0
votes

I have installed the WSO2 API Manager and secured my backend REST service with OAuth2.

Here is my setup:

IP1: WSO2 API Manager using the default built-in key manager. I have published my API here.

IP2: Resource server is running here.

I have a simple client application which talks to the key manager to get the access token and makes a successful call to the published API in API Manager. Here the API Manager validates the token before sending the request to my resource server.

I am looking for the following configuration. Is this possible?

  1. Application will talk to API Manager only for generating the token
  2. Application will make a direct request to the Resource server with the token
  3. Resource server needs to validate the token with the Auth server

I do see an explanation in WSO2 Identity Server where they suggest using a SOAP-based mechanism to validate the token. However, I am not able to work out how we can achieve this.

Can someone please clarify what changes need to be done on the Resource server and API Manager to get the above flow? As I use API Manager only for token generation, would going only to Identity Server make more sense?

1
In the resource server I should make a SOAP call to the Authentication server? I tried like this below:

    curl --user admin:admin --header "Content-Type: text/xml" --header "SOAPAction: validate" -k -d @soap.xml 10.37.XX.XX:8243/services/OAuth2TokenValidationService

Response:

    <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="schemas.xmlsoap.org/soap/envelope/… xmlns:axis2ns7="envelope/"><faultcode>axis2ns7:50978</…>

1 Answer

0
votes

Let me explain the use of API Manager first.

API Manager is used to provide a layer of additional functionality for your APIs, such as authorization, throttling and other QoS stuff.

So the basic idea is that you publish your API in WSO2 API Manager and it takes care of the authorization part for your API. So when a client tries to access your API via API Manager, API Manager makes sure only authorized clients are allowed to access the API.

So from your requirements, it seems that you want to do the authorization at the resource server. In that case there is no point in using API Manager only for the purpose of token generation.

Instead, you should use WSO2 Identity Server. Your API client can call the token endpoint of Identity Server to generate the token and send it in the API request. You can find more details about OAuth2 with WSO2 Identity Server here.

Then at the resource server you can validate the access token. With IS 5.3.0, there are two ways to validate a token: the OAuth2 Introspection Endpoint and a SOAP service. You can find more details here.
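The following is an added example, not code from the question, the answer or WSO2 itself, showing what the resource-server side of the introspection approach looks like: extract the bearer token from the request, POST it to the Identity Server's OAuth2 introspection endpoint (RFC 7662), and decide from the `active`, `exp` and `scope` fields in the reply. The introspection URL, the resource server's own credentials and the token table used by the offline stub are assumptions and placeholders; the `/oauth2/introspect` path is the one IS 5.3.0 documents, but the host is a placeholder. The decision logic fails closed: an unreachable endpoint, a non-JSON reply or an unknown token all deny the request.

```python
"""Validate a bearer token at a resource server via OAuth2 token introspection (RFC 7662).
Added example; not the project's own code."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed introspection endpoint of the Identity Server; host is a placeholder.
INTROSPECT_URL = "https://IDENTITY_SERVER_HOST:9443/oauth2/introspect"
# Credentials the resource server presents to the introspection endpoint (placeholders).
RS_USER = "RESOURCE_SERVER_USER"
RS_PASS = "RESOURCE_SERVER_PASSWORD"


def extract_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not auth_header:
        return None
    parts = auth_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def introspect_via_http(token: str) -> dict:
    """POST the token to the introspection endpoint and return the parsed JSON reply.
    Transport or parse failures raise; the caller treats that as 'not valid'."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{RS_USER}:{RS_PASS}".encode()).decode()
    req = urllib.request.Request(
        INTROSPECT_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def authorize(auth_header: Optional[str], required_scope: str,
              introspect: Callable[[str], dict] = introspect_via_http,
              now: Optional[float] = None) -> Tuple[int, str]:
    """Decide whether a request may proceed. Returns (HTTP status, reason):
    401 = no usable token, 403 = valid token without the needed scope, 200 = allowed."""
    token = extract_bearer(auth_header)
    if token is None:
        return 401, "missing or malformed bearer token"
    try:
        info = introspect(token)
    except Exception as exc:  # network error, bad JSON, etc.: fail closed
        return 401, f"introspection failed: {exc.__class__.__name__}"
    if not isinstance(info, dict) or info.get("active") is not True:
        return 401, "token inactive or unknown"
    current = time.time() if now is None else now
    exp = info.get("exp")
    if isinstance(exp, (int, float)) and exp <= current:
        return 401, "token expired"
    granted = set(str(info.get("scope", "")).split())
    if required_scope not in granted:
        return 403, f"scope {required_scope!r} not granted"
    return 200, "ok"


# Constructed stand-in for the endpoint so the decision logic can run offline.
FAKE_TOKENS: Dict[str, dict] = {
    "good-token": {"active": True, "scope": "read write", "exp": 2_000_000_000},
    "old-token": {"active": True, "scope": "read", "exp": 1_000},
    "revoked-token": {"active": False},
}


def fake_introspect(token: str) -> dict:
    # Per RFC 7662 an unknown token is reported as inactive, not as an error.
    return FAKE_TOKENS.get(token, {"active": False})


def unreachable(token: str) -> dict:
    raise urllib.error.URLError("introspection endpoint unreachable")


def demo() -> list:
    """Exercise each outcome against the constructed stub at a fixed clock."""
    fixed_now = 1_500_000_000
    return [
        authorize("Bearer good-token", "read", fake_introspect, fixed_now)[0],     # 200
        authorize("Bearer good-token", "admin", fake_introspect, fixed_now)[0],    # 403
        authorize("Bearer old-token", "read", fake_introspect, fixed_now)[0],      # 401 expired
        authorize("Bearer revoked-token", "read", fake_introspect, fixed_now)[0],  # 401 inactive
        authorize("Bearer unknown", "read", fake_introspect, fixed_now)[0],        # 401 unknown
        authorize("Basic Zm9v", "read", fake_introspect, fixed_now)[0],            # 401 not bearer
        authorize("Bearer good-token", "read", unreachable, fixed_now)[0],         # 401 fail closed
    ]


if __name__ == "__main__":
    print(demo())
```

In production the `introspect` argument is left at its default so the real endpoint is queried; the stub exists only so the 200/401/403 branches can be checked without a running Identity Server. Introspection costs a round trip per request, so a short-lived cache keyed on the token and bounded by `exp` is the usual next step.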