Migrate/Import Existing Oauth2 Clients into WSO2 APIM while Preserving Client Credentials

Umendra Rajapakshe
4 min read · Dec 8, 2019


(Image source: claritypartners.com)

In this tutorial, I will guide you through migrating your existing OAuth2 clients into a new WSO2 APIM setup while preserving each client's existing credentials (Client ID and Client Secret). This is especially useful if you have OAuth2 clients that have already published their credentials in production: reusing the credentials you are currently using in your new APIM setup saves a lot of time and trouble. Let's get started!

For this tutorial I will be using WSO2 IS to create the OAuth2 client, but the approach discussed here is IdP independent. The following are the details of my existing client, created using WSO2 IS.

In WSO2 IS and APIM, a “service provider” must be created to represent each external service that requests authentication and/or authorization; hence the OAuth2 configuration is done within the “service provider”. You can read more about the terminology and architecture from here.

The main objective here is to create a new Application within WSO2 APIM and bring the credentials of the above OAuth2 client into that application.

To do this you must first add the following configuration to the <APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file:
"mapExistingAuthApps" : "true"

If you are using APIM 3.0.0 or above, instead of the above configuration add the following to the <APIM_3.0.0_HOME>/repository/conf/deployment.toml file:
[apim.devportal]
enable_key_provisioning = true

Once this is done, start the APIM server. Then go to the carbon console and create a service provider. As mentioned before, in APIM each Application created from the Store/Dev-portal has a “Service Provider” created for it underneath, which holds some of the configuration for that particular application. But simply creating a new service provider would mean creating fresh credentials all over again. Instead, there is an option to create a service provider from a “file configuration”, which allows you to create a client with pre-defined credentials.

But what does this file configuration look like? If you created your OAuth client using WSO2 IS, you can export the entire service provider configuration from the management console.

Make sure to include the secrets when exporting.

If your client was created in a different IdP, you can still use the same configuration file as a template and replace the required details. The following is the configuration file you would get if you were to export the service provider from the IS carbon console.

You should change configurations such as ApplicationName and Description, and most importantly you must replace the credentials within the <oAuthAppDO> element and the Client ID within the <InboundAuthKey> tags with the credentials of your already existing OAuth2 client. Note that this file now holds a live client secret, so store and transfer it the way you would any other secret.

Once that is done, create a service provider in APIM by importing the configuration file as mentioned previously. You will now see the imported service provider under the list of service providers.

Errors can occur on import when some grant types are not supported by APIM; in such cases remove those grant types from the configuration file under the <grantTypes> tag and then proceed to import.
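The two file edits above (swapping in the existing credentials, and pruning grant types APIM will reject) are easy to get wrong by hand, especially keeping the InboundAuthKey and the consumer key in sync. The following is an added example, not code from the article or from WSO2: it rewrites a constructed, simplified service-provider template and then verifies the invariants the import depends on. The element names oauthConsumerKey and oauthConsumerSecret, the nesting of oAuthAppDO, and the SUPPORTED_GRANTS set are assumptions; adjust them to match your actual export and APIM version.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified template. Real WSO2 exports carry more elements and may
# wrap the OAuth block differently; names below are assumptions modelled on the article.
TEMPLATE = """<ServiceProvider>
  <ApplicationName>exported-app</ApplicationName>
  <Description>exported from IS</Description>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>OLD_CLIENT_ID</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <oAuthAppDO>
          <oauthConsumerKey>OLD_CLIENT_ID</oauthConsumerKey>
          <oauthConsumerSecret>OLD_SECRET</oauthConsumerSecret>
          <grantTypes>authorization_code password client_credentials urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm</grantTypes>
        </oAuthAppDO>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
</ServiceProvider>"""

# Grant types assumed to be accepted by the target APIM; adjust for your version.
SUPPORTED_GRANTS = {"authorization_code", "implicit", "password", "client_credentials", "refresh_token"}


def rewrite_template(xml_text, app_name, description, client_id, client_secret, supported=SUPPORTED_GRANTS):
    """Return (rewritten XML, list of grant types that were dropped as unsupported)."""
    root = ET.fromstring(xml_text)
    root.find("ApplicationName").text = app_name
    root.find("Description").text = description
    app = root.find(".//oAuthAppDO")
    # The client ID appears twice: as the inbound auth key and as the consumer key.
    # Both must agree or the Dev-portal cannot map the provided keys to this service provider.
    root.find(".//InboundAuthKey").text = client_id
    app.find("oauthConsumerKey").text = client_id
    app.find("oauthConsumerSecret").text = client_secret
    grants = app.find("grantTypes")
    requested = grants.text.split()
    dropped = [g for g in requested if g not in supported]
    grants.text = " ".join(g for g in requested if g in supported)
    return ET.tostring(root, encoding="unicode"), dropped


def verify(xml_text, supported=SUPPORTED_GRANTS):
    """Pre-import check: InboundAuthKey equals the consumer key and no unsupported grant type remains."""
    root = ET.fromstring(xml_text)
    app = root.find(".//oAuthAppDO")
    keys_match = root.find(".//InboundAuthKey").text == app.find("oauthConsumerKey").text
    return keys_match and set(app.find("grantTypes").text.split()) <= set(supported)
```

Run `verify` on the final file before importing; a False result means the import will either fail on a grant type or succeed with keys the Dev-portal cannot link.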

Finally, sign in to the Dev-portal/Store of APIM and create an application. When creating the application you will have the option to “Provide Keys to the application”.

Hit the “Provide Keys” button, add the Client credentials from the imported service provider and click the save button. This will link the Application with the imported service provider.

That's it! You have now successfully created an Application in WSO2 APIM by importing the client credentials from an existing OAuth2 client.
