
We currently use WSO2 API Manager to reach some backends. The thing is, the consumer must:

  1. First authenticate to the API Manager (Oauth)
  2. Then authenticate to the backend API (whatever security is in place, as the options the API Manager provides to handle it itself are quite poor)
  3. Make the call

I find it heavy:

  • Many calls just to do one real call.
  • Lose the "loose coupling" advantage API Managers should provide

Do you think we are doing this right? Shouldn't API Managers deal with backend authentication?

Thanks in advance for your help!

tacou_st
  • 109
  • 1
  • 9

1 Answer

1

This depends on how you want to do this. It is not mandatory to have OAuth2 protection and backend authentication. This can be done in the following ways.

  1. If you want only to allow backend authentication

Then you can set the Authentication type to None. Then OAuth2 won't apply. - https://wso2.com/blogs/cloud/oauth-and-authentication-type-application-vs-application-user/

  2. You can allow OAuth2 only

If your backend is insecure and needs a way to be exposed, this is the best option.

  3. If you need both authentications

There can be some cases where your backend is used by some other parties and there is no option to remove backend authentication. Also, you need the OAuth2 protection for the API to make it secure at the API gateway level. Then this is the option.

Hope this is clear. WSO2 has these capabilities and you can choose any option.

Pubci
  • 3,834
  • 1
  • 13
  • 28
  • Maybe I was not clear. Let's take an example: I have a third party service that provides geolocation. This service is secured by OAuth2 (token, refresh token, etc.). I want all my corporate applications to use this service through my API Manager. I expect that **no third party credentials should be stored by my applications**, but stored in my API Manager. Is this a good practice and how can I do it with WSO2 AM? – tacou_st Jun 09 '18 at 10:02
  • Yes, this is a good practice. You can expose your third-party service via API Manager. As I mentioned previously, you can make the API secure or insecure. If you secure it, your application needs a token to call the API. If you set it to insecure, then it can directly call the API. You can refer to this article on connecting to OAuth2 protected backends: https://medium.com/@menakajayawardena/wso2-how-to-using-oauth2-protected-back-ends-with-api-manager-5d7e234c61c – Pubci Jun 10 '18 at 00:58
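The pattern the comments converge on (the gateway, not the consuming apps, holds the third party's OAuth2 client secret and refresh token, and attaches the backend bearer token itself) is shown below as an added example; it is not WSO2 code, and the third party's token endpoint is a constructed in-process stand-in. It also covers two edge cases a gateway must get right: refreshing shortly before expiry to absorb clock skew, and storing a rotated refresh token returned by the provider.

```python
import time
from dataclasses import dataclass
from typing import Optional


class FakeTokenEndpoint:
    """Constructed stand-in for the third party's /token endpoint. It rotates
    the refresh token on every use, as many real providers do."""

    def __init__(self, client_secret: str, refresh_token: str):
        self.client_secret = client_secret
        self.valid_refresh = refresh_token
        self.calls = 0

    def refresh(self, client_id: str, client_secret: str, refresh_token: str) -> dict:
        if client_secret != self.client_secret or refresh_token != self.valid_refresh:
            raise PermissionError("invalid_client or invalid_grant")
        self.calls += 1
        self.valid_refresh = f"rt-{self.calls}"  # old refresh token is now dead
        return {"access_token": f"at-{self.calls}", "expires_in": 3600,
                "refresh_token": self.valid_refresh}


@dataclass
class TokenBroker:
    """Gateway-side holder of the backend credentials. Consumers never see
    client_secret or refresh_token; they only get the proxied response."""
    endpoint: FakeTokenEndpoint
    client_id: str
    client_secret: str
    refresh_token: str
    skew_seconds: int = 60          # refresh this long before nominal expiry
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.skew_seconds:
            resp = self.endpoint.refresh(self.client_id, self.client_secret, self.refresh_token)
            self._token = resp["access_token"]
            self._expires_at = now + resp["expires_in"]
            # Persist a rotated refresh token, or the next refresh fails.
            self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return self._token


def proxy_call(broker: TokenBroker, consumer_id: str, now: Optional[float] = None) -> dict:
    """Step 2 of the question, done once by the gateway: the consumer presented
    only its own API Manager token; the backend sees the broker's bearer."""
    return {"Authorization": f"Bearer {broker.token(now)}",
            "X-Forwarded-Consumer": consumer_id}
```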