OAuth2 is the modern standard for securing REST and SOAP APIs. However, many enterprises have existing SAML Identity Providers (IdP) that they use as their internal authentication standard. They would like their web and mobile applications to have end-users authenticate with these existing providers, translate that to OAuth, enforce access and policies, and pass the calls to the backend.
Today we will talk about how this works in the case of WSO2 API Cloud. The one-time setup is:
- Configure the cloud to trust the IdP.
- In the Developer Portal (API Store), create your application and get its OAuth consumer secret and consumer key.
Now, let’s look at the way the actual authentication and API usage happens in the diagram above:
- Your web or mobile app asks the end-user to log in as it normally would.
- Your corporate Identity Provider (IdP) checks credentials and issues the SAML2 token.
- Now the application needs to generate the personalized OAuth2 token for that end-user and that app. For that, it invokes the API gateway’s Token API and passes the consumer key, consumer secret, and the SAML2 token.
- API gateway validates the SAML assertions with the IdP. If particular API Scopes are requested, the gateway also checks to see if the roles with which the scopes are associated match the roles in the SAML assertions.
- If validation is successful, API gateway returns the OAuth token and refresh token. The refresh token can be used to renew the OAuth token when it expires.
- Now the application has the OAuth token it needs and can use it to invoke the actual APIs.
- API gateway uses the OAuth token to identify the end-user, apply security and throttling policies, collect analytics data, and pass the calls to the backend. When the backend is invoked, end-user and application information is passed as a JWT.
That is it. See our documentation page for the specific configuration steps and token API calls, and use API Cloud’s Support menu if you need any help.
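As an added illustration of steps 3 and 5 above (example code, not part of the original post or of WSO2’s own SDK), the following Python builds the two Token API calls the application makes: the SAML2 bearer exchange (grant type from RFC 7522) and the later refresh, and checks the reply before the app uses it. The token endpoint URL is an assumed placeholder; consumer key, secret and assertion are constructed sample values.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://gateway.example.invalid/token"  # assumed placeholder, not a real endpoint
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type

def basic_auth_header(consumer_key, consumer_secret):
    """The Token API authenticates the application with its consumer key and secret."""
    creds = f"{consumer_key}:{consumer_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()

def token_request(consumer_key, consumer_secret, form):
    """Form-encoded POST to the Token API, authenticated as the application."""
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": basic_auth_header(consumer_key, consumer_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }

def saml_bearer_request(consumer_key, consumer_secret, saml_assertion_xml, scopes=()):
    """Exchange the IdP-issued SAML2 assertion for an OAuth2 token that is
    personalized for this end-user and this application (step 3 above)."""
    form = {
        "grant_type": SAML2_BEARER,
        # The assertion travels base64-encoded in the form body.
        "assertion": base64.b64encode(saml_assertion_xml.encode()).decode(),
    }
    if scopes:  # the gateway checks these against the roles in the assertion
        form["scope"] = " ".join(scopes)
    return token_request(consumer_key, consumer_secret, form)

def refresh_request(consumer_key, consumer_secret, refresh_token):
    """Renew the access token after it expires, using the refresh token (step 5)."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return token_request(consumer_key, consumer_secret, form)

def parse_token_response(body):
    """Confirm the Token API's JSON reply carries what the app needs before using it."""
    data = json.loads(body)
    missing = [k for k in ("access_token", "refresh_token", "expires_in") if k not in data]
    if missing:
        raise ValueError(f"token response missing {missing}")
    return data
```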
November 6-8 in London we will be holding our biggest European event of the year – WSO2Con Europe 2017. I will personally be there as well as our other key leaders, architects, and engineers, and many of our customers.
My personal request to all our cloud customers is to go ahead and submit a session proposal!
Conference talks are a great way to increase your own visibility and boost your career. And you also get perks including free airfare, hotel, and conference pass! There is a deadline of July 28 – so please try to meet it. If you cannot – please let me know so I can apply some lobbying for you. 🙂
If submitting your talks is not your thing (yet) go ahead and buy your conference pass today while the early bird discount is still in place.
Plus, the website also has lots of great recordings from earlier conferences.
I hope to see you in London in November!
After 4 months of beta and continuous improvements based on customer feedback, we have made WSO2 Device Cloud commercially available.
Pricing starts at just $2/device/month and goes down with volume.
Device Cloud is a SaaS solution for mobile device management. Administrators can add their corporate or employee-based smartphones and tablets, apply various policies, push applications, locate the devices, check for compliance and perform other management tasks.
This is a cost-effective solution that is:
- Easy to use – the administration and management are entirely web-based and maintained by WSO2,
- Secure – maintains corporate security standards,
- Makes employees more productive – by pushing the applications and policies they need,
- Saves money – by preventing device loss and empowering administrators and employees.
In the future, we will extend the scope of WSO2 Device Cloud even more by both adding more advanced enterprise mobility management (EMM) / mobile device management (MDM) features, and extending the scope to custom devices and internet of things (IoT) scenarios.
There is a free 2-week trial and the ability to start small and grow as you need.
Give WSO2 Device Cloud a try and let us know what you think.
WSO2 Identity Cloud is out of beta and fully available.
- Pricing starts at $2/user/month and goes down with volume to as little as 20 cents.
- You only pay for the users actually using the system. Your idle accounts don’t cost you anything.
- There is a fully functional 2-week trial.
- Identity Cloud includes single sign-on (SSO) for:
  - SaaS applications over standards-based federation (SAML 2.0, WS-Federation, OpenID Connect),
  - Homegrown apps over JWT,
  - Popular applications such as Salesforce.com, Zuora, NetSuite, GoToMeeting, Concur, AWS.
- Your end-users also get a brandable user portal with application catalog for easy application discovery.
Huge thanks to everyone who tried the beta and provided feedback. Thanks to that, we significantly improved the service, making the LDAP agent firewall-friendly and implementing custom URL functionality and theming for the user portal.
Try WSO2 Identity Cloud today and let us know what you think!
WSO2 API Cloud allows publishers to set API visibility to specific roles and also to use roles for OAuth scopes. With today’s update, we have made both of these easier because now there is a new user interface for custom role creation.
To add a new custom role to your organization in WSO2 Cloud:
1. Click Roles in the 9-dot menu at the top right:
2. In the Roles dialog box, click the Add Role button at the top left:
3. Give it a name and permissions (for API Cloud scenarios, they would likely at the very least need to have the subscriber permission), then click the Create Role button:
That’s it! Your role is now ready: you can add members to it, and use it for API visibility and OAuth scopes.
We have made it easier to pay for WSO2 Cloud services (API, Integration, Device, and Identity). When we launched initially, monthly credit card payments were the only option we provided. Now we have changed two things:
1. You can pay for a year ahead and save 10% of your subscription price:
2. And, if a credit card is not something that your purchasing department likes, you can get a regular invoice and pay via a wire transfer instead:
Whichever WSO2 Cloud service you choose, we want you to be able to pay for it conveniently (and save money along the way!)
On the 3rd step of editing APIs in WSO2 API Cloud, you can set the required authentication type for each resource:
We have already covered None as the option to allow invoking APIs without any authentication whatsoever. Today we will discuss the other options.
Application type means that the API will require OAuth tokens generated with the client credentials grant type. That grant type produces tokens specific to the subscription, not to the end-users.
So if a web or mobile application that subscribed to this API has multiple end-users, they will all be sharing the same token and the API backend will not “know” which end-user is invoking the API:
Application User type means that the API accepts OAuth tokens generated with the password grant type. These tokens are specific to the end-user – they require not just the application key but also the end-user’s username and password.
In this case, each end-user gets their own OAuth tokens even though they are using the same API subscription. The API Gateway then generates a JWT and uses it to pass application and user information to the API backend:
Application and Application User type means that the API accepts both kinds of tokens.
OAuth scopes are a great way to segregate access to APIs and data. Combined with roles they can also be a powerful way to limit who gets access to what.
Let’s have a look at how you can implement scopes in WSO2 API Cloud.
Let’s start with a sample WorldBank API that has two resources: /countries and /indicators – both taking a code parameter:
We have it published in the Developer Portal and can invoke either resource with no problem (as long as we are subscribed to the API):
Now let’s add two different scopes: one that only gives access to /countries and another that only gives access to /indicators.
To do this:
- Open the API for editing,
- Go to the third step (Manage),
- Scroll down and click the Add Scopes button:
- In the Define Scope dialog box, add the wb_geo scope for geographic data:
- Repeat the process to add the wb_eco scope (Economic data) to the API.
- Now you can see both scopes available for the API. Click the + Scope button next to the /countries resource to assign its scope:
- Pick Geographic data for /countries and Economic data for /indicators:
- That’s it: we defined two new scopes and applied them to two different REST resources. Now click Save and Publish to update the API:
Generate a scope-limited OAuth token
Now if you open the API in Developer Portal’s API Console, you will see two things: resources have notes about the scopes they need and attempts to invoke them with a regular OAuth key fail:
To generate an OAuth token with the OAuth scope included:
- In Developer Portal (a.k.a. API Store), click Applications,
- In the application list, click the application which you used to subscribe to the API (for example, DefaultApplication),
- Click the Production Keys tab,
- Scroll down to the Scopes section, select the scopes you want (for example, Geographic data), and click the Re-generate button (I picked “-1” as the validity period to have a non-expiring token):
- Now if you go back to the API, you can use the new token and successfully invoke the API:
If you want to limit scope access to particular groups of users, you follow the same procedure but this time also list the roles when adding your scopes. For example, in the screenshot below, I am limiting the wb_geo scope access to users in the researches role:
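To make the scope and role rules in this section concrete, here is an added Python model (example code, not WSO2’s own implementation) of the WorldBank setup above: which of the requested scopes a user’s roles allow the token endpoint to grant, and the gateway-side check that a resource’s scope is present in the token. Scope names, resource paths and the researches role come from the section; treating a scope defined without roles as open to any subscriber is an assumption.

```python
# Constructed model of the scope definitions from this section:
# scope name -> roles allowed to obtain it (empty set = no role restriction, assumed).
SCOPE_ROLES = {
    "wb_geo": {"researches"},  # Geographic data, limited to the researches role
    "wb_eco": set(),           # Economic data, no role restriction
}

# Which scope each REST resource of the WorldBank API was assigned.
RESOURCE_SCOPES = {
    "/countries": "wb_geo",
    "/indicators": "wb_eco",
}


def grant_scopes(requested, user_roles):
    """Scopes the token endpoint may put in the token for this user.

    A role-bound scope is granted only if the user holds at least one of its
    roles; unknown scopes are silently dropped rather than granted.
    """
    roles_held = set(user_roles)
    granted = set()
    for scope in requested:
        allowed_roles = SCOPE_ROLES.get(scope)
        if allowed_roles is None:
            continue
        if not allowed_roles or allowed_roles & roles_held:
            granted.add(scope)
    return granted


def can_invoke(resource, token_scopes):
    """Gateway-side check: the resource's scope must be carried by the token.

    A regular token with no scopes fails on every scoped resource, which is the
    behaviour observed in the API Console above. Unknown resources are denied.
    """
    required = RESOURCE_SCOPES.get(resource)
    if required is None:
        return False
    return required in set(token_scopes)
```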
It has just become a lot easier to connect your corporate directory to web applications. WSO2 Identity Cloud’s agent now initiates the connection to the cloud itself, and thus does not conflict with firewalls or require DMZ placement.
WSO2 Identity Cloud is a simple way to enable single sign-on (SSO) from your LDAP to your own and third-party web applications, and also to give end-users a nice application catalog portal to locate and access their apps. When we originally launched the offering, the cloud service initiated all connections to the LDAP agent, so you had to install the agent on a server visible on the internet. With today’s update, you no longer have to do that.
Now, you can install the agent on any server that can get to the internet itself. You can even take your own laptop with OpenLDAP running on it, and use that to evaluate our service.
All you have to do is:
1. Go to WSO2 Identity Cloud,
2. Sign in,
3. Click the Connect your user store button,
4. Click Connect my LDAP to Cloud to download the agent:
5. Follow the instructions on the agent download page to download the agent and configure it to connect to your LDAP and your cloud account:
6. Once the cloud starts seeing the agent, your users can start using their LDAP credentials to access the applications you hooked up to the cloud:
See detailed documentation here: Configuring an On-premise User Store
Dynamic Endpoint functionality of API Cloud allows you to dynamically pick the backend to which each call is routed based on the call’s properties.
For example, suppose you have an API that has two resources /countries and /regions:
And suppose the actual implementation of the functionality is at two different backends. /countries is implemented by first.backend.url and /regions by something.different.url.
Fear not, this is fairly easy to implement with API Cloud. You simply need to select Dynamic Endpoint as the Endpoint Type and upload the In Flow sequence that defines the rules to route the traffic:
In our sample scenario, the In Flow sequence might look similar to this:
<sequence name="dynamic_ep" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
    <!-- Pick the backend from the REST resource path of the incoming call. -->
    <switch source="get-property('axis2', 'REST_URL_POSTFIX')">
        <case regex="/countries.*">
            <property name="service_ep" value="https://first.backend.url"/>
        </case>
        <case regex="/regions.*">
            <property name="service_ep" value="https://something.different.url"/>
        </case>
        <!-- add cases for further endpoints as needed -->
        <default>
            <!-- default endpoint if required; there should still be a matching resource -->
            <property name="service_ep" value="http://some.default.url"/>
        </default>
    </switch>
    <header name="To" expression="get-property('service_ep')"/>
    <!-- The additional ENDPOINT_ADDRESS property populates the destination address
         for statistics (API Usage by Destination). -->
    <property name="ENDPOINT_ADDRESS" expression="get-property('service_ep')"/>
</sequence>
You can obviously define more complex rules if needed.
Do you have multiple backend services that need to become a single API? Dynamic Endpoints can get you going!