Configure WSO2 Identity Server for Self Service Authorization using Admin REST APIs
In this article we are going to take a look at how we can use the Admin REST APIs for Self-service authorization.
Before you begin
Please read the following articles
- How-To: Access Requests & Approvals in WSO2 Identity Server.
- Self-service Authorization for Admin Rest APIs in WSO2 Identity Server.
The Problem
The aim is to let users send access requests for the Admin REST APIs and let an authorized approver perform the approval.
From the above readings you will see that access requests and approvals for the Admin REST APIs are not available out of the box, but that the WSO2 Identity Server can be extended to provide them.
The Solution
The user journey will be as follows:
Steps to configure the Identity Server
1. Build the project
- Clone the repository [1].
- Run the following in the cloned directory to build the project:
    mvn clean install
2. Configure Identity Server
- Copy the org.wso2.carbon.identity.extension.authz.rest.selfservice.valve.SelfServiceAuthzValve-1.0.jar to the <IS_HOME>/repository/components/dropins/ directory.
- Add the valve configuration to the catalina-server.xml.j2 file in the <IS_HOME>/repository/resources/conf/templates/repository/conf/tomcat/ directory, as shown below. Edit the template rather than the generated catalina-server.xml, because the template is rendered into it at start-up. Tomcat runs valves in the order they are listed, so place the SelfServiceAuthzValve entry after the existing AuthenticationValve entry; that way every request has already been authenticated by the time the self-service valve inspects it.
    <Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
    <Valve className="org.wso2.carbon.identity.extension.authz.rest.selfservice.valve.SelfServiceAuthzValve"/>
3. Start the WSO2 Identity Server.
4. Create the roles, using the APP_ prefix in each role name.
5. Create the XACML policy that restricts access to the APIs to specific user roles.
6. Add workflows
- Add the Workflow Definitions that allow the approver to perform approvals.
- Add the Workflow Engagements; these trigger the event that sends the requests.
With these configurations in place, the Identity Server intercepts the request and runs the access-request and approval process.
Test your application
The selected Admin REST APIs are now part of the request and approval process: you can invoke them without admin privileges, and the call is intercepted and goes through the access-request and approval flow.
The code snippet below, based on jQuery, can be used for testing.
Note: because the jQuery snippet runs in the browser from a different origin, make sure the Identity Server's CORS configuration allows access to the API endpoints you are testing.
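As an added example of the test described above (this is not code from the original article or from the linked repository), the following plain-JavaScript client calls an Admin REST API as an ordinary user so that the SelfServiceAuthzValve can intercept it. It assumes, since the page does not say, that the SCIM2 PATCH on /scim2/Groups/{id} is one of the covered APIs, that the server listens on the default https://localhost:9443, and that a request handed to a workflow is answered with HTTP 202 while an XACML deny yields 403. The fetch implementation is injectable so the client can be dry-run offline against a stub before pointing it at a live server.

```javascript
// Added example (not code from the original article or the linked repository):
// a client that calls a WSO2 Identity Server Admin REST API as a non-admin user
// so that the SelfServiceAuthzValve can intercept the call and route it into the
// approval workflow.
//
// Assumptions not stated on the page:
//   - PATCH /scim2/Groups/{id} is one of the APIs covered by the valve and the
//     XACML policy;
//   - the server listens on the default https://localhost:9443;
//   - a request handed to a workflow is answered with HTTP 202, a directly
//     executed one with 200/201, and an XACML deny with 403.
// Runs in Node 18+ (global fetch); the Buffer fallback keeps it browser-usable.

const BASE_URL = 'https://localhost:9443'; // assumed default port

// Step 4 of the procedure: only roles carrying the APP_ prefix take part in the
// self-service flow, so refuse to build a request for anything else.
function isSelfServiceRole(roleName) {
  return typeof roleName === 'string' && roleName.startsWith('APP_');
}

// HTTP Basic credentials of the *requesting* user, not of an administrator.
function basicAuthHeader(username, password) {
  const raw = `${username}:${password}`;
  const encoded = typeof Buffer !== 'undefined'
    ? Buffer.from(raw, 'utf8').toString('base64')
    : btoa(raw);
  return `Basic ${encoded}`;
}

// SCIM2 PatchOp body that adds one member (the requesting user) to a group.
function buildAddMemberPatch(userId, username) {
  return {
    schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
    Operations: [
      { op: 'add', value: { members: [{ value: userId, display: username }] } },
    ],
  };
}

// Translate the HTTP status of the intercepted call into what happened.
function classifyResponse(status) {
  if (status === 200 || status === 201) return 'applied';   // executed directly
  if (status === 202) return 'pending-approval';            // handed to the workflow (assumed)
  if (status === 401) return 'unauthenticated';             // bad or missing credentials
  if (status === 403) return 'denied';                      // XACML policy denied the caller
  return `unexpected:${status}`;
}

// Send the access request. `fetchImpl` is injectable so the function can be
// exercised offline against a stub; otherwise it uses the global fetch.
async function requestRoleMembership(opts) {
  const { groupId, roleName, userId, username, password, fetchImpl = globalThis.fetch } = opts;
  if (!isSelfServiceRole(roleName)) {
    throw new Error(`refusing to request ${roleName}: only APP_ roles are self-service`);
  }
  const res = await fetchImpl(`${BASE_URL}/scim2/Groups/${encodeURIComponent(groupId)}`, {
    method: 'PATCH',
    headers: {
      Authorization: basicAuthHeader(username, password),
      'Content-Type': 'application/scim+json',
      Accept: 'application/scim+json',
    },
    body: JSON.stringify(buildAddMemberPatch(userId, username)),
  });
  return { status: res.status, outcome: classifyResponse(res.status) };
}

// Offline stub standing in for the Identity Server: records the request it
// received and answers with a fixed status.
function stubFetch(status) {
  const captured = { calls: [] };
  const impl = async (url, init) => {
    captured.calls.push({
      url, method: init.method, body: JSON.parse(init.body),
      authorization: init.headers.Authorization,
    });
    return { status };
  };
  return { impl, captured };
}

// Dry run with constructed sample data: pretend the workflow engaged (202).
async function dryRun() {
  const { impl, captured } = stubFetch(202);
  const result = await requestRoleMembership({
    groupId: 'f1c2', roleName: 'APP_finance', userId: 'u-1',
    username: 'alice', password: 'secret', fetchImpl: impl,
  });
  return { ...result, captured: captured.calls[0] };
}

if (typeof require !== 'undefined' && require.main === module) {
  dryRun().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

To run it against a real server, drop the `fetchImpl` option so the global fetch is used, and pass the credentials of the non-admin user who is requesting the APP_ role; an `outcome` of `pending-approval` means the call was diverted into the workflow rather than executed, while `denied` points at the XACML policy.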
References
[1] https://github.com/johannnallathamby/wso2-is-authz-rest-selfservice