Identity Server 4 as a Third Party Key Manager for WSO2 API Manager

Malintha Amarasinghe
4 min read · Sep 29, 2019


Identity Server 4 (IS4) is an OAuth2 and OpenID Connect framework for ASP.NET. It is commonly used by .NET-based software development companies to manage their users and control access to their resources.

When such a company decides to adopt API Management on its platform, a common problem it faces is how to reuse the existing users and the existing IS4-based authorization platform with it. WSO2 API Manager provides a pretty good set of extension points to make this a reality.

In this story, we work through the steps of configuring IS4 as a third-party Key Manager for WSO2 API Manager 2.5.

Setting Up

Configurations in Identity Server 4

Step 1: Create an application in Identity Server 4.0. This will be used by the API Manager to access the Admin APIs.

Adding a client to access Admin APIs

Step 2: Make sure to provide a secret as well.

Providing secret to Admin client

Step 3: In Advanced -> Claims, add a claim named role with the value AdminUI Administrator.

Configurations in WSO2 API Manager

We need to extend WSO2 API Manager so that OAuth2 token and client management is delegated to IS4. The extensions required for that are described below.

Step 1: Add the extension jars and their dependencies to API Manager.

  • https://github.com/malinthaprasan/apim-is4askm has the full source code of the extensions. Clone and build the project using Maven.
  • Extract impl/target/org.wso2.apimgt.keymgt.is4-1.0.0.jar and copy it into the repository/components/dropins folder of API Manager.
  • Add the following additional jars to the repository/components/lib folder:
1. gson-fire-1.8.0.jar
2. logging-interceptor-2.7.5.jar
3. okhttp-2.7.5.jar
4. okio-1.6.0.jar
5. threetenbp-1.3.5.jar

Note: after building the project, these jars can be found in the local .m2 repository at the locations below.

${m2-repo-home}/io/gsonfire/gson-fire/1.8.0/gson-fire-1.8.0.jar
${m2-repo-home}/com/squareup/okhttp/logging-interceptor/2.7.5/logging-interceptor-2.7.5.jar
${m2-repo-home}/com/squareup/okhttp/okhttp/2.7.5/okhttp-2.7.5.jar
${m2-repo-home}/com/squareup/okio/okio/1.6.0/okio-1.6.0.jar
${m2-repo-home}/org/threeten/threetenbp/1.3.5/threetenbp-1.3.5.jar

Step 2: Define the KeyManagerClientImpl class in api-manager.xml

KeyManagerClientImpl is the class API Manager uses for all communication with its Key Manager. By extending it, we can couple API Manager with almost any kind of third-party Identity Server as a key manager.

In api-manager.xml, configure the key manager class name together with the details of IS4. You need to specify the client ID and secret that were used when creating the application in IS4.

<APIKeyManager>
    <KeyManagerClientImpl>org.wso2.apimgt.keymgt.is4.IdentityServer4AsKMImpl</KeyManagerClientImpl>
    <Configuration>
        <TokenAPI>http://ids:5003/connect/token</TokenAPI>
        <AdminAPI>http://localhost:5001</AdminAPI>
        <IntrospectionAPI>http://ids:5003/connect/introspect</IntrospectionAPI>
        <ClientId>admin_ui_sample</ClientId>
        <ClientSecret>admin_ui_sample</ClientSecret>
    </Configuration>
</APIKeyManager>

Step 3: Define KeyValidationHandlerClassName

KeyValidationHandlerClassName names the class the Gateway uses to validate the access tokens that accompany API calls.

<KeyValidationHandlerClassName>org.wso2.apimgt.keymgt.is4.token.IS4KeyValidationHandler</KeyValidationHandlerClassName>

Step 4: Define the application attributes configuration in the api-manager.xml

<ApplicationConfiguration>
    <ApplicationAttributes>
        <Attribute required="false">
            <Name>Production Consumer Secret</Name>
            <Description>Sample description of the attribute</Description>
        </Attribute>
        <Attribute required="false">
            <Name>Production Access Token</Name>
            <Description>Sample description of the attribute</Description>
        </Attribute>
        <Attribute required="false">
            <Name>Sandbox Consumer Secret</Name>
            <Description>Sample description of the attribute</Description>
        </Attribute>
        <Attribute required="false">
            <Name>Sandbox Access Token</Name>
            <Description>Sample description of the attribute</Description>
        </Attribute>
    </ApplicationAttributes>
</ApplicationConfiguration>

Step 5: Add the following handler at the beginning of the Synapse handlers of the API in the velocity template

The velocity template (velocity_template.xml) is located at <AM_HOME>/repository/resources/api_templates/velocity_template.xml.

The following line needs to be added after <handlers xmlns="http://ws.apache.org/ns/synapse"> and before #foreach($handler in $handlers).

<handler class="org.wso2.apimgt.keymgt.is4.handler.InjectIS4ResourceHandler"/>

After it is added:

...
<handlers xmlns="http://ws.apache.org/ns/synapse">
    <handler class="org.wso2.apimgt.keymgt.is4.handler.InjectIS4ResourceHandler"/> <!-- <=== -->
#foreach($handler in $handlers)
    <handler xmlns="http://ws.apache.org/ns/synapse" class="$handler.className">
#if($handler.hasProperties())
#set ($map = $handler.getProperties() )
...

Step 6: Configure the workflow extensions in workflow-extensions.xml from the API Manager Carbon console.

The API Manager Carbon console is accessible at https://localhost:9443/carbon.

Configuring workflow extensions

Add the configurations below:

<WorkFlowExtensions>
    ...
    <!--ProductionApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
    <ProductionApplicationRegistration executor="org.wso2.apimgt.keymgt.is4.workflow.IS4ApplicationRegistrationWorkflow"/>

    <!--SandboxApplicationRegistration executor="org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor"/-->
    <SandboxApplicationRegistration executor="org.wso2.apimgt.keymgt.is4.workflow.IS4ApplicationRegistrationWorkflow"/>

    <!--SubscriptionCreation executor="org.wso2.carbon.apimgt.impl.workflow.SubscriptionCreationSimpleWorkflowExecutor"/-->
    <SubscriptionCreation executor="org.wso2.apimgt.keymgt.is4.workflow.IS4SubscriptionCreationWorkflow"/>

    <!--SubscriptionDeletion executor="org.wso2.carbon.apimgt.impl.workflow.SubscriptionDeletionSimpleWorkflowExecutor"/-->
    <SubscriptionDeletion executor="org.wso2.apimgt.keymgt.is4.workflow.IS4SubscriptionDeletionWorkflow"/>
    ...
</WorkFlowExtensions>

The workflow extensions are required to keep the resources created in API Manager (APIs, Subscriptions and Applications) in sync with Identity Server 4.

That’s it!

Now, when you perform actions such as creating applications from the API Store or generating access tokens, they will be reflected in IS4.

When you make an API call, the gateway will communicate with the IS4 instance to validate the token instead of using the built-in Key Manager.
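To make the two IS4 calls wired up by the api-manager.xml sample concrete, here is an added, self-contained Python model of them: the client_credentials grant the key manager client performs against <TokenAPI> before talking to the Admin API, and the RFC 7662 introspection call a gateway-side validator performs against <IntrospectionAPI>, both authenticated with the <ClientId>/<ClientSecret> pair. This is example code written for this page, not code from the apim-is4askm project; the FakeIs4 class is a constructed stand-in for the IS4 instance so that the example runs offline, and the token values, scopes and the fixed clock are constructed too. Only the endpoint URLs and client credentials are taken from the configuration above.

```python
import base64
import secrets
from urllib.parse import urlparse

# Values from the api-manager.xml sample ("ids" is the post's own hostname).
KM_CONFIG = {
    "TokenAPI": "http://ids:5003/connect/token",
    "IntrospectionAPI": "http://ids:5003/connect/introspect",
    "ClientId": "admin_ui_sample",
    "ClientSecret": "admin_ui_sample",
}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1), used at both endpoints."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class FakeIs4:
    """Constructed stand-in for IS4: serves /connect/token (client_credentials)
    and /connect/introspect (RFC 7662), authenticating callers with Basic auth."""

    def __init__(self, client_id, client_secret, clock):
        self._auth = basic_auth_header(client_id, client_secret)
        self._client_id = client_id
        self._clock = clock        # returns epoch seconds; injected for determinism
        self._tokens = {}          # token -> record returned by introspection

    def issue(self, token, client_id, scope, ttl):
        """Register a token as if an application had obtained it from IS4."""
        self._tokens[token] = {"active": True, "client_id": client_id,
                               "scope": scope, "exp": self._clock() + ttl}

    def post(self, url, headers, form):
        """Return (status, json_body) for a form POST, as an HTTP client would see it."""
        if headers.get("Authorization") != self._auth:
            return 401, {"error": "invalid_client"}
        path = urlparse(url).path
        if path == "/connect/token" and form.get("grant_type") == "client_credentials":
            token = secrets.token_urlsafe(24)
            self.issue(token, self._client_id, form.get("scope", ""), ttl=3600)
            return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
        if path == "/connect/introspect":
            rec = self._tokens.get(form.get("token", ""))
            if rec is None or rec["exp"] <= self._clock():
                return 200, {"active": False}   # RFC 7662: reveal nothing about unknown/expired tokens
            return 200, dict(rec)
        return 400, {"error": "invalid_request"}


def get_admin_token(server, cfg):
    """What the key manager client does before calling the IS4 Admin API."""
    headers = {"Authorization": basic_auth_header(cfg["ClientId"], cfg["ClientSecret"])}
    status, body = server.post(cfg["TokenAPI"], headers, {"grant_type": "client_credentials"})
    if status != 200 or body.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"token request failed: {status} {body}")
    return body["access_token"]


def validate_token(server, cfg, access_token, required_scope, clock):
    """Gateway-side check: introspect, then enforce active, exp and scope.
    Returns {'valid': True, ...claims} or {'valid': False, 'reason': ...}."""
    headers = {"Authorization": basic_auth_header(cfg["ClientId"], cfg["ClientSecret"])}
    status, body = server.post(cfg["IntrospectionAPI"], headers, {"token": access_token})
    if status != 200:
        return {"valid": False, "reason": "introspection_failed"}
    if not body.get("active"):
        return {"valid": False, "reason": "inactive_token"}
    if "exp" in body and body["exp"] <= clock():     # re-check expiry locally
        return {"valid": False, "reason": "expired"}
    granted = set(body.get("scope", "").split())
    if required_scope and required_scope not in granted:
        return {"valid": False, "reason": "insufficient_scope"}
    return {"valid": True, "client_id": body.get("client_id"), "scope": sorted(granted)}


def demo():
    """Constructed run: admin token, one good token, one expired, one bad secret."""
    def clock():
        return 1_700_000_000                     # fixed epoch for reproducible results
    is4 = FakeIs4(KM_CONFIG["ClientId"], KM_CONFIG["ClientSecret"], clock)
    is4.issue("app-token-1", "store_app_42", "orders:read orders:write", ttl=600)
    is4.issue("app-token-2", "store_app_42", "orders:read", ttl=-1)   # already expired

    admin_ok = get_admin_token(is4, KM_CONFIG) != ""
    good = validate_token(is4, KM_CONFIG, "app-token-1", "orders:read", clock)
    wrong_scope = validate_token(is4, KM_CONFIG, "app-token-1", "orders:delete", clock)
    expired = validate_token(is4, KM_CONFIG, "app-token-2", "orders:read", clock)
    bad_auth = validate_token(is4, dict(KM_CONFIG, ClientSecret="wrong"), "app-token-1",
                              "orders:read", clock)
    return admin_ok, good, wrong_scope, expired, bad_auth


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two points the model makes visible: an inactive or unknown token yields only {"active": false}, so the validator must treat anything other than active=true as a denial rather than looking for an error status; and the introspection request carries both the key manager's client secret and the end user's access token, which is why the http:// URLs in the sample are fine for a local walkthrough but should be HTTPS anywhere the gateway and IS4 do not share a host.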

See you with another post. :)
