This documentation is for WSO2 API Manager 2.6.0. View documentation for the latest release.



  1. Download the binary located here and deploy it in a Tomcat server.


    Alternatively, you can build the OAuth Server from scratch and start the server by issuing the mvn jetty:run command in the api-authorization-server-war folder. Detailed steps for building and starting the server are provided here.


    Tip: The Surf OAuth web application that you just downloaded has the following customizations:

    • The file is copied to the classpath.
    • All the URLs starting with localhost are replaced by the loopback IP (
    • org.surfnet.oaaas.noop.NoopAuthenticator is set as the default authenticator. As its name says, it performs no real user authentication, which is acceptable for this local walkthrough only.
    • Token expiry time is increased to 99999 seconds (roughly 28 hours), so the tokens issued for the web client stay valid long enough to complete this walkthrough without signing in again. Long-lived bearer tokens are a demo convenience; shorten the lifetime again for any real deployment.
  2. Move the web application to the ROOT context so that the Surf OAuth web application works on Tomcat.

    Code Block
    # Replace Tomcat's default ROOT application with the Surf OAuth webapp
    rm -rf tomcat7/webapps/ROOT
    mv tomcat7/webapps/surf-oauth tomcat7/webapps/ROOT
  3. Access the server to see the following page:

    The server is now up and running. 
  4. Follow the steps below to create a resource server.
    1. In Surf OAuth, click the Resource Servers link where all the OAuth clients are grouped together.
    2. Register a resource server representing WSO2 API Manager. 
    3. Add two scopes named test and scope1 and save your changes.
      You will use them when creating clients.

      The front end is now registered as a distinct client with the authorization server. 
  5.  Follow the steps to create an OAuth Client.
    1. Click the Access Tokens link and note all the tokens issued for the web client.
      These tokens are obtained at the time you sign in, by a JavaScript client running in the browser. The same token is then used for subsequent operations.
    2. Pick an active access token from the above list.
      You use it to create clients through WSO2 API Manager. 
    3. Get a registration endpoint that is needed to register the client.
      As Surf OAuth doesn't support spec-compliant client registration yet, you can use an endpoint with similar capabilities. For example, as shown below, you can enable Developer Tools in Google Chrome to capture the URL and the request that the Surf OAuth UI sends when it creates a client:


  1. Build the demo.client available at

  2. Copy the JAR files that you built into the <API-M_HOME>/repository/components/lib directory.


    If you are setting up a distributed environment, copy and paste the JAR files that you built into the respective directories given below in the Key Manager node and the Store node respectively.

    • API Key Manager - <API-M_KEY_MANAGER_HOME>/repository/components/lib

    • API Store - <API-M_STORE_HOME>/repository/components/lib

  3. Uncomment the <APIKeyManager> element in the <API-M_HOME>/repository/conf/api-manager.xml file on both the API Key Manager and the API Store, and update the values based on your third-party implementation.


    Tip: Be sure to replace the <RegistrationEndpoint> and <AccessToken> elements with the client registration endpoint (captured with Developer Tools above) and the active access token (picked from the Access Tokens list above). ConsumerKey and ConsumerSecret should be those of the resource server you created. In addition, change the <hostname> in the <IntrospectionURL> accordingly. Two caveats: the access token and consumer secret in this file let API Manager register clients and introspect tokens on your behalf, so protect api-manager.xml as you would any other credential store; and the access token is a static copy that expires after the configured lifetime (99999 seconds in this build), after which client creation through API Manager fails until you paste in a fresh token.


    The nl.surfnet.demo.SurfOAuthClient class, which is referenced in the following example, implements the Key Manager interface.

    Code Block
                <RegistrationEndpoint><Give the client registration endpoint you got in step 7></RegistrationEndpoint>
                <AccessToken><Give the access token you got in step 6></AccessToken>

    For a sample on Key Manager implementation, see the WSO2 default Key Manager implementation.
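Whatever Key Manager implementation sits behind <APIKeyManager>, the security-critical part is how it judges the answer from <IntrospectionURL>: a token must be rejected unless the server says it is active, it has not expired, it was issued to the expected client, and it carries the scopes the API requires. The following Python is an added example written for this page, not code from WSO2 API Manager or from Surf OAuth. It assumes the introspection endpoint returns an RFC 7662-style JSON object (active, exp, scope, client_id); the real Surf OAuth tokeninfo payload may name fields differently, so the KEY_* constants are the place to remap them. The sample responses at the bottom are constructed for the demo, not captured from a live server.

```python
"""Decide whether an introspected token is good enough to let an API call through.

Added example for this page, not code from WSO2 API Manager or Surf OAuth. It
models the check a custom Key Manager (such as the SurfOAuthClient class named
above) has to make on the JSON returned by the <IntrospectionURL> endpoint. The
field names follow RFC 7662 (active, exp, scope, client_id) as an assumption; if
the Surf OAuth tokeninfo payload names them differently, change the KEY_* constants.
"""
import json
import time
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Assumed (RFC 7662) member names; remap here if the server's payload differs.
KEY_ACTIVE = "active"
KEY_EXP = "exp"
KEY_SCOPE = "scope"
KEY_CLIENT_ID = "client_id"

# Small allowance for clock drift between API Manager and the token server.
# Keep it tight: every second here extends every token's usable lifetime.
CLOCK_SKEW_SECONDS = 30


@dataclass(frozen=True)
class Verdict:
    valid: bool
    reason: str
    client_id: Optional[str] = None
    scopes: FrozenSet[str] = frozenset()
    expires_at: Optional[int] = None


def validate_introspection(
    body: bytes,
    required_scopes: Iterable[str],
    expected_client_id: Optional[str] = None,
    now: Optional[int] = None,
    require_exp: bool = True,
) -> Verdict:
    """Return a Verdict for the raw introspection response `body`.

    Fails closed: anything unparsable, inactive, expired, issued to another
    client, or lacking a required scope is rejected with a reason.
    """
    now = int(time.time()) if now is None else now
    try:
        info = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return Verdict(False, "introspection response is not valid JSON")
    if not isinstance(info, dict):
        return Verdict(False, "introspection response is not a JSON object")

    # "active" is the only required member, and only a boolean true counts.
    # The string "true" or a missing field means the token is NOT accepted.
    if info.get(KEY_ACTIVE) is not True:
        return Verdict(False, "token is not active")

    client_id = info.get(KEY_CLIENT_ID)
    if expected_client_id is not None and client_id != expected_client_id:
        return Verdict(False, "token belongs to a different client", client_id=client_id)

    exp = info.get(KEY_EXP)
    if exp is None:
        if require_exp:
            return Verdict(False, "token has no expiry", client_id=client_id)
    elif isinstance(exp, bool) or not isinstance(exp, int):
        return Verdict(False, "exp is not an integer timestamp", client_id=client_id)
    elif now >= exp + CLOCK_SKEW_SECONDS:
        return Verdict(False, "token expired", client_id=client_id, expires_at=exp)

    # Scopes arrive as one space-delimited string; an empty string means none.
    raw_scope = info.get(KEY_SCOPE, "")
    if not isinstance(raw_scope, str):
        return Verdict(False, "scope is not a string", client_id=client_id, expires_at=exp)
    granted = frozenset(raw_scope.split())
    missing = frozenset(required_scopes) - granted
    if missing:
        return Verdict(False, "missing scopes: " + " ".join(sorted(missing)),
                       client_id=client_id, scopes=granted, expires_at=exp)

    return Verdict(True, "ok", client_id=client_id, scopes=granted, expires_at=exp)


# Constructed sample responses for the demo below; not captured from a real server.
SAMPLE_ACTIVE = b'{"active": true, "client_id": "apim-store", "scope": "test scope1", "exp": 1700099999}'
SAMPLE_REVOKED = b'{"active": false}'
SAMPLE_STRING_ACTIVE = b'{"active": "true", "client_id": "apim-store", "scope": "test", "exp": 1700099999}'
SAMPLE_NO_EXP = b'{"active": true, "client_id": "apim-store", "scope": "test"}'
DEMO_NOW = 1700000000  # fixed clock so the demo is reproducible

if __name__ == "__main__":
    for label, body in [("active", SAMPLE_ACTIVE), ("revoked", SAMPLE_REVOKED),
                        ("string-active", SAMPLE_STRING_ACTIVE), ("no-exp", SAMPLE_NO_EXP)]:
        v = validate_introspection(body, {"test"}, "apim-store", now=DEMO_NOW)
        print(f"{label:14} valid={v.valid} reason={v.reason}")
```

The two scopes created on the resource server earlier (test and scope1) are what `required_scopes` would hold for a given API resource. The check on `client_id` matters because the same introspection endpoint answers for every client registered with the authorization server; without it, a token issued to some unrelated application would be accepted by API Manager as long as it was active.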