Securing WSO2 Enterprise Integrator Proxy Services using OAuth2.0

Krishni Andradi
WSO2 Solution Architecture Team Blog
4 min read · Aug 12, 2019

WSO2 Enterprise Integrator

WSO2 Enterprise Integrator (EI) is an integration platform that mediates communication between disparate applications. Instead of every application having to speak each of the others' protocols and message formats, each one only has to talk to WSO2 EI, which does the translation.

Proxy Service

A proxy service is a virtual service that receives messages and optionally processes them before forwarding them to a service at a given endpoint. The proxy service allows you to perform necessary transformations and introduce additional functionality without changing your actual service.

WSO2 Enterprise Integrator lets you create proxy services, and out of the box it can protect them with HTTP basic authentication.

In this post we look instead at authenticating callers of these proxy services with OAuth 2.0 bearer tokens.

Here I use Okta as the OAuth 2.0 authorization server, i.e. the identity provider that issues and signs the access tokens.

Use case

[Figure: Okta OAuth 2.0 authentication use case diagram]

Generate token using Okta IDP

The first step in building this use case is obtaining an access token from Okta. You need a valid Okta account; if you do not have one, create a free developer account.

  1. Create an OAuth application in Okta. I created this application for the authorization code grant; if you use a different grant type the following steps change, but token generation for every grant type is described in the Okta documentation.
  2. Obtain an authorization code by sending the user through the authorization server's /authorize endpoint with response_type=code.
  3. Exchange the authorization code for an access token at the /token endpoint with grant_type=authorization_code. Keep the access token: it is what the client will present to the proxy service.

Okta token verification

Okta publishes token verification libraries that handle signature checking against the org's JWKS endpoint together with the issuer, audience and expiry checks. Since the mediator is written in Java, I use the Okta JWT Verifier for Java.

The verification library is imported into the verification mediator class, and the verification itself is implemented as described in the Okta documentation.

Writing a custom mediator to verify the token

To write a custom Java class mediator for WSO2 Enterprise Integrator, create a class that extends org.apache.synapse.mediators.AbstractMediator and put the token verification logic in its mediate(MessageContext) method. Returning true lets the message continue through the sequence; returning false stops mediation at that point.

First, create a Maven project and add the class to its src folder. To compile against AbstractMediator you need the Synapse core dependency, which comes from the WSO2 public Maven repository, so add both the dependency and the repository to the pom.xml.

In addition, add the Okta JWT verifier libraries to the pom.xml.

Now let's look at how the token verification logic is implemented inside the mediate method.

The first thing to do is extract the OAuth 2.0 JWT access token from the message context. The Synapse MessageContext is cast to Axis2MessageContext, whose underlying Axis2 message context exposes the incoming transport headers as a map. A little string parsing on the Authorization header then yields the bearer token. In the project linked at the end of this post, getAccessTokenString and its helper methods implement this extraction.

Next, the extracted access token is verified against Okta.
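The following class is an added example of the mediator described above; it is my own illustration, not the code from the linked project. It assumes the Okta JWT Verifier for Java (com.okta.jwt) on the classpath, and the issuer URL, audience, package name and the scope name proxy:invoke are placeholders to be replaced with your own values. Beyond what the post describes, it also rejects the request with an empty HTTP 401 directly from the mediator and enforces a required scope from the token's scp claim.

```java
package com.example.ei.oauth; // hypothetical package name

import java.time.Duration;
import java.util.Collection;
import java.util.Map;

import org.apache.axis2.Constants;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.core.axis2.Axis2Sender;
import org.apache.synapse.mediators.AbstractMediator;

import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;

/**
 * Class mediator that lets a request through only if its Authorization header
 * carries an Okta-issued access token that verifies against the org's JWKS.
 */
public class OktaTokenVerifyMediator extends AbstractMediator {

    // Assumed values: replace with your Okta org / authorization server and API.
    private static final String ISSUER = "https://dev-123456.okta.com/oauth2/default";
    private static final String AUDIENCE = "api://default";
    private static final String REQUIRED_SCOPE = "proxy:invoke"; // hypothetical scope

    // Built once per mediator instance; the verifier caches Okta's signing keys.
    private final AccessTokenVerifier verifier = JwtVerifiers.accessTokenVerifierBuilder()
            .setIssuer(ISSUER)
            .setAudience(AUDIENCE)
            .setConnectionTimeout(Duration.ofSeconds(2))
            .build();

    @Override
    public boolean mediate(MessageContext synCtx) {
        String token = extractBearerToken(synCtx);
        if (token == null) {
            return reject(synCtx, "missing or malformed Authorization header");
        }
        Jwt jwt;
        try {
            // Verifies the signature (via cached JWKS), iss, aud, exp/nbf and token type.
            jwt = verifier.decode(token);
        } catch (JwtVerificationException e) {
            return reject(synCtx, "token verification failed: " + e.getMessage());
        }
        if (!hasScope(jwt, REQUIRED_SCOPE)) {
            return reject(synCtx, "token lacks scope " + REQUIRED_SCOPE);
        }
        // Expose the caller identity to the rest of the sequence (e.g. for logging).
        synCtx.setProperty("oauth.subject", jwt.getClaims().get("sub"));
        return true;
    }

    /** Returns the raw token from "Authorization: Bearer <token>", or null. */
    static String extractBearerToken(MessageContext synCtx) {
        org.apache.axis2.context.MessageContext axis2Ctx =
                ((Axis2MessageContext) synCtx).getAxis2MessageContext();
        Object headers = axis2Ctx.getProperty(
                org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
        if (!(headers instanceof Map)) {
            return null;
        }
        for (Map.Entry<?, ?> h : ((Map<?, ?>) headers).entrySet()) {
            if ("authorization".equalsIgnoreCase(String.valueOf(h.getKey()))) {
                String value = String.valueOf(h.getValue()).trim();
                // The scheme is case-insensitive; the token itself is not.
                if (value.regionMatches(true, 0, "Bearer ", 0, 7) && value.length() > 7) {
                    return value.substring(7).trim();
                }
                return null;
            }
        }
        return null;
    }

    /** Okta places the granted scopes in the "scp" claim as a list of strings. */
    static boolean hasScope(Jwt jwt, String scope) {
        Object scp = jwt.getClaims().get("scp");
        return scp instanceof Collection && ((Collection<?>) scp).contains(scope);
    }

    /** Sends an empty 401 back to the client (as the Respond mediator does) and stops mediation. */
    @SuppressWarnings("unchecked")
    private boolean reject(MessageContext synCtx, String reason) {
        log.warn("Rejecting request: " + reason);
        org.apache.axis2.context.MessageContext axis2Ctx =
                ((Axis2MessageContext) synCtx).getAxis2MessageContext();
        Object headers = axis2Ctx.getProperty(
                org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
        if (headers instanceof Map) {
            ((Map<String, Object>) headers).put("WWW-Authenticate", "Bearer");
        }
        axis2Ctx.setProperty("HTTP_SC", 401);
        axis2Ctx.setProperty("NO_ENTITY_BODY", Boolean.TRUE);
        synCtx.setTo(null);
        synCtx.setResponse(true);
        axis2Ctx.getOperationContext().setProperty(Constants.RESPONSE_WRITTEN, "SKIP");
        Axis2Sender.sendBack(synCtx);
        return false;
    }
}
```

The verifier is created once as a field, so the JWKS fetch and key cache are shared across requests rather than repeated per message. The constants could equally be exposed as setters and supplied through the Class mediator's properties in the proxy configuration. Whatever you do, never fall through to the backend on a verification error: the failure branch must end the sequence.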

Finally, build the Maven project and copy the generated jar to the <EI_HOME>/lib folder. Copy all third-party libraries the mediator uses (the Okta verifier jars and everything they depend on) to the <EI_HOME>/extensions folder as well.

After copying the jars, restart the Integrator profile for the changes to take effect.

Associating custom mediator in ESB Proxy flow

WSO2 Integration Studio is an Eclipse-based drag-and-drop IDE for WSO2 Enterprise Integrator, used to develop ESB mediation flows, write transformations, debug and so on.

Open WSO2 Integration Studio and create an ESB project, then create a SOAP proxy service in it.

In the proxy's In Sequence, drag and drop a Class mediator to run the token verification class. Select the mediator and edit its properties to point it at the custom class; the class name must be fully qualified, including the package.

After the Class mediator, drag and drop a Call mediator and add the endpoint you want to invoke. Because the Class mediator runs first, the backend is only called for requests that carried a valid token.

Deploy the project to the server as a CAR (Composite Application) file.

Run it !!!

To run this example I use SoapUI. First create a SOAP project in SoapUI; if you have a WSDL, add it when creating the project.

Add a request payload with the input values and pass the OAuth token as an HTTP header.

The header name is Authorization and the value is Bearer <oauth_token>. The header name and the Bearer scheme are case-insensitive; the token itself is not.

Now execute the request. You can follow the message flow in the server console logs. Try it once more with the header removed or the token altered: the proxy should reject the request before the backend is called.

Conclusion

In this example we looked at how to add OAuth 2.0 authentication to an Enterprise Integrator proxy service with Okta as the IdP (identity provider). The same approach works with any OAuth 2.0 provider: only the verification logic in the custom mediator class needs to change.

For example, if you want to verify the token with WSO2 Identity Server instead, replace the Okta verification in the mediator with WSO2 Identity Server's token validation.
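As an added example of such a swap, not code from the post or the linked project, the class below validates a token by calling the OAuth 2.0 token introspection endpoint (RFC 7662) that WSO2 Identity Server exposes. The endpoint URL, the basic-auth credentials that protect it and the org.json dependency used to parse the response are assumptions; in the mediator above, the call to verifier.decode(token) would be replaced by a check that introspect(token) returns a non-null result.

```java
package com.example.ei.oauth; // hypothetical package name

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Scanner;

import org.json.JSONObject; // assumed dependency: org.json:json

/**
 * Validates an access token (opaque or JWT) by asking the WSO2 Identity Server
 * introspection endpoint whether it is currently active.
 */
public final class WSO2ISIntrospector {

    private final String endpoint;  // assumed: https://localhost:9443/oauth2/introspect
    private final String basicAuth; // the endpoint itself is protected by HTTP Basic auth

    public WSO2ISIntrospector(String endpoint, String username, String password) {
        this.endpoint = endpoint;
        this.basicAuth = "Basic " + Base64.getEncoder().encodeToString(
                (username + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the introspection response if the token is active, or null if it is not. */
    public JSONObject introspect(String token) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(2000);
        conn.setReadTimeout(2000);
        conn.setRequestProperty("Authorization", basicAuth);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("token=" + URLEncoder.encode(token, "UTF-8"))
                .getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        if (conn.getResponseCode() != 200) {
            // Do not treat an unreachable or failing IdP as a valid token.
            throw new IOException("introspection endpoint returned HTTP " + conn.getResponseCode());
        }
        String json;
        try (Scanner s = new Scanner(conn.getInputStream(), StandardCharsets.UTF_8.name())
                .useDelimiter("\\A")) {
            json = s.hasNext() ? s.next() : "";
        }
        JSONObject resp = new JSONObject(json);
        // RFC 7662: anything other than "active": true means the token must not be accepted.
        return resp.optBoolean("active", false) ? resp : null;
    }

    /** Checks that the space-separated "scope" value of an active token includes a scope. */
    public static boolean hasScope(JSONObject introspection, String scope) {
        for (String s : introspection.optString("scope", "").split(" ")) {
            if (s.equals(scope)) {
                return true;
            }
        }
        return false;
    }
}
```

Two practical points follow from this design. Introspection costs one HTTPS round trip per request, so for high-volume proxies cache positive results for a short time well below the token lifetime. And because the call goes over TLS, the Identity Server's certificate must be trusted by EI's client trust store (<EI_HOME>/repository/resources/security/client-truststore.jks); the default WSO2 certificate that both products ship with should be replaced in production.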

In addition, if you want to protect a data service with OAuth 2.0, simply call the data service (DSS) API from the ESB flow behind this proxy, so the same token check applies. Make sure the data service is not also reachable directly, otherwise the check can be bypassed.

Feel free to look at the following code if you need further clarification.

[1] Token verification custom class mediator Maven project: https://andradikla@bitbucket.org/andradikla/oauthverifyclassmediator.git

[2] ESB proxy project: https://andradikla@bitbucket.org/andradikla/proxyservicetest.git

Thank you
