The Key Manager handles all client, security and access token related operations. In a typical API Manager production deployment, different components talk to the Key Manager to achieve different tasks. The API Gateway connects to the Key Manager to check the validity of OAuth tokens, subscriptions and API invocations. When a subscriber generates an access token for an application using the API Store, the Store calls the API Gateway, which in turn connects to the Key Manager to create an OAuth App and obtain an access token. Similarly, to validate a token, the API Gateway calls the Key Manager, which fetches the token details from the database and validates them. For more information, see Key Manager.
The Key Manager decouples OAuth client and access token management from the rest of its operations, so that you can plug in a third-party OAuth provider to manage OAuth clients and access tokens. This guide describes the basic steps to follow when writing a Key Manager implementation that acts as the bridge between a third-party OAuth provider and the API Manager.
In this guide, we use the Surf OAuth Authorization Server to manage the OAuth clients and tokens required by the API Manager, together with a sample client implementation that consumes the APIs exposed by Surf OAuth.
Starting the authorization server
Download the binary located here and deploy it in a Tomcat server. Alternatively, you can build the OAuth Server from scratch and start it by issuing the mvn jetty:run command in the
Tip: We have made the following changes to the Web application you just downloaded:
- The apis.application.properties file is copied to the classpath.
- All URLs starting with localhost are replaced by the loopback IP (127.0.0.1).
- The org.surfnet.oaaas.noop.NoopAuthenticator authenticator is set as the default authenticator. As its name suggests, it skips real user authentication, so this setup is only suitable for a local demo.
- The token expiry time is increased to 99999 seconds (about 28 hours), so that tokens issued to the Web client do not expire during the walkthrough. Use a much shorter lifetime outside a demo.
- The Web application is moved to the ROOT context so that the Surf OAuth Web application works on Tomcat.
- Access http://127.0.0.1:8080/ to confirm that the Surf OAuth landing page is served.
The server is now up and running. Next, let's create a Resource Server and an OAuth Client.
- In the Surf OAuth UI, click the Resource Servers link (resource servers are the units under which OAuth clients are grouped) and register a resource server representing WSO2 API Manager. Also add two scopes (scope1 and a second scope); you will use them when creating clients.
The front end is now registered as a distinct client with the authorization server.
- Pick an active access token from the list of access tokens in the Surf OAuth UI. You will use it to create clients through the API Manager.
- Get a registration endpoint to register the client with. As Surf OAuth does not yet support spec-compliant dynamic client registration, you can use an endpoint with similar capabilities: for example, enable Developer Tools in Google Chrome and create a client through the Surf OAuth UI to see the URL and the request body the UI sends.
Configuring the API Manager
- Build the demo.client available at https://github.com/Rajith90/surf-oauth-demo/tree/v2.1.0 and copy the built JAR to the <KM_HOME>/repository/components/lib folder. Note that <KM_HOME> is the API Manager distribution folder where the Key Manager is set up.
- Open the <APIKeyManager> element in the <KM_HOME>/repository/conf/api-manager.xml file and change the values according to your third-party implementation.
Tip: Be sure to replace the registration endpoint and <AccessToken> elements with the client registration endpoint and the access token you obtained earlier in steps 7 and 6. The ConsumerKey and Secret should be those of the Resource Server you created. Both the access token and the consumer secret are credentials, so restrict read access to api-manager.xml accordingly. Also change the
Tip: See the WSO2 default Key Manager implementation for a sample Key Manager implementation.
Running the sample
You have now connected the API Manager to a third-party authorization server. Let's see how the API Manager creates OAuth clients at Surf OAuth when applications are registered in the API Store. In this guide, we use the WSO2 APIs to invoke this process.
- Start the API Manager.
- Log in to the API Store and create an application.
- Register an OAuth client of type PRODUCTION with the authorization server. Note that the specific parameters required by the OAuth Server are sent as JSON.
- Go to the Client Applications link in the Surf OAuth UI and note the newly created client listed there.
You have now created an application and registered an OAuth client corresponding to it. Next, let's see how tokens are validated by subscribing the SurfClient application to an API and obtaining a token.
- Log in to the API Publisher and deploy the sample API (PizzaShackAPI) if you haven't done so already.
- Assuming you still have the OAuth client created earlier, subscribe the application to this API as follows:
Let's obtain a token from the OAuth Provider.
- Go to the Edit view of the OAuth client and make sure the client_credentials grant type is enabled and a token expiration time is specified.
- Obtain a token. Replace <ConsumerKey:ConsumerSecret> with the Base64 encoded ConsumerKey:ConsumerSecret of the client application you just created.
- Update the token endpoint in the
- Update the revoke endpoint in the
- If you use the authorization code grant type to generate tokens, update the authorize endpoint in the
- Invoke the API using the token you obtained.
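The token request and API invocation of the last steps, written out as an added example; this is not code from the original page or from the Surf OAuth or WSO2 projects. It assumes the Surf OAuth token endpoint is http://127.0.0.1:8080/oauth2/token and that PizzaShackAPI is exposed by the Gateway at https://127.0.0.1:8243/pizzashack/1.0.0/menu; both are assumptions and can be overridden through the TOKEN_ENDPOINT and API_ENDPOINT variables. CONSUMER_KEY and CONSUMER_SECRET are the credentials of the OAuth client you created above.

```shell
#!/bin/sh
# Added example (not from the WSO2 or Surf OAuth projects): obtain a token from the
# third-party authorization server with the client_credentials grant and use it to
# invoke the sample API through the API Manager Gateway.
#
# Assumed values (not stated on the page; adjust to your deployment):
TOKEN_ENDPOINT="${TOKEN_ENDPOINT:-http://127.0.0.1:8080/oauth2/token}"
API_ENDPOINT="${API_ENDPOINT:-https://127.0.0.1:8243/pizzashack/1.0.0/menu}"

# Build the HTTP Basic header from "ConsumerKey:ConsumerSecret" (RFC 6749, 2.3.1).
# Base64 is an encoding, not encryption: only send this header over TLS.
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Pull the access_token value out of a JSON token response with sed only.
# Returns non-zero and prints nothing when the field is absent (for example an
# {"error":"invalid_client"} response), so a caller never uses an empty token.
extract_access_token() {
    token=$(printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || return 1
    printf '%s' "$token"
}

# Request a token with the client_credentials grant. The client credentials go in
# the Authorization header, never in the query string (which ends up in logs).
get_token() {
    curl -s -X POST "$TOKEN_ENDPOINT" \
        -H "Authorization: $(basic_auth_header "$1" "$2")" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -d 'grant_type=client_credentials'
}

# Invoke the API through the Gateway as a bearer of the token.
# -k accepts the Gateway's self-signed demo certificate; outside a local demo drop
# it and trust the Gateway's CA (curl --cacert) instead.
invoke_api() {
    curl -s -k "$API_ENDPOINT" -H "Authorization: Bearer $1"
}

# Only talk to the servers when credentials were supplied through the environment.
if [ -n "$CONSUMER_KEY" ] && [ -n "$CONSUMER_SECRET" ]; then
    response=$(get_token "$CONSUMER_KEY" "$CONSUMER_SECRET")
    access_token=$(extract_access_token "$response") || {
        printf 'token request failed: %s\n' "$response" >&2
        exit 1
    }
    invoke_api "$access_token"
fi
```

Run it as `CONSUMER_KEY=... CONSUMER_SECRET=... sh get-token.sh`. Strictly, RFC 6749 form-urlencodes the client id and secret before Base64 encoding them; that only changes the header when a key or secret contains characters such as ':' or '%', which the credentials generated here do not.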