Exposing APIs in WSO2 API Manager to Users in Key Cloak via Federation - 2

Vithursa Mahendrarajah
API Integration Essentials
4 min readFeb 14, 2020

In this blog, I’m going to provide the remaining steps to set up the OIDC flow, with the relevant claim mapping, between API Manager and IS-KM.

Now, we will create users in KeyCloak. The steps to create a user in the Master realm are given below:

1. Log in to the KeyCloak Admin Console as Admin by browsing to the following URL:

https://localhost:8443/auth/admin/master/console/

2. Select Manage -> Users under the Master realm and click Add User. Refer to Fig. 1.

Figure 1: Add User in KeyCloak

3. After saving the user, roles can be added to the user as shown in Fig. 2. In this example, I have assigned a role named subscriber to the user in KeyCloak.

Figure 2: Role Mappings of User in KeyCloak

To map roles in KeyCloak to roles in IS-KM, the role claim must be included in the self-contained access token returned by the KeyCloak token endpoint. To add the role claim to the token, we need to create a Mapper.

Click Configure -> Clients, select the client you created, navigate to the Mappers tab and create a new mapper. A sample configuration for the mapper is given in Fig. 3.

Figure 3: Creating Role Mapper

As mentioned in my previous blog, we have created a service provider in IS-KM. In that service provider, we need to add the following claim configuration. Edit the service provider created in IS-KM and add a claim mapping between preferred_username and http://wso2.org/claims/displayName as a mandatory claim, as shown in Fig. 4.

Figure 4: Claim configuration of Service Provider

Role and claim mappings should be added to the Identity Provider created in IS-KM to map the relevant roles. Edit the identity provider by selecting it and add the claim mapping under Claim Configuration -> Basic Claim Configuration, as shown in Fig. 5.

Figure 5: Claim Mapping in Identity Provider

Here, we are mapping the role claim from KeyCloak to http://wso2.org/claims/role in IS-KM. Next, we need to add role mapping in the Identity Provider: map the role coming from KeyCloak to a role that exists in IS-KM. For instance, a user must have the Internal/Subscriber role to log in to the Store. An example role mapping is shown in Fig. 6.

Figure 6: Role Mapping in Identity Provider
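The claim and role mapping configured in Figs. 4 to 6, modelled in Python as an added example (this is not code from the post, from WSO2 or from KeyCloak). It assumes the KeyCloak mapper emits the roles in a claim named role, that the token is a compact JWT, and it does not verify the signature, which IS-KM does against the KeyCloak JWKS; the point it adds is that an unmapped KeyCloak role is dropped rather than passed through, so a user without the subscriber role never reaches the Store.

```python
import base64
import json

# Claim mapping configured on the IS-KM identity provider (Fig. 5):
# KeyCloak claim name -> WSO2 claim URI. The claim name "role" is an assumption.
CLAIM_MAPPING = {
    "preferred_username": "http://wso2.org/claims/displayName",
    "role": "http://wso2.org/claims/role",
}

# Role mapping configured on the IS-KM identity provider (Fig. 6):
# KeyCloak role -> IS-KM local role.
ROLE_MAPPING = {"subscriber": "Internal/Subscriber"}

# Role a user must hold to log in to the Store.
STORE_REQUIRED_ROLE = "Internal/Subscriber"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check is done here;
    IS-KM validates the token against KeyCloak's JWKS before using claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_claims(payload: dict) -> dict:
    """Translate KeyCloak claims to WSO2 claim URIs and apply the role mapping."""
    local = {}
    for kc_claim, wso2_uri in CLAIM_MAPPING.items():
        if kc_claim not in payload:
            continue
        value = payload[kc_claim]
        if kc_claim == "role":
            roles = value if isinstance(value, list) else [value]
            # Only roles with a configured mapping become local roles.
            value = [ROLE_MAPPING[r] for r in roles if r in ROLE_MAPPING]
        local[wso2_uri] = value
    return local


def can_login_to_store(payload: dict) -> bool:
    """displayName is a mandatory claim (Fig. 4); the Store needs Internal/Subscriber."""
    claims = map_claims(payload)
    if "http://wso2.org/claims/displayName" not in claims:
        return False
    return STORE_REQUIRED_ROLE in claims.get("http://wso2.org/claims/role", [])


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not a real KeyCloak token; signature is a placeholder).
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"preferred_username": "alice", "role": ["subscriber", "offline_access"]}),
    "placeholder-signature",
])
```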

Now we are in the final step of configuration ^_^.

To configure OIDC in the API Manager Store, add the following configuration to <APIM_Home>/repository/deployment/server/jaggeryapps/store/site/conf/site.json:

"oidcConfiguration" : {
    "enabled" : "true",
    "issuer" : <Name of the service provider created in WSO2 IS>,
    "identityProviderURI" : <Token endpoint of WSO2 IS>,
    "authorizationEndpointURI" : <Authorization endpoint of WSO2 IS>,
    "tokenEndpointURI" : <Token endpoint of WSO2 IS>,
    "userInfoURI" : <User info endpoint of WSO2 IS>,
    "jwksURI" : <JWKS endpoint of WSO2 IS>,
    "logoutEndpointURI" : <Logout endpoint of WSO2 IS>,
    "authHttpMethod" : "POST",
    "clientConfiguration" : {
        "clientId" : <client-id generated for the application>,
        "clientSecret" : <client-secret generated for the application>,
        "responseType" : "code",
        "authorizationType" : "authorization_code",
        "scope" : "phone email address openid profile",
        "redirectURI" : <API Manager Store redirect URL>,
        "postLogoutRedirectURI" : <API Manager Store URL>,
        "clientAlgorithm" : "RS256"
    }
}

A sample configuration is given below:

"oidcConfiguration" : {
    "enabled" : "true",
    "issuer" : "StoreSP",
    "identityProviderURI" : "https://localhost:9444/oauth2/token",
    "authorizationEndpointURI" : "https://localhost:9444/oauth2/authorize",
    "tokenEndpointURI" : "https://localhost:9444/oauth2/token",
    "userInfoURI" : "https://localhost:9444/oauth2/userinfo",
    "jwksURI" : "https://localhost:9444/oauth2/jwks",
    "logoutEndpointURI" : "https://localhost:9444/oidc/logout",
    "authHttpMethod" : "POST",
    "clientConfiguration" : {
        "clientId" : "viKMWqo2I2yIZRD1yR1oTbux6EEa",
        "clientSecret" : "CEU8XA8Xs4fLQZyKlaiBkRfpltAa",
        "responseType" : "code",
        "authorizationType" : "authorization_code",
        "scope" : "phone email address openid profile",
        "redirectURI" : "https://localhost:9443/store/jagg/jaggery_oidc_acs.jag",
        "postLogoutRedirectURI" : "https://localhost:9443/store/",
        "clientAlgorithm" : "RS256"
    }
}

Ok. Now we have completed the configuration. Start your API Manager and browse to the Store Portal at the URL:

https://localhost:9443/store

If you click Login, you will be redirected to the KeyCloak login page. Since we mapped the Internal/Subscriber role to the subscriber role in KeyCloak, the user will be able to log in to the Store… Yeyy. ^_^

Resources: Part 1, Exposing APIs in WSO2 API Manager to Users in Key Cloak via Federation - 1, can be found here.

Vithursa Mahendrarajah
API Integration Essentials

Software Engineer at WSO2, Electronic &Telecommunication Engineering Graduate, University of Moratuwa. Also like to be a content crafter ^_^