -keyalg RSA -keysize 2048 -validity 3600 -keystore application.keystore -dname "CN=localhost,OU=WSO2,O=IT,L=MV,S=Western,C=US" -storepass password -keypass password

We can export the public certificate of the generated self-signed key pair using the following keytool command:

keytool -export -keystore application.keystore -alias keyCloak -file publicCert.crt -storepass password

The certificate file will be generated in the <KeyCloak_Home>/standalone/configuration directory. Using the following command, we can import that public certificate into the truststore of IS, which can be found in the <IS_Home>/repository/resources/security directory:

keytool -import -alias keyCloak -file publicCert.crt -keystore client-truststore.jks -trustcacerts -storepass wso2carbon
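
The three keytool steps above, automated as an added example (not from the original post) with a verification the post does not show: after the import it compares the SHA256 fingerprint of the exported publicCert.crt with the entry that is now in the truststore, so a wrong file or alias is caught before IS is restarted. It assumes a JDK keytool on PATH and uses a temporary directory in place of the real KeyCloak and IS directories; the alias, distinguished name and passwords are the ones the post uses.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed values, taken from the blog's keytool commands; the working directory is a
# temp dir standing in for <KeyCloak_Home>/standalone/configuration and
# <IS_Home>/repository/resources/security.
ALIAS = "keyCloak"
DNAME = "CN=localhost,OU=WSO2,O=IT,L=MV,S=Western,C=US"
STORE_PASS = "password"    # application.keystore password used in the blog
TRUST_PASS = "wso2carbon"  # default password of the IS client-truststore.jks

def keytool(*args):
    """Run one keytool invocation and return its stdout; raise if it fails."""
    return subprocess.run(["keytool", *args], check=True,
                          capture_output=True, text=True).stdout

def sha256_fingerprint(keytool_output):
    """Extract the SHA256 fingerprint from `keytool -printcert` or `-list -v` output."""
    match = re.search(r"SHA256:\s*([0-9A-Fa-f:]+)", keytool_output)
    return match.group(1).upper() if match else None

def provision_trust(workdir):
    """Generate, export and import the certificate exactly as the blog does, then
    verify the entry IS now trusts matches the exported file by fingerprint."""
    if shutil.which("keytool") is None:          # no JDK here: report, don't fail
        return {"status": "skipped", "reason": "keytool not on PATH"}
    ks, crt, ts = (workdir / n for n in
                   ("application.keystore", "publicCert.crt", "client-truststore.jks"))
    keytool("-genkeypair", "-alias", ALIAS, "-keyalg", "RSA", "-keysize", "2048",
            "-validity", "3600", "-keystore", str(ks), "-dname", DNAME,
            "-storepass", STORE_PASS, "-keypass", STORE_PASS)
    keytool("-export", "-keystore", str(ks), "-alias", ALIAS, "-file", str(crt),
            "-storepass", STORE_PASS)
    keytool("-import", "-noprompt", "-trustcacerts", "-alias", ALIAS, "-file", str(crt),
            "-keystore", str(ts), "-storepass", TRUST_PASS)
    exported = sha256_fingerprint(keytool("-printcert", "-file", str(crt)))
    trusted = sha256_fingerprint(keytool("-list", "-v", "-keystore", str(ts),
                                         "-alias", ALIAS, "-storepass", TRUST_PASS))
    return {"status": "ok", "exported": exported, "trusted": trusted,
            "match": exported is not None and exported == trusted}

def demo():
    """Run the whole procedure in a throwaway directory and return the verdict."""
    return provision_trust(Path(tempfile.mkdtemp(prefix="kc-trust-")))
```

Against a real deployment, point provision_trust at the actual directories (or split the import step out) and treat a False "match" as a reason not to restart IS.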

We have now added the configurations for federated authentication using OpenID Connect between KeyCloak and Identity Server. We still need to add the respective role and claim mappings so that the provisioned user gets the permissions needed to log in to the API Store.

I will cover the remaining steps in my next blog ^_^.

[1] https://dev.mysql.com/downloads/connector/j/

Vithursa Mahendrarajah
Software Engineer at WSO2, Electronic & Telecommunication Engineering Graduate, University of Moratuwa. Also like to be a content crafter ^_^