- Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64. Encoding to base64 can be done using the URL:
Here's an example consumer key and secret combination:
- Access the Token API by using a REST client such as the
- Assuming that both the client and the API Gateway run on the same server, the Token API URL is https://localhost:8243/token
- payload - "grant_type=password&username=<username>&password=<password>&scope=<scope>". Replace the <username>, <password> and <scope> values as appropriate. <scope> is optional; you can leave it off if necessary. If you have multiple scopes, add them all separated by a space.
- headers - Authorization: Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace the <base64 encoded string> as appropriate.
For example, use the following cURL command to access the Token API. It generates two tokens: an access token and a refresh token. You can use the refresh token at the time a.
curl -k -d "grant_type=password&username=<username>&password=<password>" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
cURL command with scopes:
curl -k -d "grant_type=password&username=<username>&password=<password>&scope=<scope1> <scope2>" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
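As an added example (not part of this page or of WSO2 API Manager), the following Python assembles the same Token API request the cURL commands above send and decodes the response. Unlike the literal cURL payload, it URL-encodes the credentials; the consumer key and secret are the pair encoded in the Basic header above, and the username, password and scopes are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed example values: the key/secret pair is the one encoded in the
# Basic header of this page's cURL commands; the URL is the page's default.
CONSUMER_KEY = "IZsIi6HDbB5e8VKdZAnUi_fZ3f8a"
CONSUMER_SECRET = "Gm0bJ6oWV8fC5OQLLlC6jslACW8a"
TOKEN_URL = "https://localhost:8243/token"


def basic_auth_header(consumer_key, consumer_secret):
    """Authorization header value: 'Basic ' + base64(consumer-key:consumer-secret)."""
    raw = f"{consumer_key}:{consumer_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username, password, scopes=()):
    """Form-encode the password-grant payload; several scopes are space-separated.
    urlencode() escapes '&', '=' and '%' in the credentials, which the literal cURL
    payload does not, so a password like 'p&ss=w0rd' is not split into bogus fields."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)


def token_request(username, password, scopes=(), key=CONSUMER_KEY, secret=CONSUMER_SECRET):
    """The complete Token API request, as the cURL command would send it."""
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": basic_auth_header(key, secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": password_grant_body(username, password, scopes),
    }


def parse_token_response(body):
    """Pull the access token, refresh token, lifetime and granted scopes from the reply."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": int(data.get("expires_in", 0)),
        "scopes": data.get("scope", "").split(),
    }
```

Send the dictionary with any HTTP client; the -k in the cURL examples disables certificate verification, so keep verification on unless you are deliberately testing against a self-signed gateway certificate.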
Tip: If you define a scope for an API's resource, the API can only be accessed through a token that is issued for the scope of the said resource. For example, if you define a scope named 'update' and issue one token for the scopes 'read' and 'update', the token is allowed to access the resource. However, if you issue the token for the scope named 'read', the request to the API will be blocked.
The Token API endpoint is specified in the <APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file. When running the server on a port other than the default (i.e., 9443), or if your Key Manager is running on a different machine from your API Gateway, you must update the endpoint inside the _TokenAPI_.xml file as described in the prerequisites.
User access tokens have a fixed expiration time, which is set to 60 minutes by default. Before deploying the API manager to users, extend the default expiration time by editing the
When a user access token expires, the user can try regenerating the token as explained in the Renew user tokens section.
or Curl, with the following parameters.
- Log in to the API Manager's management console (https://localhost:9443/carbon) using the admin/admin credentials and select Add under the Identity Providers menu in the Main menu.
- Provide the following values to configure the IDP:
- Under Basic Information
- Identity Provider Name: Enter a unique name for the IDP
- Identity Provider Public Certificate: Export the public certificate of WSO2 IS and import it here.
Alternatively, you can create a self-signed key pair and export its certificate as a .cer file using the following commands (the export must name the same keystore and alias that the first command created):
keytool -genkey -alias wookie -keyalg RSA -keystore wookieKeystore.jks -keysize 4096
keytool -v -export -file wookie.cer -keystore wookieKeystore.jks -alias wookie
- Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias. E.g., https://localhost:9443/oauth2/token
- Under Federated Authenticators -> SAML2 Web SSO Configuration
- Enable SAML2 Web SSO: true
- Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IDP. You give this name when configuring the SP.
- Service Provider Entity Id: Issuer name given when configuring the SP
- SSO URL: Enter the IDP's SAML2 Web SSO URL value. E.g., https://localhost:9444/samlsso/ if you have offset the default port, which is 9443.
- Log in to the management console of the Identity Server and select Add under the Service Providers menu in the Main menu.
- Choose to edit the service provider that you just registered and select SAML2 Web SSO Configuration.
- Provide the following values to configure the SP:
- Issuer: Give any name
- Assertion Consumer URL: The URL to which the IDP sends the SAML response. E.g., https://localhost:9443/store/jagg/jaggery_acs.jag
- Enable Response Signing: true
- Enable Assertion Signing: true
- Enable Audience Restriction: true
- Audience: URL of the token API. E.g., https://localhost:9443/oauth2/token
Let's see how to get a signed SAML2 token (encoded assertion value) when authenticating against a SAML2 IDP. With the authentication request, you pass attributes such as the SAML2 issuer name, token endpoint and the restricted audience. In this guide, we use a command-line client program to create the SAML2 assertion.
Get the SAML token using the client JAR.
An example command is given below. TestSP is the name of the issuer.
java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token /home/dinusha/nothing/WSO2/API-Manager/saml-oauth/wso2is-5.0.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
You receive the consumer key and consumer secret.
Retrieve the encoded assertion string.
Use the following format in a base64-url encoder (e.g., https://www.base64encode.org/) to encode the consumer key and consumer secret that you received in step 6.
Retrieve the OAuth Access token.
Use the base64-url Encoded Assertion String that you derived in step 7 as the value for <ASSERTION_PROVIDED_BY_CLIENT> in the following command.
An example command is given below. The Authorization header carries the base64-encoded consumer-key:consumer-secret string, not the assertion, and each header is passed with its own -H option.
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<ASSERTION_PROVIDED_BY_CLIENT>&scope=PRODUCTION" -H "Authorization: Basic <base64 encoded string>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
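As an added example (not from this page or from WSO2), the following Python builds the saml2-bearer Token API request shown above and, before sending, checks the assertion's Issuer and Audience against the SP issuer and token API URL configured for the IDP and SP in the steps above. The assertion XML is a constructed, unsigned skeleton standing in for the output of SAML2AssertionCreator.jar; the consumer key, secret and endpoint are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned assertion skeleton standing in for the output of
# SAML2AssertionCreator.jar; a real one is signed and carries more elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ns7ruct3d" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>TestSP</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text, expected_issuer, token_endpoint):
    """Mirror the checks the IDP configuration above enables: the Issuer must be
    the registered SP entity id and the token API URL must appear in the Audience."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", SAML_NS)]
    problems = []
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != {expected_issuer!r}")
    if token_endpoint not in audiences:
        problems.append(f"token endpoint not in Audience {audiences}")
    return problems


def saml2_bearer_request(xml_text, consumer_key, consumer_secret, token_endpoint, scope):
    """Build the saml2-bearer Token API request. The assertion travels base64url-encoded
    in the form body; the Basic header carries only consumer-key:consumer-secret."""
    assertion = base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii")
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    return {
        "url": token_endpoint,
        "headers": {"Authorization": "Basic " + creds,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": SAML2_BEARER, "assertion": assertion, "scope": scope}),
    }
```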
- The token to be revoked
- Consumer key and consumer secret. These must be base64-encoded.