This documentation is for WSO2 API Manager 1.5.0.
Page Comparison - Token APIs (v.28 vs v.29) - API Manager 1.5.0 - WSO2 Documentation


...

You can use the /authorize endpoint for the authorization code grant type of OAuth 2.0. As this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and of receiving incoming requests (via redirection) from the authorization server.
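The client side of that redirection flow, as an added example that is not part of the original page or of WSO2's own code: it builds the redirect to /authorize, ties the callback to the session with a single-use state value, and prepares the code-exchange request for the token endpoint. The parameter names are the standard OAuth 2.0 ones (RFC 6749); the host, port, client credentials and the callback URL are assumed placeholders, and the callback shown in demo() is constructed, not captured from a real server.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed deployment: the /authorize and /token paths are the ones the page names;
# host and port are placeholders for an API Manager gateway, not from the original.
AUTHORIZE_ENDPOINT = "https://apim.example.com:8243/authorize"
TOKEN_ENDPOINT = "https://apim.example.com:8243/token"


def start_authorization(client_id, redirect_uri, scope, session):
    """Build the browser redirect to /authorize (RFC 6749 section 4.1.1).

    A fresh, unguessable ``state`` is kept in the user's server-side session so
    the later callback can be matched to the request that started it.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Process the authorization server's redirect back to the client.

    Returns the form parameters for the code-exchange POST to /token
    (RFC 6749 section 4.1.3). Raises ValueError on any failure so that a forged
    or replayed callback never reaches the token endpoint.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("oauth_state", None)  # single use: consume it
    received_state = query.get("state", [None])[0]
    if expected_state is None or received_state is None:
        raise ValueError("no pending authorization for this session")
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        raise ValueError("authorization server error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        # Must equal the redirect_uri sent to /authorize, or the server rejects the exchange.
        "redirect_uri": session.pop("oauth_redirect_uri"),
    }


def client_auth_header(client_id, client_secret):
    """HTTP Basic credentials a confidential client presents at /token (RFC 6749 section 2.3.1)."""
    raw = (client_id + ":" + client_secret).encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def demo():
    """Walk one round trip with a constructed callback (no network access)."""
    session = {}
    url = start_authorization("myClientId", "https://app.example.com/cb", "openid", session)
    # Constructed: what the browser would present after the user consents at /authorize.
    callback = "https://app.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=" + session["oauth_state"]
    body = handle_callback(callback, session)
    headers = client_auth_header("myClientId", "myClientSecret")
    return url, body, headers


if __name__ == "__main__":
    print(demo())
```

The state value is consumed on the first callback, so a replayed or attacker-supplied redirect with a stale or guessed state is rejected before any code is sent to the token endpoint; the actual POST of `body` with `headers` to TOKEN_ENDPOINT is left to whatever HTTP client the application uses.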

...

WSO2 API Manager provides SAML2 Bearer Assertion Profile support as part of its OAuth 2.0 feature. WSO2 Identity Server (version 4.5.0 onwards) or any other SAML2 identity provider can act as the identity provider for SSO-enabled systems, while WSO2 API Manager acts as the OAuth authorization server. This way, an enterprise application can exchange the SAML 2.0 bearer assertion it receives when authenticating against an IdP (e.g., WSO2 Identity Server) for an OAuth 2.0 access token issued by the OAuth authorization server (e.g., WSO2 API Manager). It can then use the OAuth 2.0 token in API invocations.

The diagram below depicts this scenario:

The scenarios of the above diagram are explained below:

Scenario [1]: The user initiates the flow with a login call to an enterprise application.

Scenario [2]:

  • As the application is a SAML SP, it redirects the user to the SAML 2.0 IdP to log in.
  • The user provides credentials at the IdP and is redirected back to the SP with a SAML 2.0 token signed by the IdP.
  • The SP verifies the token and logs the user in to the application.
  • The SAML 2.0 token is stored in the user's session by the SP.

Scenario [3]:

  • The enterprise application (SP) wants to access an OAuth2-protected API resource through WSO2 API Manager.
  • The application makes a request to the API Manager to exchange the SAML2 bearer token for an OAuth 2.0 access token.
  • The API Manager validates the assertion and returns the access token.

Scenario [4]: With the returned OAuth2 access token, the application invokes APIs through WSO2 API Manager by setting the token in the Authorization header.
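Scenario [3] in code, as an added example that is not part of the original page or of WSO2's implementation: the checks an authorization server applies to a SAML 2.0 bearer assertion before issuing a token (trusted issuer, validity window, audience restriction naming the token endpoint, a subject), and the form body the SP sends to the token endpoint. The issuer and audience values stand in for the ones the Prerequisites section says must be pre-defined under <SAML2Grant>; the grant type and the `assertion` parameter follow the SAML 2.0 bearer profile for OAuth 2.0 (RFC 7522), and the exact encoding WSO2 API Manager 1.5.0 expects should be confirmed against its token endpoint documentation. The sample assertion is constructed and unsigned, so the XML Signature check that a real server must perform first is deliberately left out and noted in the code.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type

# Assumed values mirroring what the page says is pre-defined under <SAML2Grant> in
# identity.xml: the trusted IdP issuer and the audience (token endpoint) the
# assertion must be restricted to. Placeholders, not taken from the original page.
SAML2_GRANT_CONFIG = {
    "issuer": "https://idp.example.com/samlsso",
    "audience": "https://apim.example.com:8243/token",
}


def saml_tag(local_name):
    return "{%s}%s" % (SAML2_NS, local_name)


def parse_saml_timestamp(value):
    """SAML uses UTC xsd:dateTime; returns an aware datetime or None when absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml, config, now):
    """Return (True, subject) when the assertion is acceptable, else (False, reason).

    NOTE: the XML Signature is NOT verified here (that needs an XML-DSig library
    and the IdP's certificate). A real authorization server must verify it
    before trusting any of the fields checked below.
    """
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != saml_tag("Assertion") or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    issuer = (root.findtext(saml_tag("Issuer")) or "").strip()
    if issuer != config["issuer"]:
        return False, "issuer %r is not the configured IdP" % issuer
    conditions = root.find(saml_tag("Conditions"))
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = parse_saml_timestamp(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_timestamp(conditions.get("NotOnOrAfter"))
    if not_on_or_after is None:
        return False, "bearer assertion must carry NotOnOrAfter"
    if not_before is not None and now < not_before:
        return False, "assertion not yet valid"
    if now >= not_on_or_after:
        return False, "assertion expired"
    # The audience restriction must name this authorization server's token endpoint,
    # otherwise an assertion minted for some other relying party could be replayed here.
    audiences = [a.text.strip() for a in conditions.iter(saml_tag("Audience")) if a.text]
    if config["audience"] not in audiences:
        return False, "audience restriction does not name this token endpoint"
    subject = root.findtext(saml_tag("Subject") + "/" + saml_tag("NameID"))
    if not subject:
        return False, "assertion has no Subject/NameID"
    return True, subject.strip()


def build_token_request(assertion_xml):
    """Form body the SP POSTs to /token to swap the assertion for an access token."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": SAML2_BEARER_GRANT, "assertion": encoded})


def make_assertion(issuer, audience, not_before, not_on_or_after, subject="alice"):
    """Constructed, unsigned sample assertion for exercising the checks offline."""
    return (
        '<saml2:Assertion xmlns:saml2="%s" ID="_constructed" Version="2.0" IssueInstant="%s">'
        "<saml2:Issuer>%s</saml2:Issuer>"
        "<saml2:Subject><saml2:NameID>%s</saml2:NameID></saml2:Subject>"
        '<saml2:Conditions NotBefore="%s" NotOnOrAfter="%s">'
        "<saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>"
        "</saml2:Conditions></saml2:Assertion>"
    ) % (SAML2_NS, not_before, issuer, subject, not_before, not_on_or_after, audience)


if __name__ == "__main__":
    cfg = SAML2_GRANT_CONFIG
    good = make_assertion(cfg["issuer"], cfg["audience"], "2013-11-01T10:00:00Z", "2013-11-01T10:05:00Z")
    print(validate_assertion(good, cfg, parse_saml_timestamp("2013-11-01T10:02:00Z")))
    print(build_token_request(good))
```

Each rejection returns a distinct reason so the token endpoint can log why an exchange failed; what the client should see is still only a generic `invalid_grant`, since detailed reasons leak which checks an attacker has already passed.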

Prerequisites

To exchange a SAML 2.0 assertion for an OAuth 2.0 token from WSO2 API Manager, the application (acting for the end user) must hold a signed SAML 2.0 token (an encoded SAML 2.0 assertion) obtained by authenticating against a SAML 2.0 Identity Provider (for example, WSO2 Identity Server 4.5.0). When requesting such a signed token from the IdP, the end user must pass attributes such as the SAML 2.0 issuer name and the restricted audience in the SAML 2.0 authentication request. The same attributes (issuer name, restricted audience and token endpoint) must also be pre-defined under the <SAML2Grant> configuration element in identity.xml, located at <APIM_Home>/repository/conf. For example:

...