This documentation is for WSO2 API Manager 1.10.0 View documentation for the latest release.
Page Comparison - Configuring a Third-Party Key Manager (v.10 vs v.11) - API Manager 1.10.0 - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Download the binary located here  and  and deploy it in a tomcat server. Alternatively, you can build the OAuth Server from scratch and start the server by issuing the  mvn jetty:run command in the api-authorization-server-war folder. 


    Tip: We have done the following changes to the Web application you just downloaded:

    • file is copied to the classpath.
    • All the URLs starting with localhost are replaced by the loop back IP (
    • org.surfnet.oaaas.noop.NoopAuthenticator authenticator is set as the default authenticator.
    • Token expiry time is increased to 99999 seconds. This ensures that the tokens issued for the Web client lasts several months.
  2. Move the Web application to the ROOT context to ensure that the Surf Oauth Web applications works on Tomcat.

    Code Block
    rm -rf tomcat7/webapps/ROOT
    mv tomcat7/webapps/surf-oauth tomcat7/webapps/ROOT
  3. Access to see the following page:
    The server is now up and running. Next, let's create a Resource Server and an OAuth Client.
  4. In Surf OAuth UI, click the Resource Servers link where all the OAuth clients are grouped together, and register a resource server representing WSO2 API Manager. Also, add two scopes named test and scope1. You will use them when creating clients.
    The front end is now registered as a distinct client with the authorization server. 
  5. Click the Access Token link and note all the tokens issued for the Web client. These tokens are obtained at the time you log in, by a Javascript client running on the browser. The same token is then used for subsequent operations.
  6. Pick an active access token from the above list. You use it to create clients through the API Manager. 
  7. Get a registration endpoint to register the client with. As Surf OAuth doesn’t support a spec-compliant client registration yet, you can use an endpoint with similar capabilities. For example, you can enable Developer Tools in Google Chrome to see the URL and the request being sent as shown below: