
Exchanging SAML2 bearer tokens with OAuth2 tokens in WSO2 API Manager

To get access to a managed API of WSO2 API Manager, a user has to pass an OAuth token. From APIM 1.5.0 onwards a user can exchange a SAML2 token to obtain an OAuth2 token. This feature is useful in the following use case:
Most enterprise applications use SAML2 to engage a third-party identity provider to grant access to systems that are only authenticated against the enterprise application. These enterprise applications might need to consume OAuth-protected resources through APIs, after validating against an OAuth2.0 authorization server. However, an enterprise application that already has a working SAML2.0 based Single Sign On infrastructure between itself and the IDP prefers to use the existing trust relationship, even if the OAuth authorization server is entirely different from the IDP. The SAML2 Bearer Assertion Profile for OAuth2.0 leverages this existing trust relationship: the application presents the SAML2.0 token to the authorization server, exchanges it for an OAuth2.0 access token, and then uses that OAuth token to access APIs.
WSO2 API Manager provides SAML2 Bearer Assertion Profile support with the OAuth 2.0 feature. WSO2 Identity Server (version 4.5.0 onwards) or any other SAML2 identity provider can act as the identity provider for the systems enabled with SSO. WSO2 API Manager acts as the OAuth authorization server. This way, an enterprise application can exchange the SAML2.0 bearer token that it retrieves when authenticating against an IDP (e.g., WSO2 Identity Server) for an OAuth2.0 access token from an OAuth authorization server (e.g., WSO2 API Manager). It can then use the OAuth2 token in API invocations.
SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IDP) and a SAML consumer is a service provider (SP).


[1]: The user initiates the login call to an enterprise application.
[2]:
  • As the application is a SAML Service Provider [SP], it redirects the user to the SAML2.0 IDP to log in.
  • The user provides credentials at the IDP and is redirected back to the SP with a SAML2.0 token signed by the IDP.
  • The SP verifies the token and logs the user in to the application.
  • The SAML 2.0 token is stored in the user's session by the SP.
[3]:
  • The enterprise application (SP) wants to access an OAuth2 protected API resource through WSO2 API Manager.
  • The application makes a request to the API Manager to exchange the SAML2 bearer token for an OAuth2.0 access token.
  • The API Manager validates the assertion and returns the access token.
[4]: With the OAuth access token returned in step [3], the API invocation through the API Manager succeeds.

Steps


  • A signed SAML2 token (encoded assertion value), which you retrieve when authenticating against a SAML2 IDP, is required. With the authentication request, you must pass attributes such as the SAML2 issuer name, token endpoint and the restricted audience.
    To try out SAML2 token grant type token generation with WSO2 IS/WSO2 APIM itself as the IDP, you can use the SAML2 client included here and execute that Java client with the command mentioned in it.

  • Then a Trusted Identity Provider entry for the IDP used above must be registered in WSO2 APIM, in order to use the SAML2 token generated above. Log in to the APIM management console (https://ip:port/carbon) using admin/admin credentials and select the Trusted Identity Providers sub menu from the Configure menu.

  • Provide the following values in the page that opens:
    • Identity Provider Name: Enter a unique name for the IDP [your SAML2 IDP].
    • Identity Provider Issuer: The SAML2 issuer name specified when generating the assertion token; it contains the unique identifier of the IDP.
    • Identity Provider Url: The OAuth endpoint URL to which the SAML2.0 assertion is delivered. It is set as the SAML2 assertion recipient when generating the SAML2.0 assertion token.
    • Identity Provider Public Certificate: Upload the identity provider's public certificate. You can export it with the keytool command as follows:
      keytool -export -alias {alias} -file {certificateFileNameToBeCreated} -keystore {jks_file_name}
    • Identity Provider Audience: The audience to which the SAML2 assertion is restricted. This URI is used when generating the SAML2.0 assertion token. For example, in this use case, since the SAML2 token will be used by APIM, the audience value can be https://{ip_apim:port_apim}/oauth2/token
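The validation the API Manager performs in step [3] is what the Trusted Identity Provider fields above feed: issuer, recipient URL and audience must match the registered entry, and the assertion must be within its validity window. The following is an added illustrative model of those checks, not WSO2 code; the IDP entry and the assertion are constructed placeholders, and XML signature verification against the uploaded certificate is assumed to happen separately.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed Trusted Identity Provider entry; the values mirror the console fields above.
TRUSTED_IDP = {
    "issuer": "https://idp.example.com/samlsso",               # Identity Provider Issuer (placeholder)
    "url": "https://apim.example.com:8243/token",              # Identity Provider Url (recipient)
    "audience": "https://apim.example.com:8243/oauth2/token",  # Identity Provider Audience
}

# Constructed sample assertion with placeholder values, base64-encoded as the client sends it.
SAMPLE_ASSERTION = base64.b64encode(f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_c1" Version="2.0" IssueInstant="2014-01-01T10:00:00Z">
  <saml2:Issuer>https://idp.example.com/samlsso</saml2:Issuer>
  <saml2:Subject><saml2:NameID>admin</saml2:NameID>
    <saml2:SubjectConfirmation Method="{BEARER}">
      <saml2:SubjectConfirmationData Recipient="https://apim.example.com:8243/token" NotOnOrAfter="2014-01-01T10:05:00Z"/>
    </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2014-01-01T09:59:00Z" NotOnOrAfter="2014-01-01T10:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://apim.example.com:8243/oauth2/token</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>""".encode()).decode()

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(encoded_assertion, idp, now):
    """Return (True, 'ok') or (False, reason). XML signature verification against the
    uploaded IDP certificate is assumed to run before these checks and is not modelled."""
    root = ET.fromstring(base64.b64decode(encoded_assertion))
    if root.findtext("saml2:Issuer", namespaces=NS) != idp["issuer"]:
        return False, "issuer is not the registered Trusted Identity Provider"
    conf = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    data = conf.find("saml2:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        return False, "missing bearer subject confirmation"
    if data.get("Recipient") != idp["url"]:
        return False, "recipient does not match the registered Identity Provider Url"
    if now >= parse_ts(data.get("NotOnOrAfter")):
        return False, "subject confirmation expired"
    cond = root.find("saml2:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
    if idp["audience"] not in audiences:
        return False, "audience is not the token endpoint of this API Manager"
    return True, "ok"
```

A mismatch in any of these fields is the usual reason a saml2-bearer grant is rejected, so comparing the registered entry against the assertion's Issuer, Recipient and Audience is the first thing to check when the Token API returns an error.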

  • A valid consumer key and consumer secret must be generated. Initially, these keys are generated through the API Store by clicking the Generate link on the My Subscriptions page. For more information, see Working with Access Tokens.


Invoking Token API to generate user tokens

Follow the steps below to invoke Token API to generate user tokens from SAML2 assertions.
  1. Combine the consumer key and consumer secret as consumer-key:consumer-secret and base64-encode the combined string, for example using http://base64encode.org
  2. Access the Token API using a REST client such as the WSO2 REST Client or cURL, as shown below:

    For example, the following cURL command accesses the Token API and generates an access token and a refresh token. You can use the refresh token when the access token is renewed.
    curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion={generated_saml2_token}&scope=PRODUCTION" -H "Authorization: Basic {base64encoded consumer key:secret}" https://ip_apim:port_apim/token




Comments

  1. Compared to the tool you mentioned for base64 encoding, you can also refer to that link
    url-decode.com/tool/base64-encode for base64 decode and encode, and can also avail of the dozen other web tools under that link.
