This documentation is for WSO2 API Manager 2.6.0. View documentation for the latest release.


...

  1. Configure the API Store. For more detailed information, see Adding and Configuring a Service Provider in the WSO2 Identity Server 5.7.0 documentation.
    1. Navigate to the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file.
    2. Edit the oidcConfiguration section to point to the IdP that you configured in step 5.

      Format

      "oidcConfiguration" : {
          "enabled" : "true",
          "issuer" : "API_STORE",
          "identityProviderURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
          "authorizationEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/authorize",
          "tokenEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
          "userInfoURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/userinfo",
          "jwksURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/jwks",
          "logoutEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oidc/logout",
          "authHttpMethod": "POST",
          "clientConfiguration" : {
            "clientId" : "<client-id>",
            "clientSecret" : "<client-secret>",
            "responseType" : "code",
            "authorizationType" : "authorization_code",
            "scope" : "phone email address openid profile",
            "redirectURI" : "https://<APIM-hostname>:<APIM-port>/store/jagg/jaggery_oidc_acs.jag",
            "postLogoutRedirectURI" : "https://<APIM-hostname>:<APIM-port>/store/",
            "clientAlgorithm" : "RS256"
          }
        },

      Make sure to replace the following placeholders with actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_STORE service provider.
      • <IdP-hostname> - Replace this with the hostname of the IdP.
      • <IdP-port> - Replace this with the IdP port.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the WSO2 API-M port.

      Example

      In this example, WSO2 IS is configured with a port offset of 1, so it listens on port 9444.

      "oidcConfiguration" : {
          "enabled" : "true",
          "issuer" : "API_STORE",
          "identityProviderURI" : "https://localhost:9444/oauth2/token",
          "authorizationEndpointURI" : "https://localhost:9444/oauth2/authorize",
          "tokenEndpointURI" : "https://localhost:9444/oauth2/token",
          "userInfoURI" : "https://localhost:9444/oauth2/userinfo",
          "jwksURI" : "https://localhost:9444/oauth2/jwks",
          "logoutEndpointURI" : "https://localhost:9444/oidc/logout",
          "authHttpMethod": "POST",
          "clientConfiguration" : {
            "clientId" : "AA5qAA8mr54JJJJI5T56uF9Gvfka",
            "clientSecret" : "itGy_Y_vVaaarDP_9sKKchJgKlwca",
            "responseType" : "code",
            "authorizationType" : "authorization_code",
            "scope" : "phone email address openid profile",
            "redirectURI" : "https://wso2.am:9443/store/jagg/jaggery_oidc_acs.jag",
            "postLogoutRedirectURI" : "https://wso2.am:9443/store/",
            "clientAlgorithm" : "RS256"
          }
        },

      Make sure to replace the following placeholders with actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_STORE service provider.
      • <IdP-hostname> - Replace this with the hostname of the WSO2 Identity Server.
      • <IdP-port> - Replace this with the WSO2 IS port.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the WSO2 API-M port.
  2. Configure the API Publisher.
    1. Navigate to the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file.
    2. Edit the oidcConfiguration section to point to the IdP that you configured in step 5.

      Format

      "oidcConfiguration" : {
            "enabled" : "true",
            "issuer" : "API_PUBLISHER",
            "identityProviderURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
            "authorizationEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/authorize",
            "tokenEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
            "userInfoURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/userinfo",
            "jwksURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/jwks",
            "logoutEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oidc/logout",
            "authHttpMethod": "POST",
            "clientConfiguration" : {
              "clientId" : "<client-id>",
              "clientSecret" : "<client-secret>",
              "responseType" : "code",
              "authorizationType" : "authorization_code",
              "scope" : "phone email address openid profile",
              "redirectURI" : "https://<APIM-hostname>:<APIM-port>/publisher/jagg/jaggery_oidc_acs.jag",
              "postLogoutRedirectURI" : "https://<APIM-hostname>:<APIM-port>/publisher/"
            }
          },

      Make sure to replace the following placeholders with actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_PUBLISHER service provider.
      • <IdP-hostname> - Replace this with the hostname of the IdP.
      • <IdP-port> - Replace this with the IdP port.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the WSO2 API-M port.
      Example

      In this example, WSO2 IS is configured with a port offset of 1, so it listens on port 9444.

      "oidcConfiguration" : {
            "enabled" : "true",
            "issuer" : "API_PUBLISHER",
            "identityProviderURI" : "https://localhost:9444/oauth2/token",
            "authorizationEndpointURI" : "https://localhost:9444/oauth2/authorize",
            "tokenEndpointURI" : "https://localhost:9444/oauth2/token",
            "userInfoURI" : "https://localhost:9444/oauth2/userinfo",
            "jwksURI" : "https://localhost:9444/oauth2/jwks",
            "logoutEndpointURI" : "https://localhost:9444/oidc/logout",
            "authHttpMethod": "POST",
            "clientConfiguration" : {
              "clientId" : "BB5qBB8mr54JJJJI5T56uH8Gvfkk",
              "clientSecret" : "hiAk_Y_vVbbbrDP_6sJJchJgKlwca",
              "responseType" : "code",
              "authorizationType" : "authorization_code",
              "scope" : "phone email address openid profile",
              "redirectURI" : "https://wso2.am:9443/publisher/jagg/jaggery_oidc_acs.jag",
              "postLogoutRedirectURI" : "https://wso2.am:9443/publisher/"
            }
          },

      Make sure to replace the following placeholders with the actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_PUBLISHER service provider.
      • <IdP-hostname> - Replace this with the hostname of the WSO2 Identity Server.
      • <IdP-port> - Replace this with the WSO2 IS port.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the WSO2 API-M port.
  3. Optionally, map the username claim with a claim of your choice.

    Note

    In order to use this feature, apply the WUM update for WSO2 API-M 2.6.0 released on 15-11-2018 (15th Nov 2018).

    Warning

    If you want to deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 API Manager when it is released. For more information on updating WSO2 API Manager using WUM, see Getting Started with WUM in the WSO2 Updates Guide.

    By default, in WSO2 API-M the username is mapped to the preferred_username claim. However, if you need WSO2 API-M to map the username to a different claim, follow the instructions below.

    1. Open both the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file and the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file.
    2. Add the usernameClaim property under the oidcConfiguration section in both files and set it to the OIDC claim to which you want to map the username.

      Format

      "oidcConfiguration" : {
       ...
       "usernameClaim" : "<oidc_claim_name>",
       ...
      }
      Example

      For example, if you want to use the user's email address as their username, configure site.json as follows:

      "oidcConfiguration" : {
       ...
       "usernameClaim" : "email",
       ...
      }

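As an added check for steps 1 to 3 above (example code written for this page, not part of the WSO2 documentation or product), the following Python script validates the oidcConfiguration section of a Store or Publisher site.json before you restart the server. It reports unreplaced <placeholders>, IdP endpoints that are not https or that disagree on host and port (an easy slip when the same host and port are copied into six fields), a redirectURI that does not point at the jaggery_oidc_acs.jag path of the right app, a postLogoutRedirectURI on a different origin, a clientAlgorithm other than the documented RS256, and a usernameClaim that none of the requested scopes releases. The embedded sample configuration is constructed from the Store example above with placeholder credentials, and the scope-to-claim table follows OpenID Connect Core 1.0; whether your IdP releases those claims under those scopes is an assumption to confirm against its own claim mapping.

```python
"""Consistency checks for the oidcConfiguration section of a WSO2 API-M
site.json (Store or Publisher). Added example, not WSO2 code."""
import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[^<>]+>")  # unreplaced <IdP-hostname>, <client-id>, ...
IDP_ENDPOINT_KEYS = ("identityProviderURI", "authorizationEndpointURI", "tokenEndpointURI",
                     "userInfoURI", "jwksURI", "logoutEndpointURI")
# Standard claims released by each scope (OpenID Connect Core 1.0, section 5.4).
# Assumption: the IdP uses this standard mapping; custom claim mappings differ.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
# Constructed sample: the Store example from the page plus a mapped username
# claim (step 3); the credentials are placeholders, not real ones.
SAMPLE_STORE_CONFIG = {
    "enabled": "true", "issuer": "API_STORE", "authHttpMethod": "POST",
    "identityProviderURI": "https://localhost:9444/oauth2/token",
    "authorizationEndpointURI": "https://localhost:9444/oauth2/authorize",
    "tokenEndpointURI": "https://localhost:9444/oauth2/token",
    "userInfoURI": "https://localhost:9444/oauth2/userinfo",
    "jwksURI": "https://localhost:9444/oauth2/jwks",
    "logoutEndpointURI": "https://localhost:9444/oidc/logout",
    "usernameClaim": "email",
    "clientConfiguration": {
        "clientId": "EXAMPLE-CLIENT-ID", "clientSecret": "EXAMPLE-CLIENT-SECRET",
        "responseType": "code", "authorizationType": "authorization_code",
        "scope": "phone email address openid profile",
        "redirectURI": "https://wso2.am:9443/store/jagg/jaggery_oidc_acs.jag",
        "postLogoutRedirectURI": "https://wso2.am:9443/store/",
        "clientAlgorithm": "RS256",
    },
}


def check_oidc_configuration(cfg, app):
    """Return the problems found in one oidcConfiguration dict; [] means consistent."""
    if app not in ("store", "publisher"):
        raise ValueError("app must be 'store' or 'publisher'")
    problems = []
    # 1. No <placeholder> may survive anywhere in the section.
    for ph in sorted(set(PLACEHOLDER.findall(json.dumps(cfg)))):
        problems.append(f"placeholder {ph} has not been replaced")
    # 2. The issuer must name the service provider registered for this app.
    expected_issuer = "API_STORE" if app == "store" else "API_PUBLISHER"
    if cfg.get("issuer") != expected_issuer:
        problems.append(f'"issuer" should be {expected_issuer}')
    # 3. Every IdP endpoint must be https, and all of them must share one host:port.
    by_host = {}
    for key in IDP_ENDPOINT_KEYS:
        url = urlparse(cfg.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} is not an https URL")
        by_host.setdefault(url.netloc, []).append(key)
    if len(by_host) > 1:
        majority = max(by_host, key=lambda h: len(by_host[h]))
        for netloc, keys in by_host.items():
            if netloc != majority:
                problems.append(f"{', '.join(keys)} -> {netloc!r}, the other IdP endpoints use {majority!r}")
    # 4. Client side: code flow, https redirect into the right Jaggery app, same-origin logout, RS256.
    client = cfg.get("clientConfiguration", {})
    if (client.get("responseType"), client.get("authorizationType")) != ("code", "authorization_code"):
        problems.append("client must use responseType=code with authorizationType=authorization_code")
    redirect = urlparse(client.get("redirectURI", ""))
    expected_path = f"/{app}/jagg/jaggery_oidc_acs.jag"
    if redirect.scheme != "https" or redirect.path != expected_path:
        problems.append(f"redirectURI must be an https URL with path {expected_path}")
    logout = urlparse(client.get("postLogoutRedirectURI", ""))
    if (logout.scheme, logout.netloc) != (redirect.scheme, redirect.netloc):
        problems.append("postLogoutRedirectURI must be on the same origin as redirectURI")
    alg = client.get("clientAlgorithm")
    if alg is not None and alg != "RS256":
        problems.append(f"clientAlgorithm {alg!r} differs from the documented RS256")
    # 5. The claim used as the username must be released by a requested scope
    #    (the default, preferred_username, comes with the profile scope).
    scopes = set(client.get("scope", "").split())
    if "openid" not in scopes:
        problems.append('"scope" must include openid')
    released = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    username_claim = cfg.get("usernameClaim", "preferred_username")
    if username_claim not in released:
        problems.append(f"username claim {username_claim!r} is not released by scopes {sorted(scopes)}")
    return problems


if __name__ == "__main__":
    # A typical slip: one endpoint copied with API-M's own port instead of the IdP's.
    slipped = dict(SAMPLE_STORE_CONFIG, userInfoURI="https://localhost:9443/oauth2/userinfo")
    for cfg in (SAMPLE_STORE_CONFIG, slipped):
        print(check_oidc_configuration(cfg, "store") or "OK")
```

To run it against a real deployment, load the file with json.load (site.json is assumed here to be plain JSON), take its "oidcConfiguration" member, and pass that dict together with "store" or "publisher" to check_oidc_configuration; an empty list means the section is internally consistent, which is a prerequisite for, not proof of, a working login.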
Step 7 - Import the public certificate of the Identity Provider

...