Exposing APIs in WSO2 API Manager to Users in Key Cloak via Federation - 2
In this blog, I’m going to cover the remaining steps needed to complete the OIDC flow, with the relevant claim mappings between API Manager and IS-KM.
Now, we will create users in KeyCloak. The steps to create a user in the Master realm are given below:
1. Log in to the KeyCloak Admin Console as Admin by browsing to the following URL:
https://localhost:8443/auth/admin/master/console/
2. Select Manage -> Users under the Master realm and click Add User. Refer to Fig. 1.
3. After saving the user, roles can be added to the user as shown in Fig. 2. In this example, I have assigned a role named subscriber to the user in KeyCloak.
To map the roles in KeyCloak to roles in IS-KM, the role claim should be included in the self-contained access token returned by the KeyCloak token endpoint. To add the role claim to the token, we need to create a Mapper.
Click Configure -> Clients, select the client you created, navigate to the Mappers tab and create a new mapper. A sample configuration for the mapper is given in Fig. 3.
As mentioned in my previous blog, we created a service provider in IS-KM. That service provider needs the following claim configuration: edit the service provider created in IS-KM and add a claim mapping between preferred_username and http://wso2.org/claims/displayName, marked as a mandatory claim, as shown in Fig. 4.
Role and claim mappings should also be added in the Identity Provider created in IS-KM, so that the relevant roles are mapped. Edit the identity provider by selecting it and add the claim mapping under Claim Configuration -> Basic Claim Configuration as shown in Fig. 5.
Here, we are mapping the role claim from KeyCloak to http://wso2.org/claims/role in IS-KM. Next, we need to add the role mapping in the Identity Provider: map the role coming from KeyCloak to a role that exists in IS-KM. For instance, a user must have the Internal/Subscriber role to log in to the Store. An example role mapping is shown in Fig. 6.
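The claim mapping (Fig. 4 and Fig. 5) and role mapping (Fig. 6) described above, worked through in code. This is an added example, not part of the original post or of WSO2's or KeyCloak's code; it assumes a self-contained token whose signature has already been verified against jwksURI, and the sample tokens it builds are constructed with a placeholder signature.

```python
import base64
import json

# Claim mapping configured in the IS-KM identity provider (Fig. 4 / Fig. 5):
# KeyCloak claim -> IS-KM local claim URI. preferred_username is mandatory.
CLAIM_MAPPING = {
    "preferred_username": "http://wso2.org/claims/displayName",
    "role": "http://wso2.org/claims/role",
}
MANDATORY_CLAIMS = {"preferred_username"}
# Role mapping configured in the IS-KM identity provider (Fig. 6).
ROLE_MAPPING = {"subscriber": "Internal/Subscriber"}
STORE_LOGIN_ROLE = "Internal/Subscriber"   # role the Store requires for login

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload of a self-contained token; signature check (via jwksURI) is assumed done."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "RS256":   # must match clientAlgorithm in site.json
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    return json.loads(_unb64url(payload_b64))

def map_to_local_claims(remote: dict) -> dict:
    """Apply the IdP claim mapping and role mapping the way IS-KM does."""
    missing = MANDATORY_CLAIMS - set(remote)
    if missing:   # a mandatory claim is absent: the login must fail
        raise ValueError("mandatory claim(s) missing: %s" % sorted(missing))
    local = {CLAIM_MAPPING[k]: v for k, v in remote.items() if k in CLAIM_MAPPING}
    roles = local.get(CLAIM_MAPPING["role"], [])
    if isinstance(roles, str):   # a mapper may emit a single string instead of a list
        roles = roles.split(",")
    # KeyCloak roles without a mapping entry never become IS-KM roles.
    local[CLAIM_MAPPING["role"]] = [ROLE_MAPPING[r] for r in roles if r in ROLE_MAPPING]
    return local

def can_login_to_store(token: str) -> bool:
    local = map_to_local_claims(decode_claims(token))
    return STORE_LOGIN_ROLE in local["http://wso2.org/claims/role"]

def make_sample_token(payload: dict) -> str:
    """Constructed sample token for offline use; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "placeholder-signature"])
```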
Now we are in the final step of configuration ^_^.
To configure OIDC in the API Manager Store, add the following configuration to <APIM_Home>/repository/deployment/server/jaggeryapps/store/site/conf/site.json:
  "oidcConfiguration" : {
    "enabled" : "true",
    "issuer" : <Name of the service provider created in WSO2 IS>,
    "identityProviderURI" : <Token endpoint of WSO2 IS>,
    "authorizationEndpointURI" : <Authorization endpoint of WSO2 IS>,
    "tokenEndpointURI" : <Token endpoint of WSO2 IS>,
    "userInfoURI" : <User info endpoint of WSO2 IS>,
    "jwksURI" : <JWKS endpoint of WSO2 IS>,
    "logoutEndpointURI" : <Logout endpoint of WSO2 IS>,
    "authHttpMethod" : "POST",
    "clientConfiguration" : {
      "clientId" : <Client ID generated for the application>,
      "clientSecret" : <Client secret generated for the application>,
      "responseType" : "code",
      "authorizationType" : "authorization_code",
      "scope" : "phone email address openid profile",
      "redirectURI" : <API Manager Store redirect URL>,
      "postLogoutRedirectURI" : <API Manager Store URL>,
      "clientAlgorithm" : "RS256"
    }
  }
A sample configuration is given below:
  "oidcConfiguration" : {
    "enabled" : "true",
    "issuer" : "StoreSP",
    "identityProviderURI" : "https://localhost:9444/oauth2/token",
    "authorizationEndpointURI" : "https://localhost:9444/oauth2/authorize",
    "tokenEndpointURI" : "https://localhost:9444/oauth2/token",
    "userInfoURI" : "https://localhost:9444/oauth2/userinfo",
    "jwksURI" : "https://localhost:9444/oauth2/jwks",
    "logoutEndpointURI" : "https://localhost:9444/oidc/logout",
    "authHttpMethod" : "POST",
    "clientConfiguration" : {
      "clientId" : "viKMWqo2I2yIZRD1yR1oTbux6EEa",
      "clientSecret" : "CEU8XA8Xs4fLQZyKlaiBkRfpltAa",
      "responseType" : "code",
      "authorizationType" : "authorization_code",
      "scope" : "phone email address openid profile",
      "redirectURI" : "https://localhost:9443/store/jagg/jaggery_oidc_acs.jag",
      "postLogoutRedirectURI" : "https://localhost:9443/store/",
      "clientAlgorithm" : "RS256"
    }
  }
OK, now we have completed the configuration. Start API Manager and browse to the Store portal at the following URL:
https://localhost:9443/store
If you click Login, you will be redirected to the KeyCloak login page. Since we mapped the Internal/Subscriber role to the subscriber role in KeyCloak, the user will be able to log in to the Store… Yeyy. ^_^
Resources: Exposing APIs in WSO2 API Manager to Users in Key Cloak via Federation - 1 can be found here.