0
votes

I am using WSO2 API Manager (version 3.0.1) as front-end for accessing data via an API call to CKAN (version 2.8.2).

A private CKAN data set requires an authorization token as described here.

"When calling an API function that requires authorization, you must authenticate yourself by providing your API key with your HTTP request."

CKAN API authorization instructions

How is this accomplished in WSO2? Specifically, what configuration files/settings need to change to make this happen?

I see from this documentation that if configured in Eclipse using a tooling plug-in it can be accomplished with something like this (Step 23):

curl -k -H "Authorization: Bearer api-key-for-WSO2-goes-here" -H "Custom: Bearer api-key-for-CKAN-goes-here" https://my-wso2-host-goes-here:8243/test/1.0.0

WSO2 curl example

However, these instructions require using Eclipse. But how can this be accomplished without Eclipse? I.e. what configuration files/settings need to be modified on the server or in the WSO2 API Publisher and/or the WSO2 API Dev Portal to pass the authorization token for CKAN through WSO2 API-M?


2 Answers

1
votes

You do not have to use Eclipse for this. In the tutorial, the Eclipse plugin is used as a tool to generate the sequence easily. In that tutorial we needed a sequence in the first place because the authorization header required by the backend is "Authorization". In WSO2 APIM this is a reserved header to pass the internally generated token. Therefore we first pass the backend token in a custom header with a different header name and then copy this value to the Authorization header in the in-sequence. The sequence would look like the one below.

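<sequence xmlns="http://ws.apache.org/ns/synapse" name="authorization_header_exchange">
    <!-- Read the backend token that the client sent in the custom X-Authorization header -->
    <property name="X-Authorization" expression="get-property('transport', 'X-Authorization')" scope="default" type="STRING"/>
    <!-- Copy it into the Authorization header of the request forwarded to the backend -->
    <property name="Authorization" expression="get-property('X-Authorization')" scope="transport" type="STRING" description=""/>
    <!-- Drop the custom header so it does not reach the backend -->
    <property name="X-Authorization" scope="transport" action="remove"/>
</sequence>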

Refer [1] for more info.

However, in your case you can send the API key in X-CKAN-API-Key along with the request itself without using a mediation sequence.

[1]. https://docs.wso2.com/display/APICloud/Sample+Mediation+Sequences#SampleMediationSequences-Passinganauthorizationheadertoyourbackend

0
votes

I'm answering my own question...

TLDR

The answer by @naoko above is correct: to pass CKAN authorization through WSO2 API-M include X-CKAN-API-Key as a header with a value set to your CKAN user's private CKAN API key.

Long Version

Pass the CKAN API key like this:

curl -k -H "Authorization: Bearer wso2-app-key-here" -H "X-CKAN-API-Key: ckan-authorization-key-here" "https://myWso2DeveloperPortal.com:8243/daas/3.0.1/action/resource_show?id=resource-id-of-CKAN-dataset-here"

(Use -k if the host has a self-signed https certificate)

Where...

  • wso2-app-key-here is the application key found in the WSO2 Developer Portal.
  • ckan-authorization-key-here is your user account's private key in CKAN. (It can be found on your user profile page in the CKAN UI.)
  • resource-id-of-CKAN-dataset-here is the resource id of the dataset you want to query.

The resource_show method in this example will return metadata for the given CKAN resource. Other CKAN methods are invoked in a similar manner.

This is all thanks to CKAN for having an alternative to passing the key in a header named Authorize. In the case of CKAN, the variable X-CKAN-API-Key can be used. And this can be easily passed as shown above.

Mea culpa for not catching that in the CKAN docs in the first place (It's right there in my very own screenshot above!)...had I read thoroughly it would have saved a SO post for better or worse;)

Had CKAN not provided the alternative with X-CKAN-API-Key then this can be accomplished in version 3.0.0 as described in these pages:

"Passing a Custom Authorization Token to the Backend"

https://apim.docs.wso2.com/en/latest/Learn/APIGateway/MessageMediation/passing-a-custom-authorization-token-to-the-backend/

FWIW, I actually tried that before trying the X-CKAN-API-Key solution and it didn't work. Maybe I was doing something wrong. But since the X-CKAN-API-Key solution works for me I'm calling it done.
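
The two-header request from the answers above, as an added example that is not part of the original posts: a shell wrapper that feeds both keys to curl through a config on stdin rather than on the command line, rejects values that could inject extra headers, and trusts a self-signed gateway certificate via a CA file instead of -k. The variable names WSO2_TOKEN, CKAN_API_KEY, GATEWAY_BASE and GATEWAY_CA and the function names are hypothetical, and resource ids are assumed to contain only letters, digits and hyphens.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumed, hypothetical names:
# WSO2_TOKEN, CKAN_API_KEY, GATEWAY_BASE, GATEWAY_CA and all three functions.

# Accept a value only if it is non-empty and cannot break out of a quoted
# curl config string or smuggle an extra header via CR/LF.
safe_value() {
  [ -n "$1" ] || return 1
  case "$1" in *'"'*|*'\'*) return 1 ;; esac
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

# Emit a curl config for resource_show on stdout. $1 = CKAN resource id
# (assumed to contain only letters, digits and hyphens).
build_curl_config() {
  safe_value "${WSO2_TOKEN:-}" && safe_value "${CKAN_API_KEY:-}" || return 1
  safe_value "${GATEWAY_BASE:-}" || return 1
  case "$GATEWAY_BASE" in https://*) ;; *) return 1 ;; esac
  case "$1" in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
  if [ -n "${GATEWAY_CA:-}" ]; then safe_value "$GATEWAY_CA" || return 1; fi
  printf 'url = "%s/action/resource_show?id=%s"\n' "$GATEWAY_BASE" "$1"
  printf 'header = "Authorization: Bearer %s"\n' "$WSO2_TOKEN"
  printf 'header = "X-CKAN-API-Key: %s"\n' "$CKAN_API_KEY"
  # Trust a self-signed gateway certificate explicitly instead of using -k.
  [ -z "${GATEWAY_CA:-}" ] || printf 'cacert = "%s"\n' "$GATEWAY_CA"
}

# printf is a shell builtin and the config reaches curl on stdin, so neither
# key appears in curl's argument list.
ckan_resource_show() {
  cfg=$(build_curl_config "$1") || { echo "rejected input" >&2; return 1; }
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
}
```

Export the variables in the calling shell and run ckan_resource_show with a resource id; the gateway consumes the Authorization header and forwards X-CKAN-API-Key to CKAN as the answers describe.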