This page consists of the procedure to secure a RESTful service with 2-legged OAuth using WSO2 Identity Server and WSO2 ESB.
- Download WSO2 Identity Server and WSO2 ESB.
- Extract the WSO2 Identity Server and WSO2 ESB ZIP files into a directory in your file system. Call them IS_HOME and ESB_HOME respectively.
Start WSO2 Identity Server and WSO2 ESB by running wso2server.sh (in unix) or wso2server.bat (in windows) which can be found in
If both servers are running in localhost, change the default ports. For example, change the WSO2 ESB https port to 9445 and http port to 9765 (default 9443 and 9763 respectively) by configuring mgt-transport.xml which can be found in
- Go to WSO2 IS Management Console by pointing your browser to
- Register a user with WSO2 Identity Server by providing a username and password.
- Download sample OAuth client source code from following svn location:
- You can build the sample using maven (
mvn clean install) or add the Jars in the
IS_HOME/repository/components/pluginsdirectory to a sample project class path.
- Go to the ESB Management Console by entering the following your browser:
- Sign-in as an admin by providing a username and password.
Create a proxy service in WSO2 ESB by adding following configuration in to the service bus configuration which can be found under Manage > Service Bus > Source View. Alternatively, simply update the synapse configuration of ESB with the content in
Please note that remoteServiceUrl contains the host name and the port that WSO2 Identity Server is running.
- Run the sample client. Make sure to update variables: IDENTITY_SERVER, ESB_SERVER, USER_NAME and PASSWORD, according to your configurations.
The following steps iterate what is occurring during this process:
- The user is registered with WSO2 Identity Server.
- The consumer secret is registered with WSO2 Identity Server.
- Invoke the AuthenticationAdmin service and the user is authenticated with the WSO2 IS entity server
- Invoke the OAuthAdminService service and register the consumer secret.
- The consumer key is set as the username of the user.
- Generate OAuth Authorization header and sign it with the OAuth Consumer Secret.
- Invoke the proxy service which is deployed in ESB.
- OAuth mediator in ESB invokes the OAuthService in WSO2 Identity Server to verify that the consumer is valid.
- Verify consumer key (check if the user is a valid user) and verify the oauth_signature value using the consumer secret which has been registered by the user.
- If signature verification is done, the request is authenticated and sent to the RESTful service