3

I have a special requirement. I want to access the WSO2 backend API, so I want to publish it on WSO2 so that my service can access WSO2's API. Can someone tell me how to do it?

Burillodev
Cherlex
  • Can you give more details on what you need? Or you just want to know how to add an API to WSO2? – pfernandom Feb 09 '17 at 15:53
  • No. What I mean is: publish WSO2's own API on WSO2, because I want to develop a new feature based on WSO2. But I don't want to modify the WSO2 source, so I develop a service which calls WSO2's API to extend WSO2. – Cherlex Feb 10 '17 at 06:55
  • You need to check this https://docs.wso2.com/display/AM1100/Create+and+Publish+an+API – lakshman Feb 10 '17 at 12:26

8 Answers

2

WSO2 API Manager exposes a REST API for operations like publish and subscribe. You can see the list of all the services here: https://docs.wso2.com/display/AM200/Published+APIs.

It also offers Swagger definition files for those same APIs: https://raw.githubusercontent.com/wso2/carbon-apimgt/v6.0.4/components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher/src/main/resources/publisher-api.yaml.

I haven't tried it, but given the fact that all you need to publish a managed API in WSO2 is a Swagger file and an existing endpoint, there is nothing preventing you from creating an API for WSO2 APIM inside itself.

pfernandom
  • But what I am confused about is authorization. How to be authorized? – Cherlex Feb 13 '17 at 12:19
  • You can get a better idea of how APIs are secured with API Manager specific security configurations by referring to this [documentation](https://docs.wso2.com/display/AM210/Working+with+Security). – Chamalee De Silva Feb 16 '17 at 06:24
  • @Cherlex please read the documents. Basically - for most of the APIs you can use basic authorization of a user having necessary permissions. For the REST publisher's API you need to request an OAuth token with `apim:api_create apim:api_view` scopes – gusto2 Nov 10 '17 at 12:06
1

Theoretically, this should be fine.

WSO2 API Manager plays the middleware role for its own APIs just as for any other third-party API.

Let's say that you want to publish any of the Admin APIs of the API Manager through the API Manager itself. You just need to add endpoint information just as you would do for any other API. Then, once a user wants to access the API, they have to first get an access token by calling the token endpoint, then use that token to execute the published API.

Nipun Thathsara
0

Access your API-Manager on: http://localhost:9443/publisher

  • Click on your api
  • Click on tab "Lifecycle"
  • Click on "Publish"
Andre Conjo
0

By WSO2 API, are you referring to WSO2 API Manager? Because you can also implement APIs using WSO2 ESB.

You can have more control over the code of the API using WSO2 ESB, but you cannot have throttling and other controls using ESB; you have to use APIM.

0

You should have an endpoint to connect your API. Then follow the steps below:

  1. Log in to your API Manager (Publisher) instance.
  2. + Add new API
  3. If you have an endpoint: Click on Design a new Rest API
  4. Fill the values like name, context, version and description.
  5. Add a new API Specification. (i.e: GET /test)
  6. Click on Next:Implement
  7. Select Managed API
  8. Endpoint Type: HTTP/REST Endpoint
  9. Endpoint: Fill your endpoint's url without context.
  10. Click on Next: Manage
  11. Fill values like type of subscription.
  12. If you have a public API, don't forget to change the second column of your API specification resources. Change the value to: None
  13. Click on Save & Publish
  14. Go to WSO2 Store and check
Pratham
xTai
0

While going through the answers and the replies that you have provided, I believe you know how to publish an API with a WSO2 API as an endpoint. However, your concern is how to handle the authorization since the backend itself needs a valid OAuth token to be invoked? Please correct me if my understanding is wrong.

If that is the case, I believe you can simply achieve it with the help of a custom mediation. The sample mediation below invokes the token endpoint and generates a token. Once the token is generated you can simply add that to the request header.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<sequence name="simple-token-gen" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
    <!-- Read the cached token and its issue time from the local registry -->
    <property description="access_token" expression="get-property('registry', 'local:/api-backend-credentials/pizzaOrderingAPI/access_Token')" name="access_token" scope="default" type="STRING"/>
    <property description="generated_time" expression="get-property('registry','local:/api-backend-credentials/pizzaOrderingAPI/generated_Time')" name="generated-time" scope="default" type="LONG"/>
    <!-- Placeholder: base64 of clientKey:clientSecret; replace before deploying -->
    <property description="client_credentials" name="app-client-auth" scope="default" type="STRING" value="{base64encoded(clientKey:clientSecret)}"/>
    <!-- Save the original body and resource path; the token call below overwrites both -->
    <property expression="json-eval($)" name="message-body" scope="default" type="STRING"/>
    <property expression="get-property('axis2','REST_URL_POSTFIX')" name="resource" scope="default" type="STRING"/>
    <!-- Refresh when the cached token is older than 3600000 ms (1 hour) or missing -->
    <filter description="" xpath="get-property('SYSTEM_TIME') - get-property('generated-time') > 3600000 or get-property('access_token') = ''">
        <then>
            <payloadFactory media-type="xml">
                <format>
                    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                        <soapenv:Body>
                            <root xmlns="">
                                <grant_type>client_credentials</grant_type>
                            </root>
                        </soapenv:Body>
                    </soapenv:Envelope>
                </format>
                <args/>
            </payloadFactory>
            <header expression="fn:concat('Basic ', get-property('app-client-auth'))" name="Authorization" scope="transport"/>
            <header name="Content-Type" scope="transport" value="application/x-www-form-urlencoded"/>
            <property description="messageType" name="messageType" scope="axis2" type="STRING" value="application/x-www-form-urlencoded"/>
            <property description="REST_URL_POSTFIX" name="REST_URL_POSTFIX" scope="axis2" type="STRING" value=""/>
            <!-- Blocking POST to the token endpoint with Basic client authentication -->
            <call blocking="true">
                <endpoint name="token">
                    <http method="post" uri-template="{token-endpoint-url}"/>
                </endpoint>
            </call>
            <!-- Restore the resource path, cache the new token and its timestamp, set the Bearer header -->
            <property expression="get-property('resource')" name="REST_URL_POSTFIX" scope="axis2" type="STRING"/>
            <property description="generated Time Setter" expression="get-property('SYSTEM_TIME')" name="local:/api-backend-credentials/pizzaOrderingAPI/generated_Time" scope="registry" type="LONG"/>
            <property description="generated_token" expression="json-eval($.access_token)" name="generated-access-token" scope="default" type="STRING"/>
            <property description="new Token setter" expression="get-property('generated-access-token')" name="local:/api-backend-credentials/pizzaOrderingAPI/access_Token" scope="registry" type="STRING"/>
            <header expression="fn:concat('Bearer ', get-property('generated-access-token'))" name="Authorization" scope="transport"/>
            <!-- Restore the original request body -->
            <payloadFactory media-type="json">
                <format>
                    $1
                </format>
                <args>
                    <arg evaluator="xml" expression="get-property('message-body')"/>
                </args>
            </payloadFactory>
        </then>
        <else>
            <!-- Cached token is still valid: reuse it -->
            <header expression="fn:concat('Bearer ', get-property('access_token'))" name="Authorization" scope="transport"/>
        </else>
    </filter>
</sequence>
```

Replace the placeholders with corresponding values.

  • {base64encoded(clientKey:clientSecret)} - The client key and client secret, separated by a colon and base64 encoded.
  • {token-endpoint-url} - The token endpoint URL of the backend authorization server.

I believe this helps you with your concern.
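An added example (not part of the answer above, and not WSO2 code): the sequence's cache-or-refresh decision in Python, generalized to expire the token from the server's `expires_in` minus a safety margin instead of a fixed 3600000 ms, and to fail closed when no token comes back. The class name, the `post` transport hook, the clock, and the sample key, secret and token values are constructed; the scopes are the ones named for the publisher REST API in the comments earlier on this page.

```python
import base64
import time
from urllib.parse import urlencode


class BackendTokenCache:
    """Client-credentials token cache; `post` and `clock` are hypothetical hooks."""

    def __init__(self, client_key, client_secret, post, clock=time.time,
                 scope=None, skew=30):
        raw = f"{client_key}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(raw).decode()
        self._post, self._clock = post, clock   # post(headers, body) -> dict
        self._scope, self._skew = scope, skew
        self._token, self._expires_at = "", 0.0

    def authorization_header(self):
        # Same decision as the <filter>: refresh when the token is empty or
        # expired, but expiry follows the server's expires_in, not 3600000 ms.
        if not self._token or self._clock() >= self._expires_at:
            self._refresh()
        return "Bearer " + self._token

    def _refresh(self):
        form = {"grant_type": "client_credentials"}
        if self._scope:
            form["scope"] = self._scope
        headers = {"Authorization": self._basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        self._token, self._expires_at = "", 0.0   # fail closed on any error
        reply = self._post(headers, urlencode(form))
        if not reply.get("access_token"):
            raise RuntimeError("token endpoint returned no access_token")
        lifetime = max(int(reply.get("expires_in", 0)) - self._skew, 0)
        self._token = reply["access_token"]
        self._expires_at = self._clock() + lifetime


def demo():
    """Constructed run: fake endpoint issuing 300 s tokens, fake clock."""
    now, calls = [1000.0], []
    def fake_post(headers, body):
        calls.append((headers["Authorization"], body))
        return {"access_token": f"tok-{len(calls)}", "expires_in": 300}
    cache = BackendTokenCache("key", "secret", fake_post, clock=lambda: now[0],
                              scope="apim:api_create apim:api_view")
    seen = [cache.authorization_header(), cache.authorization_header()]
    now[0] += 271          # past expires_in (300) minus skew (30)
    seen.append(cache.authorization_header())
    return seen, calls
```

In a real deployment the `post` hook would send the form to the token endpoint over TLS with certificate verification, and the client secret would come from a secret store rather than a literal.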

0

Please note I am referring to APIM 4.0.0 in my below answer, so if you are using a different version please follow doc links specific to that APIM version. I suppose you are trying to expose one of these APIs[1] through API Manager Gateway. Please find the step by step guide below.

  1. Log into APIM publisher portal and create a REST API. Use 'Import OpenAPI' option. As the OpenAPI URL specify the link to swagger.yaml file in the carbon-apimgt release tag. For APIM 4.0.0 this would be v9.0.174.

Ex : Publisher API definition URL : https://raw.githubusercontent.com/wso2/carbon-apimgt/v9.0.174/components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1/src/main/resources/publisher-api.yaml

Devportal API Definition URL : https://raw.githubusercontent.com/wso2/carbon-apimgt/v9.0.174/components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/resources/devportal-api.yaml

As the endpoint URL of the API please provide the base URL for the product REST API you are trying to proxy. This will be auto populated from the openAPI definition but make sure to update the host and port to match your deployment.

Ex: publisher : https://<APIM_HOST>:/api/am/publisher/v2 - https://localhost:9443/api/am/publisher/v2

Devportal : https://<APIM_HOST>:/api/am/devportal/v2 - https://localhost:9443/api/am/devportal/v2

  2. APIM endpoints are OAuth2 protected. Therefore you have to provide a valid backend access token when invoking the API created in 1. To configure this we need to configure backend endpoint security for the API endpoint [2]. First register a DCR application and obtain client ID and secret by following the Authentication steps in [3]. Next configure OAuth2 endpoint security for the endpoint as shown below.

[Image: Endpoint Security Configuration]

  3. Deploy and publish the API; now you should be able to invoke it through the APIM gateway.

Note: please note that OAuth2.0 support for backend security might not be available with older API versions. In that case you will have to implement it via a custom mediation as instructed in answer [4].

[1]. https://apim.docs.wso2.com/en/4.0.0/reference/product-apis/overview/

[2]. https://apim.docs.wso2.com/en/latest/design/endpoints/endpoint-security/oauth-2.0/

[3]. https://apim.docs.wso2.com/en/4.0.0/reference/product-apis/publisher-apis/publisher-v2/publisher-v2/#section/Authentication

[4]. https://stackoverflow.com/a/68254857/16927117

naoko
-1

If I understood correctly, it makes no sense to publish WSO2 AM APIs in the API Manager. The first reason is that WSO2 AM APIs are accessed by Basic Auth, which is not implemented by default in WSO2 AM. The default security for APIs in WSO2 is OAuth2, so you would have to write an extension for that. You may check here: https://docs.wso2.com/display/AM260/apidocs/publisher/#guide

Also, these internal APIs for WSO2 AM are meant to be accessed by an admin or so, so it makes no sense to expose these as an API to be consumed by other subscribers.

Anyway, if you implemented an authenticator to run with Basic Auth, you may expose these APIs in API Manager, or expose these APIs by disabling the default OAuth2 security.

BR

Burillodev