
I am currently working with WSO2 APIM 3.2.
I have Angular apps that use APIs exposed on WSO2 APIM.
End-users of these Angular applications authenticate and retrieve a token (OAuth2) directly from Keycloak.
WSO2 generates:

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:code>900908</ams:code>
    <ams:message>Resource forbidden </ams:message>
    <ams:description>User is NOT authorized to access the Resource. API Subscription validation failed.</ams:description>
</ams:fault> 

I understand that WSO2 wants to recognize the application that wants to use the APIs.
I would have to add an API key or a second token generated by WSO2 to the HTTP requests to authenticate my Angular applications, but:
I want to condition the use of the APIs on the presence of the token generated by Keycloak for end-users,
and no other protection/subscription.
How do I configure WSO2 for this?
Maybe there are best practices? And maybe that's not a good idea.

[image: A schema of the target]

I don't want to use an API key, but I tested it.
WSO2 allows HTTP requests if they contain the API key.
But WSO2 does not verify the token.
[image: configuration]

Thanks

Mael

1 Answer


You can configure Keycloak as a key manager in WSO2 API Manager. Please check the reference here - https://apim.docs.wso2.com/en/3.2.0/administer/key-managers/configure-keycloak-connector/#step-1-configure-keycloak.

When you log into the Developer portal, you will see Keycloak as a key manager and you can generate a key from Keycloak. Then you can use the same token to make the API request from the Developer portal.

In your case, you can get a token from Keycloak, and WSO2 uses the JWKS endpoint or the provided certificate to validate the Keycloak token.

Pubci
  • Yes, you should use the same one. – Pubci Mar 15 '23 at 09:01
  • Thanks. Must the Keycloak client used to generate the token in the Angular applications be the same one as in the Developer portal? Does WSO2 check the client id in the token? How do I set up "WSO2 uses the jwks endpoint or provided cert to validate the key cloak token"? In the Developer portal, I have to enter a Keycloak client whose access type is "credential". But in Angular apps it must be public. I modified keycloak.key.manager_2.0.2.jar (/wso2am-3.2.0/repository/components/plugins) to enter a public Keycloak client. – Mael Mar 15 '23 at 09:16