Using a Third Party Key Management System with WSO2 API Manager

Post on 21-Aug-2015


Last Updated: Jan. 2014

● WSO2 API Manager is a complete open-source solution for creating and publishing APIs and managing all aspects of their lifecycle.

● Using WSO2 APIM, you can:
-- Create and publish APIs
-- Advertise APIs in the storefront
-- Version APIs
-- Manage the lifecycle
-- Monitor and analyze API usage
-- Implement governance and security
-- Facilitate community engagement
-- Provide extension points

https://docs.wso2.com/display/AM190/Introducing+the+API+Manager

Connect the web app to protected resource / API

[Figure: sequence diagram of the OAuth2 authorization code flow between the End user, a simple Web app, the OAuth2 Authorization manager and the Protected resource / API. Numbered steps: Initial request; authenticate / authorize; Redirect; Authorization code; Token; Protected resource.]

● WSO2 Identity Server https://wso2.com/products/identity-server/

● OpenAM https://www.forgerock.com/products/access-management/

● MITREid Connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

● SURFnet OAuth (apis) https://github.com/OAuth-Apis/apis

OpenID Connect reference implementation in Java on the Spring platform.

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/

<APIKeyManager>
    <KeyManagerClientImpl>org.wso2.carbon.mit.OpenIDClientImpl</KeyManagerClientImpl>
    <Configuration>
        ...
        <ResourceRegistrationEndpoint>http://localhost:8080/openid-connect-server-webapp/resource</ResourceRegistrationEndpoint>
        <OIDCDcrEndpoint>http://localhost:8080/openid-connect-server-webapp/register</OIDCDcrEndpoint>
        ...
    </Configuration>
</APIKeyManager>

<APIKeyValidator>
    <!--
    Specifies the implementation to be used for KeyValidationHandler. The steps for validating a token can be controlled by plugging in a custom KeyValidationHandler.
    -->
    <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
</APIKeyValidator>

● Implement the KeyManager interface when you are writing your own implementation, and register it in the configuration:
<KeyManagerClientImpl>org.wso2.carbon.mit.OpenIDClientImpl</KeyManagerClientImpl>

-- createApplication() - Create a new OAuth application in the Authorization Server
-- updateApplication() - Update an OAuth application
-- retrieveApplication() - Retrieve an OAuth application
-- getNewApplicationAccessToken() - The Store calls this method to get a new Application Access Token
-- getTokenMetaData() - Get details about an access token
-- getKeyManagerConfiguration() - Get the Key Manager implementation from a JSON file
-- buildAccessTokenRequestFromJSON()
-- mapOAuthApplication() - Used to create an OAuth application in semi-manual mode
-- buildAccessTokenRequestFromOAuthApp()

https://github.com/wso2/carbon-apimgt/blob/release-1.9.1/components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/KeyManager.java

-- loadConfiguration()
-- registerNewResource()
-- getResourceByApiId()
-- updateRegisteredResource()
-- deleteRegisteredResourceByAPIId()
-- deleteMappedApplication()
-- getActiveTokensByConsumerKey()
-- getAccessTokenByConsumerKey()


● Implement the KeyValidationHandler interface when you are writing your own implementation, and register it in the configuration:
<KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>

-- validateToken()
-- validateSubscription()
-- validateScopes()
-- generateConsumeToken() - Generates the JWT token; the default implementation is used for this

https://github.com/wso2/carbon-apimgt/blob/release-1.9.1/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/KeyValidationHandler.java
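The following Python is an added illustration, not WSO2's DefaultKeyValidationHandler (whose source is linked above). It models the three checks the handler runs in order, validateToken, validateSubscription and validateScopes, over constructed in-memory tables standing in for the key manager's token store, the subscription table and the resource-to-scope mapping. TokenInfo, validate_key, the sample tokens and the API name are assumptions of this example.

```python
"""Added illustration (not WSO2's code) of the three checks a KeyValidationHandler
performs in order: validateToken, validateSubscription, validateScopes."""
import time
from dataclasses import dataclass


@dataclass
class TokenInfo:
    consumer_key: str   # OAuth client that the token was issued to
    end_user: str
    scopes: set
    expires_at: float   # epoch seconds
    active: bool = True # False once revoked at the key manager


# Constructed sample data standing in for the key manager's token store
TOKENS = {
    "tok-valid": TokenInfo("app1-key", "alice", {"openid", "read"}, time.time() + 3600),
    "tok-expired": TokenInfo("app1-key", "bob", {"openid"}, time.time() - 10),
    "tok-revoked": TokenInfo("app1-key", "carol", {"openid", "read"}, time.time() + 3600, active=False),
}

# Constructed subscriptions: consumer key -> set of (api_name, api_version)
SUBSCRIPTIONS = {
    "app1-key": {("PizzaShack", "1.0.0")},
}

# Constructed resource scope bindings: (api, version, resource, verb) -> required scope
RESOURCE_SCOPES = {
    ("PizzaShack", "1.0.0", "/order", "POST"): "write",
    ("PizzaShack", "1.0.0", "/menu", "GET"): "read",
}


def validate_token(access_token):
    """validateToken: look the token up and reject unknown, revoked or expired ones."""
    info = TOKENS.get(access_token)
    if info is None or not info.active:
        return None, "Invalid or revoked access token"
    if info.expires_at <= time.time():
        return None, "Access token expired"
    return info, None


def validate_subscription(info, api, version):
    """validateSubscription: the application owning the token must be subscribed to the API."""
    if (api, version) not in SUBSCRIPTIONS.get(info.consumer_key, set()):
        return "Application is not subscribed to %s:%s" % (api, version)
    return None


def validate_scopes(info, api, version, resource, verb):
    """validateScopes: the token must carry the scope bound to the resource, if one is bound."""
    required = RESOURCE_SCOPES.get((api, version, resource, verb))
    if required is not None and required not in info.scopes:
        return "Token lacks required scope '%s'" % required
    return None


def validate_key(access_token, api, version, resource, verb):
    """Run the three checks in the handler's order; return (authorized, reason)."""
    info, err = validate_token(access_token)
    if err:
        return False, err
    err = validate_subscription(info, api, version)
    if err:
        return False, err
    err = validate_scopes(info, api, version, resource, verb)
    if err:
        return False, err
    return True, "authorized for user %s" % info.end_user


if __name__ == "__main__":
    for tok in TOKENS:
        for res, verb in (("/menu", "GET"), ("/order", "POST")):
            print(tok, verb, res, validate_key(tok, "PizzaShack", "1.0.0", res, verb))
```

The ordering matters for a custom handler: a token that fails validateToken is rejected before any subscription or scope lookup, so the handler never leaks whether an expired or revoked token would otherwise have had access.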

Create OAuth client at key manager

curl -k -X POST -b cookies https://localhost:9443/store/site/blocks/subscription/subscription-add/ajax/subscription-add.jag -d 'action=generateApplicationKey&application=NewApp1&keytype=PRODUCTION&authorizedDomains=ALL&callbackUrl=&validityTime=3600&tokenScope=&jsonParams={"paramname":"paramvalue"}'

Sample jsonParams for the MITREid Connect implementation:
{"allowDomains":"ALL","callback_url":["dfsds"],"client_name":"jh_sandbox","contact":[],"grant_types":[],"response_types":[],"scope":["phone","openid","offline_access","address","email","profile"],"token_endpoint_auth_method":null}

https://docs.wso2.com/display/AM190/Store+APIs

Update OAuth client

curl -k -X POST -b cookies https://localhost:9443/store/site/blocks/subscription/subscription-add/ajax/subscription-add.jag -d 'action=updateClientApplication&application=NewApp1&keytype=PRODUCTION&authorizedDomains=ALL&callbackUrl=&validityTime=3600&tokenScope=&jsonParams={"paramname":"paramvalue"}'

Sample jsonParams for the MITREid Connect implementation:
{"allowDomains":"ALL","callback_url":["dfsds"],"client_name":"jh_sandbox","contact":[],"grant_types":[],"response_types":[],"scope":["phone","openid","offline_access","address","email","profile"],"token_endpoint_auth_method":null}
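As an added example covering both the create and the update calls above (it is not WSO2's OpenIDClientImpl nor MITREid Connect code), the Python below shows one way a KeyManager implementation can turn the Store's jsonParams into an OpenID Connect Dynamic Client Registration body using the RFC 7591 field names (redirect_uris, scope as a space-separated string, contacts), and how to build the Store form body with the JSON properly URL-encoded, which the raw -d string in the curl command leaves to the server. The requirement that every callback URL be an absolute https URL is this example's own policy, not something the slides state; build_dcr_request, store_form_body and the sample callback URL are assumptions.

```python
"""Added illustration (not WSO2's or MITREid Connect's code): map the Store's jsonParams
onto an OIDC Dynamic Client Registration request (RFC 7591 field names) and check it
before a KeyManager would POST it to the configured OIDCDcrEndpoint."""
import json
from urllib.parse import urlencode, urlsplit

# Constructed copy of the sample jsonParams from the slides, with a syntactically valid
# callback URL in place of the placeholder "dfsds"
SAMPLE_JSON_PARAMS = {
    "allowDomains": "ALL",
    "callback_url": ["https://app.example.invalid/cb"],
    "client_name": "jh_sandbox",
    "contact": [],
    "grant_types": [],
    "response_types": [],
    "scope": ["phone", "openid", "offline_access", "address", "email", "profile"],
    "token_endpoint_auth_method": None,
}


def _absolute_https_url(url):
    """Example policy (hypothetical): redirect URIs must be absolute https URLs without a fragment."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def build_dcr_request(json_params):
    """Map WSO2 jsonParams keys onto RFC 7591 registration fields.
    Raises ValueError for input that should never reach the DCR endpoint."""
    callbacks = json_params.get("callback_url") or []
    if not callbacks:
        raise ValueError("at least one redirect URI is required for the authorization code flow")
    for cb in callbacks:
        if not _absolute_https_url(cb):
            raise ValueError("redirect URI must be an absolute https URL without fragment: %r" % cb)
    return {
        "client_name": json_params["client_name"],
        "redirect_uris": list(callbacks),
        # empty lists in jsonParams mean "use the defaults"; make the RFC 7591 defaults explicit
        "grant_types": json_params.get("grant_types") or ["authorization_code"],
        "response_types": json_params.get("response_types") or ["code"],
        # RFC 7591 carries scope as one space-separated string, not a JSON list
        "scope": " ".join(json_params.get("scope") or []),
        "contacts": list(json_params.get("contact") or []),
        "token_endpoint_auth_method": json_params.get("token_endpoint_auth_method") or "client_secret_basic",
    }


def store_form_body(application, keytype, json_params, action="generateApplicationKey"):
    """Form body for the Store's generateApplicationKey / updateClientApplication actions.
    urlencode escapes the embedded JSON, which the slide's raw -d string does not."""
    return urlencode({
        "action": action,
        "application": application,
        "keytype": keytype,
        "authorizedDomains": json_params.get("allowDomains", "ALL"),
        "callbackUrl": "",
        "validityTime": "3600",
        "tokenScope": "",
        "jsonParams": json.dumps(json_params, separators=(",", ":")),
    })


if __name__ == "__main__":
    print(json.dumps(build_dcr_request(SAMPLE_JSON_PARAMS), indent=2))
    print(store_form_body("NewApp1", "PRODUCTION", SAMPLE_JSON_PARAMS))
    print(store_form_body("NewApp1", "PRODUCTION", SAMPLE_JSON_PARAMS, action="updateClientApplication"))
```

Passing the output of store_form_body to curl with --data-urlencode already done (i.e. via -d) reproduces the Store calls above for both actions; the point of the redirect URI check is that a registration with a placeholder such as "dfsds" is refused on the API Manager side rather than being stored at the key manager as a client that can never complete the code flow.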
