Once Web applications are published and accessed through the WSO2 App Manager gateway, the user is authenticated using SAML SSO. However, there can be Web applications that internally call OAuth-secured APIs. With this feature, you can use the same SAML token generated by the WSO2 App Manager gateway to obtain an OAuth2 access token by calling the token endpoint used by these APIs. The diagram below depicts this scenario.
Publishing the Web application for obtaining an OAuth2 access token
If a particular Web application needs to access OAuth-secured APIs internally, it needs to provide the following OAuth parameters of the APIs in Step 4 - Advanced Configuration when creating the Web application.
- API Token Endpoint - URL of the token endpoint used by the APIs.
- API Consumer Key - the consumer key of the OAuth APIs.
- API Consumer Secret - the consumer secret of the OAuth APIs.
- API Name - an alias name for the APIs.
Once the Web application is created in App Manager, it wraps these details and generates a new consumer/secret key pair for the Web application [WCk1, WCSk1]. The actual Web application can use this consumer/secret key pair generated by the App Publisher when it needs to get an access token to call the registered APIs.
Follow the steps below to view the consumer/secret key pair generated by WSO2 App Manager:
- Log in to the App Publisher of WSO2 App Manager using the following URL with admin/admin credentials: http://<IP_ADDRESS>:9763/publisher
- Click on the Pizza Shack application in the Web applications list.
- In the Overview section of the Web application, click the OAUTH Parameters tab.
You can see the consumer/secret keys generated for it in WSO2 App Manager as follows.
Invoking WSO2 AppM token API from the Web app
WSO2 App Manager itself provides a token API. Web applications need to call this token API with the consumer/secret key pair [WCk1, WCSk1] provided by App Manager when they need to get an access token for a particular API.
This token API is deployed in the <PRODUCT_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file. If App Manager is running with a port offset, the port defined inside the _TokenAPI_.xml file needs to be changed accordingly.
Use the following parameters and values to invoke the App Manager Token API from the Web application and obtain an access token.
- apiAlias - the alias name given when registering the API details in the App Manager publisher.
- applicationToken - the base64-encoded value of the consumer/secret key pair provided by App Manager.
- payload - the payload needs to send the grant type and the scope value. The grant type needs to be set to SAML2. The scope should contain the value of apiAlias as comma-separated strings.
- httpClient.doPost - the token API provided by App Manager. Change the port according to the defined port offset.
For more information on obtaining an OAuth2 token by providing a SAML token, see the Pizza Shack sample.
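As an added illustration of the parameters listed above (this is example code written for this page, not the Pizza Shack sample and not App Manager's own code), the following Python builds the token request a Web application would send to the App Manager Token API and parses the response. It encodes the application's consumer/secret pair as a base64 `key:secret` credential, sets the grant type to `SAML2`, and builds the scope from the comma-separated API aliases. The gateway base port (8243), the `/token` path, the `assertion` form field carrying the SAML token, and the JSON field names in the response are assumptions, not taken from the page; check them against your `_TokenAPI_.xml` and port offset.

```python
import base64
import json
from urllib.parse import urlencode

# Assumption (not from the page): HTTPS gateway port before any port offset is applied.
DEFAULT_GATEWAY_PORT = 8243
# Assumption: the Token API path as deployed from _TokenAPI_.xml.
DEFAULT_TOKEN_PATH = "/token"


def application_token(consumer_key: str, consumer_secret: str) -> str:
    """Base64 of 'consumerKey:consumerSecret' (HTTP Basic credential form, assumed here)."""
    if ":" in consumer_key:
        raise ValueError("consumer key must not contain ':'")
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def token_endpoint(host: str, port_offset: int = 0,
                   base_port: int = DEFAULT_GATEWAY_PORT,
                   path: str = DEFAULT_TOKEN_PATH) -> str:
    """Token API URL with the port offset applied, matching the edited _TokenAPI_.xml."""
    return f"https://{host}:{base_port + port_offset}{path}"


def build_token_request(host: str, consumer_key: str, consumer_secret: str,
                        api_aliases: list, saml_assertion: str,
                        port_offset: int = 0) -> dict:
    """Return url, headers and form body for the SAML2 grant call to the Token API.

    The credential is only ever placed in the Authorization header, never in the
    URL, so it does not end up in access logs or browser history.
    """
    if not api_aliases:
        raise ValueError("at least one apiAlias is required for the scope")
    if not saml_assertion:
        raise ValueError("SAML assertion is required for the SAML2 grant")
    scope = ",".join(api_aliases)          # comma-separated apiAlias values
    form = {
        "grant_type": "SAML2",              # grant type named on the page
        "scope": scope,
        "assertion": saml_assertion,        # field name is an assumption
    }
    headers = {
        "Authorization": "Basic " + application_token(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {
        "url": token_endpoint(host, port_offset),
        "headers": headers,
        "body": urlencode(form),
    }


def parse_token_response(raw_json: str) -> dict:
    """Extract the access token from a JSON response; raise on an OAuth error reply."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError("token endpoint error: " + str(data.get("error", "no access_token")))
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "scope": data.get("scope", ""),
    }


if __name__ == "__main__":
    # Constructed sample values; the SAML assertion would come from the SSO login.
    req = build_token_request("localhost", "WCk1", "WCSk1", ["PizzaShackAPI"],
                              "PHNhbWw6QXNzZXJ0aW9uLi4u", port_offset=1)
    print(req["url"])
    print(req["body"])
    # Constructed sample response, as the Token API might return it.
    sample = '{"access_token": "abc123", "token_type": "bearer", "expires_in": 3600, "scope": "PizzaShackAPI"}'
    print(parse_token_response(sample)["access_token"])
```

The request body is sent with an HTTP client of your choice (the page's `httpClient.doPost`); keep the call on HTTPS, since the Basic credential in the header is only base64-encoded, not encrypted.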