2 votes

I'm confused about how end user authentication works with WSO2 AM.

It looks like by default, WSO2 AM acts as the user authentication server for OAuth flows and hence validates user credentials against those entered via the API Store and stored in the Key Manager. But those users are not end users of the destination APIs, but rather developers who've signed up to build apps to use the APIs. That doesn't make sense to me, so maybe I've misunderstood the documentation?

What I need and would think most other API publishers would need is the ability to authenticate end users against an API publisher's user authentication API, and so have WSO2 AM delegate user authentication to such an external authentication API via a redirect (in case of authorization grant or implicit grant flows) or server-server call (in case of resource owner credentials grant).

How would one go about configuring such a setup, and what's the interface between the WSO2 AM and the external authentication API, for both the redirect and server-server interactions? Can you point me to any documentation or samples of such a setup?

thx, Chris


3 Answers

1 vote

My perspective on this is that end users consume apps directly, not APIs. App developers build apps that consume APIs. So this conforms to the philosophy of WSO2 API Manager, which caters to the app developers.

An API publisher's user authentication API is just another API as far as the API Manager is concerned. You can expose this API through API Manager and have users (or apps, in my opinion) invoke the API with specified parameters and get a response (in your case, user credentials as parameters and a response based on the authentication of those credentials). What an underlying API does is of no concern to API Manager; it simply facilitates the management of the API invocation.

1 vote

Often apps make authenticated, user-specific requests to APIs in order to serve the users of those apps. The OAuth2 resource owner password credentials grant is one of a few OAuth grant options used by apps to obtain user-specific OAuth tokens, and it requires authenticating the user's credentials against the API publisher's user authentication API. For reference, here's Apigee's documentation on how to do it.
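The two hand-offs the question asks about, as an added example that is not part of this thread and is not WSO2 code: a token endpoint implementing the resource owner password credentials grant that delegates the password check to an external authentication API via a server-to-server call, and the redirect used for the authorization code grant, where the authorization server parks the app's request under a fresh `state`, sends the browser to the external login page, and mints a one-time code when the callback returns. The client registry, the user table inside `constructed_external_authn`, and the `return_to`/`state` parameters of the hypothetical external login page are all assumptions made for this illustration; a real `Authenticator` would POST the credentials over TLS and map the HTTP response to a subject or `None`.

```python
# Added example, not WSO2 API Manager code. Names, URLs and the authenticator
# contract are assumptions for illustration only.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Constructed registry of apps created in the API Store (client_id -> secret).
CLIENTS: Dict[str, str] = {"app-123": "s3cret-client-secret"}
TOKENS: Dict[str, dict] = {}    # access token -> claims
PENDING: Dict[str, dict] = {}   # state -> original authorization request
CODES: Dict[str, dict] = {}     # authorization code -> subject + client

# Assumed contract with the publisher's authentication API:
# (username, password) -> subject identifier, or None if rejected.
Authenticator = Callable[[str, str], Optional[str]]


def constructed_external_authn(username: str, password: str) -> Optional[str]:
    """Stand-in for the server-to-server call to the publisher's user
    authentication API. The user table is constructed for this example."""
    users = {"alice": "correct horse battery staple"}
    expected = users.get(username)
    if expected is not None and hmac.compare_digest(expected, password):
        return "user:" + username
    return None


@dataclass
class TokenResponse:
    status: int
    body: dict


def handle_token_request(form: Dict[str, str], authn: Authenticator) -> TokenResponse:
    """Token endpoint for grant_type=password (RFC 6749 section 4.3)."""
    if form.get("grant_type") != "password":
        return TokenResponse(400, {"error": "unsupported_grant_type"})
    # Authenticate the app (developer credentials), not the end user.
    secret = CLIENTS.get(form.get("client_id", ""))
    if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
        return TokenResponse(401, {"error": "invalid_client"})
    username, password = form.get("username"), form.get("password")
    if not username or not password:
        return TokenResponse(400, {"error": "invalid_request"})
    # Delegate the end-user check; the password is never logged or stored here.
    subject = authn(username, password)
    if subject is None:
        # Generic error so the response does not reveal whether the user exists.
        return TokenResponse(400, {"error": "invalid_grant"})
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"sub": subject, "client_id": form["client_id"],
                     "scope": form.get("scope", ""), "exp": int(time.time()) + 3600}
    return TokenResponse(200, {"access_token": token, "token_type": "Bearer",
                               "expires_in": 3600, "scope": form.get("scope", "")})


def introspect(token: str) -> Optional[dict]:
    """What the gateway consults when an app presents a token; None if invalid."""
    claims = TOKENS.get(token)
    if claims is None or claims["exp"] <= time.time():
        return None
    return claims


def begin_delegated_login(authz_request: Dict[str, str], login_url: str,
                          callback_url: str) -> str:
    """Authorization endpoint side of the redirect hand-off: park the app's
    request under a fresh state and send the browser to the external login page.
    The return_to/state parameters are an assumed contract with that page."""
    state = secrets.token_urlsafe(16)
    PENDING[state] = dict(authz_request)
    return login_url + "?" + urlencode({"return_to": callback_url, "state": state})


def finish_delegated_login(state: str, subject: str) -> Optional[str]:
    """Callback hit after the external API has authenticated the user: mint a
    one-time code bound to the subject and redirect back to the app."""
    request = PENDING.pop(state, None)  # unknown or replayed state is rejected
    if request is None:
        return None
    code = secrets.token_urlsafe(24)
    CODES[code] = {"sub": subject, "client_id": request["client_id"],
                   "redirect_uri": request["redirect_uri"]}
    params = {"code": code}
    if request.get("state"):
        params["state"] = request["state"]  # echo the app's own state back
    return request["redirect_uri"] + "?" + urlencode(params)
```

The error codes follow RFC 6749: a bad client secret is `invalid_client`, a rejected user password is `invalid_grant`, and both comparisons use `hmac.compare_digest` so timing does not leak which part failed. The `state` issued in `begin_delegated_login` is consumed exactly once, so a replayed callback cannot mint a second code.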

0 votes

WSO2 APIM has four roles: admin, creator, publisher and subscriber. Those who have the creator and publisher roles can create and publish an API in the Publisher app (they are developers), and those who have the subscriber role can subscribe to an API in the Store and generate the OAuth token (they are end users). So whenever a user signs up from the Store, they are assigned the subscriber role, and those who have only the subscriber role are the end users of that API.

So when an end user accesses the API using the token taken from the Store, he will be authenticated by APIM.

1. https://docs.wso2.com/display/AM160/User+Roles+in+the+API+Manager