Create Access Token using SAML2 Bearer Grant Type and Invoke APIS in wso2 API Manager

First we need to create an API in wso2 API Manager and obtain the client id and secret. Then we can use travelocity sample application in wso2 Identity server to generate access token.


Configure travelocity Sample Application

In order to use travelocity sample application we need to change following configurations in travelocity.properties file which is located in  <Tomcat_Home>/webapps/travelocity.com/WEB-INF/classes

EnableSAML2Grant=true

OAuth2.TokenURL=https://localhost:8244/token (This is the token endpoint of APIM. The APIM is running with a port offset of 1)

OAuth2.ClientId=TTAoWMohG0lcO8UmN8CRskDT0uMa (Client Id and Client Secret of API)
OAuth2.ClientSecret=tFdgrDb8BNxPkqWoBmTL7rvGBLEa

Configure Identity Server to add travelocty application

 









The AudienceRestriction and the Recipient values we configure here should be equal and the same value shuld be configured as the alias.




Configure Identiy Provider in APIM

 


The public certificate of the primary keystore should be imported to the identity provider.

Then once we login to travelocity application and click on Request OAuth2 Access Token link it is able to obtain the access token to invoke the relevant API in the API Manager.


Comments

Post a Comment

Popular posts from this blog

Applying CORS Filter to wso2 Identity Server

When we are invoking an endpoint in oauth2 war from a javascript of a web app which is located in a different domain than identity server domain we are getting "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXXXXXX is therefore not allowed access." The issue is occurring as the script on your page is running from a specifc domain and would try to request the resource via an XmlHttpRequest or XDomainRequst from a different domain as this is a cross -origin request. In order to get rid of this we need to enable this by sending below header using a custom filter.  Access-Control-Allow-Origin: http: //example.com   (Here  http://example.com is the domain name of where page with that script is hosted) Invoking UserInfo endpoint of wso2 Identity Server from JavaScript We have two possible solutions to apply the CORS header.  1. Customizing OpenIDConnectUserEndpoint.java as below and replacing the oauth
Read more

Secure Wso2 ESB REST APIs using Kerberos

Image
When a consumer attempts to consume a REST API, if the API is secured using some authentication protocol (e.g Basic , Kerberos, NTLM) the consumer has to prove his authentication to the API by sending credentials or relevant token through authorization headers. By default ESB REST APIs does not include any security and from this blog post I will speak about how to make the APIs secured using kerberos. I have used main 3 components ;  Active Directory as the KDC , ESB server as the resource server and a C#.net client to invoke the rest APIs in ESB server. The design of the implementation is as below. The Design of the Kerberos Communication 1. Client tries to invoke the ESB proxy 2. The server responds with 401 unauthorized 3. Client requests a kerberos service ticket from active directory 4. If user is identified by the KDC (AD) it will send the SGT to the client 5. Client wraps the SPENEGO token in the request HTTP header and resend to ESB 6. ESB sees the HTTP header w
Read more

JWKS endpoint of wso2 IS

What is JWKS endpoint? The JSON Web Key Set (JWKS) endpoint is a read-only endpoint. This url returns the Identity Server's public key set in Json web key set format. This contains the signing key(s) the RP uses to validate signatures from the Identity Server. This endpoint is defined loosely by the OpenID Connect Discovery specification . Try JWKS endpoint with Identity Server The endpoint url for the super tenant: https://localhost:9443/oauth2/jwks The jwks for the super tenant will be as follows: { "keys" : [ { "alg" : "RS256" , "kty" : "RSA" , "use" : "sig" , "n" : " AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5 " , "e" : "AQAB" , "kid" : " d0ec514a32b6f88c0abd12a2840699bdd3deba9d "
Read more