1
votes

Currently working with WSO2 API Manager version 2.2.0. It is very good with implementation of OAuth 2.0.

When we define a new Application through WSO2 API Store, we are able to generate Consumer Key and Secret and select Grant Type to generate Access Token. After that we should subscribe to APIs with some Subscription Tier.

Access Token (also called API Key) is then authorized during API call. The Access Token is linked to attributes which are then put into AuthenticationContext, like the following extract from the org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.java:

```java
APIKeyValidationInfoDTO info;
info = keyValidator.getKeyValidationInfo(apiContext, apiKey, apiVersion, authenticationScheme, clientDomain,
        matchingResource, httpMethod, defaultVersionInvoked);
if (info.isAuthorized()) {
    AuthenticationContext authContext = new AuthenticationContext();
    authContext.setAuthenticated(true);
    authContext.setTier(info.getTier());
    authContext.setApiKey(apiKey);
    authContext.setKeyType(info.getType());
    authContext.setUsername(info.getEndUserName());
    authContext.setCallerToken(info.getEndUserToken());
    authContext.setApplicationId(info.getApplicationId());
    authContext.setApplicationName(info.getApplicationName());
    authContext.setApplicationTier(info.getApplicationTier());
    authContext.setSubscriber(info.getSubscriber());
    authContext.setConsumerKey(info.getConsumerKey());
    APISecurityUtils.setAuthenticationContext(synCtx, authContext, securityContextHeader);
    // ... rest of the authorized branch elided in this extract
}
```

This is working perfectly, but now I would like to have my own custom authentication handler, which is not based on an Access Token but rather on X.509 certificates, where the CN would be my identification of the entity (Writing Custom Handlers).

And also, I would like to have the benefit of Application settings and Subscription Tiers in order to manage such attributes for different entities calling the APIs using an X.509 certificate. The above-mentioned call does not work because I do not have any apiKey.

I'm trying to find a way to get Application API data with identification from the X.509 certificate instead of the Access Token, to set the Subscription Tier and other AuthenticationContext attributes.

Any suggestions on how it can be done?


2 Answers

0
votes

There is no way you can find subscription or application details without a token unless you're sending that information with the request itself. Without a token, you can only know what the API is, but you don't know what the app is.

0
votes

These attributes are required because they are used for application- and subscription-level throttling in the throttle handler. What you can do is set some attribute like the commonNameAttribute (CN) in the certificate as the application name, and the client IP (get it from the messageContext) as the application ID. So the application-level throttling will work without having to create an application in the Store. Set the Application tier as any one of the available application tiers in the Store. Set the consumer key as null, and set the subscriber also as the commonNameAttribute. And you can override the DefaultKeyValidationHandler in order to skip the subscription validation. This class can be configured in api-manager.xml.
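The following handler is an added illustration of the approach described in this answer; it is not code from WSO2 or from the original posters. It populates the same AuthenticationContext setters that the question's OAuthAuthenticator extract uses, but derives the identity from the CN of the peer certificate: CN as application name, subscriber and username, client IP as application id, a fixed application tier, and a null consumer key. Assumptions, all marked in the code: the package name, the Axis2 property name `ssl.client.auth.cert.X509` under which the transport exposes the client certificate, the tier name `Unlimited`, the security-context header name, and that the handler's values are injected through bean-style setters from `<property>` entries in the API definition. The handler only reads the certificate; it relies on the transport having already enforced mutual TLS and validated the chain, so the CN is trustworthy only to the extent that trust store is. The CN parsing itself uses only the JDK's `X500Principal` and `LdapName` APIs.

```java
package com.example.apim.handlers; // hypothetical package name

import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.rest.AbstractHandler;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;

/**
 * Gateway handler that identifies the caller by the CN of the client certificate
 * instead of an access token and fills the AuthenticationContext the way the
 * answer suggests, so application-level throttling has the attributes it expects.
 * The certificate chain must already have been validated by the transport
 * (mutual TLS); this handler only reads the peer certificate it was given.
 */
public class CertificateCnAuthHandler extends AbstractHandler {

    // ASSUMPTION: Axis2 property under which the Synapse transport stores the
    // peer certificate; verify against the transport in use and override if needed.
    private String certificateProperty = "ssl.client.auth.cert.X509";
    // ASSUMPTION: tier names; both must exist in the Store of this deployment.
    private String applicationTier = "Unlimited";
    private String subscriptionTier = "Unlimited";
    // ASSUMPTION: header under which APISecurityUtils publishes the security context.
    private String securityContextHeader = "X-JWT-Assertion";

    // ASSUMPTION: populated from <property name="..." value="..."/> entries of the handler.
    public void setCertificateProperty(String v) { certificateProperty = v; }
    public void setApplicationTier(String v) { applicationTier = v; }
    public void setSubscriptionTier(String v) { subscriptionTier = v; }
    public void setSecurityContextHeader(String v) { securityContextHeader = v; }

    @Override
    public boolean handleRequest(MessageContext synCtx) {
        org.apache.axis2.context.MessageContext axis2Ctx =
                ((Axis2MessageContext) synCtx).getAxis2MessageContext();

        X509Certificate cert = peerCertificate(axis2Ctx.getProperty(certificateProperty));
        String cn;
        try {
            cn = cert == null ? null : commonName(cert);
        } catch (InvalidNameException e) {
            cn = null; // unparsable subject DN: treat as unauthenticated
        }
        if (cn == null || cn.isEmpty()) {
            return false; // no usable identity: stop mediation, the request is rejected
        }

        // Client address as seen by the transport; used as the application id key.
        Object remoteAddr = axis2Ctx.getProperty(org.apache.axis2.context.MessageContext.REMOTE_ADDR);
        String clientIp = remoteAddr == null ? "unknown" : remoteAddr.toString();

        AuthenticationContext authContext = new AuthenticationContext();
        authContext.setAuthenticated(true);
        authContext.setUsername(cn);
        authContext.setApplicationName(cn);     // CN stands in for a Store application
        authContext.setSubscriber(cn);
        authContext.setApplicationId(clientIp); // key for application-level throttling
        authContext.setApplicationTier(applicationTier);
        authContext.setTier(subscriptionTier);
        authContext.setConsumerKey(null);       // no OAuth client behind this caller
        authContext.setApiKey(null);
        APISecurityUtils.setAuthenticationContext(synCtx, authContext, securityContextHeader);
        return true;
    }

    @Override
    public boolean handleResponse(MessageContext synCtx) {
        return true;
    }

    /** The transport may store a single certificate or the whole chain; take the leaf. */
    static X509Certificate peerCertificate(Object property) {
        if (property instanceof X509Certificate) {
            return (X509Certificate) property;
        }
        if (property instanceof X509Certificate[] && ((X509Certificate[]) property).length > 0) {
            return ((X509Certificate[]) property)[0];
        }
        return null;
    }

    /** Extract the CN attribute from the subject DN with the JDK's RFC 2253 parser. */
    static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }
}
```

Because the consumer key is null and no subscription exists for the CN, the subscription lookup still has to be bypassed as the answer says, by overriding DefaultKeyValidationHandler; this handler on its own only supplies the context attributes the throttle handler reads. Reading the CN through `LdapName` rather than a regex on the DN string avoids mis-parsing escaped commas or multi-valued RDNs in subject names.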