4
votes

I have created and published API with WSO2 API Manager. API client get access through OAuth2 and client credentials grant, sending consumer key and consumer secret to request access token. But now I need to implement authorization by means of authorization code grant. I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.

Can anybody tell if it is possible and how it can be implemented???

Documentation of WSO2 does not describe this flow and all examples I have found describe authorization process (OAuth2, authorization_code) only for user of WSO2 APIM.

2

2 Answers

0
votes

now I need to implement authorization by means of authorization code grant. I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user.

If you want to use your own (application) authentication form, the simplest option is to leverage the password grant type where your application sends the token request along application and user credentials through a backend service

Using a code grant you suppose to use an authorization endpoint https://gateway:8243/authorize with parameters described in the documentation and indeed the default login form is used when the user is not yet authenticated

(I still have an urge to downvote the question for not searching the documentation)

If you still want to use the code grant type with your own authentication form, you may either customize the default logon form of the wso2 api gateway or customize an authenticator to use form of your application (this is quite advanced topic requiring configuring your own implementation and out of scope of the question/answer)

0
votes

You have 2 options here without any customizations.

1) If your backend has a userstore, it can be configured as a secondary userstore for APIM. Then you can use any user in that userstore for authentication.

See https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores

2) If above option is not possible, and if your backend IDP supports any federation SSO protocols such as SAML2 or OIDC, you can configure federation using WSO2 IS.

See https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation