1

I am currently doing a PoC on WSO2 API manager (v2.6.0). I am already having a Web application (Ex: Pizza booking) and also registered customers (end users) who is using the application for pizza booking. Now I wanted to bring the backend services of the pizza booking app such as,

  1. Choose store location,
  2. Book pizza,
  3. Track order, etc.

as APIs into the WSO2 API Manager. For this, I would create the required apis in API manager. Then I wanted to bring my existing web application users (end users) into the API manager and provide access to those apis.

What would be the best way to implement this?

  1. Bring my users under WSO2 identity server and use identity server as a key manager to my API manager?
  2. Bring my users under secondary user store/ use custom user store of API manager?

Out in that case, how would I provide access to particular API's (subscribing to API's) without logging to API manager store and subscribing manually for every user?

Also,

  1. What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?

  2. What can I do with this application?

  3. Is this same as the application we create before subscribing to an API in API manager store?

  4. Can I add users to this application and grant access to them in common?

  5. Can I subscribe to API's using this application so that all users under this application will have access to it?

Community
  • 1
  • 1
Hari krishna
  • 33
  • 4

2 Answers2

2

You can do it either way. Using IS as Key manager (if you already using IS), or adding as a secondary user store.

So, if you are already using WSO2 Identity Server in your deployment, configuring it as key manager (by sharing user stores), will automatically enable all the users in IS (with proper permission) to access the apis.

If you do not use the IS currently, the best option is to add as a secondary user store to the existing APIM deployment.

Please find the answers to the other questions below.

  1. What is the use of creating a Service provider and creating an Oauth application under Inbound authentication?
  2. What can I do with this application?
  3. Is this same as the application we create before subscribing to an API in API manager store?
  4. Can I add users to this application and grant access to them in common?
  5. Can I subscribe to API's using this application so that all users under this application will have access to it?

Answer

The Service Provider is created automatically when an Oauth application is created and generate keys. But, there are different aspects of these two entities.

  • The Service provider is generally used for generating application keys to get an access token to invoke the apis.

  • OAuth Application (when you create through API store) has several other uses such as subscribing to APIs, enforcing throttling policies for subscriptions etc.

In order to use the token generated by an Application, the respective API should be subscribed by the application. Otherwise, you will not be able to invoke that API although you have a valid access token.

You can subscribe to an API only from the OAuth application created through the API Store.

Your users can use the same OAuth application (which is created via Store portal and subscribed to an API) to generate an access token for them. That is by providing them with the application keys and using password grant type, they can generate token for them

Refer this documentation for more info on the token API and grant types. https://docs.wso2.com/display/AM260/Token+API

menaka_
  • 1,092
  • 1
  • 13
  • 23
  • Thanks for the clear explanation. Got the missing key. So the Oauth client application is for the application which is going to use the API and the access token is for the end user using the application?? – Hari krishna Feb 17 '20 at 12:44
  • Also how do I generate the access token (for end user with password grant type) with the Oauth application created while subscribing?? – Hari krishna Feb 17 '20 at 12:45
  • Yes. The Oauth application is used to generate tokens to access the particular api which is subscribed to. To generate access token from Password grant type, you need clientId, client secret. the request is curl -k -d "grant_type=password&username=&password=" -H "Authorization: Basic – menaka_ Feb 18 '20 at 02:05
1

Adding to what @Menaka has explained.

Your end-users don't have to subscribe to APIs. Only the application developer has to subscribe and embed the consumer key/secret to their app. Then the application should generate tokens for the end-users using those keypair+end user credentials.

Bee
  • 12,251
  • 11
  • 46
  • 73