0
votes

I am trying a POC with WSO2 API Manager and Identity Server. The application users are registered to the user store on the identity server. An API is exposed on the API manager that will be used by the application. The goal is to authenticate the users accessing the application using the OAuth resource owner password credentials. The user credentials are in the user store on the identity server. I created a new tenant for this.

I configured SSO for the API manager by using this documentation, so that the users are authenticated against the identity server user store.

I tried to generate a token to access the API exposed on the API manager. I was able to retrieve the token for the client credentials grant type but not for the resource owner password grant type.

Appreciate any help here.

1
One other route is to get a SAML token and exchange it for an OAuth token. Since the API Manager and Identity Server are pointing to the same user store, I am assuming that generating an OAuth token directly by the API manager should also be possible.
user1865512

1 Answer

0
votes

I do not think you need SSO here. SSO is needed with APIM and WSO2IS if users need to log in to the API store/publisher/APIM management console. I hope you are talking about end users. Then end users may not need to log in to the APIM. They just need to log in to your custom applications, and the application would call the APIs in the APIM.

But, say users need to log in to custom applications using SSO, then you can configure SSO between WSO2IS and the custom applications. Please refer here. Once the user logs in to the application, the application can exchange the end user's SAML2 assertion for an access token by using APIM. Then the application can access the APIs in APIM using the access token on behalf of the user. You can refer to this for more details.

Also, if you are just trying to use OAuth just for authentication, you may need to use OpenID Connect (just to log in to the custom application).
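
The two token requests discussed on this page, side by side, as an added example that is not part of the question or the answer and is not WSO2 code. It builds (without sending) the RFC 6749 password-grant request and the RFC 7522 SAML2 bearer request; `TOKEN_URL`, the client credentials, the sample assertion and all function names are assumptions made for illustration.

```python
import base64
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Placeholder endpoint (assumption); use your gateway's real token URL.
TOKEN_URL = "https://gateway.example.com/token"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522

# Constructed stand-in for the signed assertion the IdP returns after SSO.
SAMPLE_ASSERTION = '<saml2:Assertion ID="_constructed">...</saml2:Assertion>'


def token_request(client_id, client_secret, params, url=TOKEN_URL):
    """Build (not send) a form-encoded POST with HTTP Basic client auth."""
    if urlsplit(url).scheme != "https":
        # Secrets and assertions travel in this request; refuse cleartext.
        raise ValueError("token endpoint must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(
        url,
        data=urlencode(params).encode(),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def password_grant(client_id, client_secret, username, password):
    """RFC 6749 section 4.3: the application handles the user's password."""
    return token_request(client_id, client_secret, {
        "grant_type": "password", "username": username, "password": password})


def saml_bearer_grant(client_id, client_secret, assertion_xml):
    """RFC 7522: the application forwards the assertion, never a password."""
    # base64url, one line, padding stripped as the RFC recommends.
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return token_request(client_id, client_secret, {
        "grant_type": SAML2_BEARER, "assertion": encoded})


def api_call(url, access_token):
    """Call the published API on behalf of the user with the issued token."""
    return Request(url, headers={"Authorization": "Bearer " + access_token})
```

With the SAML2 bearer route the application never sees the user's password, whereas the password grant requires the application to collect and forward it.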