Try WSO2 Cloud for Free
Sign in

All docs This doc

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

APIs published on the WSO2 API Cloud are secured using OAuth2.0 by default. Any client application invoking a secure published API needs to have a valid subscription to the particular API and present a valid OAuth2.0 Access Token to the API Gateway.

The HTTP Authorization header is the most common method of providing authentication information for REST APIs and it is used in API Cloud as well. The application needs to have the access token in the authorization header to authenticate the API that is being accessed. But, there can be reasons such as organizational policies, legacy backends expecting to use the authorization header for other purposes and legacy client applications which will force you to use some other header to pass the bearer token to the API gateway.

WSO2 API Cloud now allows you to define your own header to carry the bearer token. This can be configured for the entire organization (all your APIs) or for certain APIs only.

Table of Contents

Configure the authorization header per API

...

  1. Go to the “Manage” tab in the UI.

  2. Provide the name of the header which you wish to use as the authorization header, as shown below. In this example, it is defined as "Token".

  3. Save and publish the API.
  4. When you go to the developer portal(API Store), you will be able to see the portal is ready to send the new header to the gateway. Insttead of the usual "Authorization" header, you can see the "Token" header which was defined in the previous steps in the below screenshot.
  5. If you want to invoke the API with curl, following is the command.

    Code Block
    curl -k -X GET "<Your API URL>" -H "Accept: Application/json" -H "Token: Bearer <Your Token>"

Configuring the authorization header for the entire organization

  1. Go to the management console of API Cloud. You will be logged in automatically.

  2. Click Main, then click Browse under Resources.

  3. Enter /_system/config/apimgt/applicationdata/tenant-conf.json as the location. Click Go to access the tenant-conf.json file in the WSO2 Registry.
  4. Click Edit as text to edit the JSON file.
  5. Add the following configuration with the customized authorization header to the JSON file and save the file.

    Localtab Group
    Localtab
    activetrue
    titleFormat
    Code Block
    "AuthorizationHeader" : "<tenant-authorization-header>"
    Localtab
    titleExample
    Code Block
    "AuthorizationHeader" : "TENANT_AUTH"
    Localtab
    titleSample JSON
    Code Block
    { 
       "EnableMonetization":false,
       "IsUnlimitedTierPaid":false,
       "ExtensionHandlerPosition":"bottom",
       "RESTAPIScopes":{ 
          "Scope":[ 
             { 
                "Name":"apim:api_publish",
                "Roles":"admin,Internal/publisher"
             },
             { 
                "Name":"apim:api_create",
                "Roles":"admin,Internal/creator"
             },
             { 
                "Name":"apim:api_view",
                "Roles":"admin,Internal/publisher,Internal/creator"
             },
             { 
                "Name":"apim:subscribe",
                "Roles":"admin,Internal/subscriber"
             },
             { 
                "Name":"apim:tier_view",
                "Roles":"admin,Internal/publisher,Internal/creator"
             },
             { 
                "Name":"apim:tier_manage",
                "Roles":"admin"
             },
             { 
                "Name":"apim:bl_view",
                "Roles":"admin"
             },
             { 
                "Name":"apim:bl_manage",
                "Roles":"admin"
             },
             { 
                "Name":"apim:subscription_view",
                "Roles":"admin,Internal/creator"
             },
             { 
                "Name":"apim:subscription_block",
                "Roles":"admin,Internal/creator"
             },
             { 
                "Name":"apim:mediation_policy_view",
                "Roles":"admin"
             },
             { 
                "Name":"apim:mediation_policy_create",
                "Roles":"admin"
             },
             { 
                "Name":"apim:api_workflow",
                "Roles":"admin"
             }
          ]
       },
       "NotificationsEnabled":"false",
       "Notifications":[ 
          { 
             "Type":"new_api_version",
             "Notifiers":[ 
                { 
                   "Class":"org.wso2.carbon.apimgt.impl.notification.NewAPIVersionEmailNotifier",
                   "ClaimsRetrieverImplClass":"org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever",
                   "Title":"Version $2 of $1 Released",
                   "Template":" <html> <body> <h3 style=\"color:Black;\">We’re happy to announce the arrival of the next major version $2 of $1 API which is now available in Our API Store.</h3><a href=\"https://localhost:9443/store\">Click here to Visit WSO2 API Store</a></body></html>"
                }
             ]
          }
       ],
       "DefaultRoles":{ 
          "PublisherRole":{ 
             "CreateOnTenantLoad":true,
             "RoleName":"Internal/publisher"
          },
          "CreatorRole":{ 
             "CreateOnTenantLoad":true,
             "RoleName":"Internal/creator"
          },
          "SubscriberRole":{ 
             "CreateOnTenantLoad":true
          }
       },
       "AuthorizationHeader":"TENANT_AUTH"
    }
  6. If you have APIs that were published already, go to the API publisher and re-publish those the APIs for the changes to take effect. The new APIs will automatically have this behaviour behavior when they are created.

Note

If you have configured this at both API level and organization level, then the API level configuration will get the precedence.


With this new feature is available in WSO2 API Cloud, you will be able to connect your legacy backends and legacy clients to the API gateway without worrying about the authorization header.