Adding Google as identity provider to WSO2 API Manager 2.1.0 without integrating WSO2 Identity Server


Shiva Kumar
Hi,

I have to use Google, Facebook or any third-party identity provider just to authenticate users and give access to my APIs by generating an access token in my WSO2. I know Identity Server supports it, but because of resource constraints I want this to be achieved through WSO2 API Manager only. Is there any workaround? Please suggest one.

Thank You,
Shiva Kumar

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: Adding Google as identity provider to WSO2 API Manager 2.1.0 without integrating WSO2 Identity Server

tharindue
Hi Shiva,

If the external Identity Provider supports SAML based authentication, then you can do this straight away using only the API Manager 2.1.0.

For that, you can create an IDP from the Management Console and under the Federated Authenticators, you can add SAML configuration related to the external IDP. (See the attached image IDP_Config.png).

Then, when you have the APIs published from the publisher, you can go to the store, create an application and subscribe to the published APIs. There, when you generate the keys for the application, in the Management Console you can see that a corresponding service provider gets automatically registered for that application. (See the attached image List_SPs.png).

Then, in that service provider configuration, under the Local and Outbound Authentication section, you can link the federated authenticator which you have already added as an IDP (SAML based).

This way, when the OAuth request comes to API Manager for generating an access token for the particular application (service provider), API Manager will perform the federated authentication flow.

I have tested this with an external SAML based IDP and it worked.

If you need to use Facebook, by default the Facebook federated authenticator feature is not installed in API Manager. If we can get the feature installed, then similarly we should be able to get Facebook working in the same way. However, we haven't tested that out.

Thanks,
Tharindu Edirisinghe



--

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586


Attachments: IDP_Config.png (161K), List_SPs.png (73K), SP_Config.png (81K)
Re: Adding Google as identity provider to WSO2 API Manager 2.1.0 without integrating WSO2 Identity Server

Youcef HILEM
Hi Tharindu,

Thank you for your response.

Installation of other authenticators is not possible because of
incompatibility in the dependencies.
Issue : https://github.com/wso2/carbon-apimgt/issues/4776

As long as this issue is not resolved, it is not possible to integrate other
authenticators.

Thanks
Youcef HILEM




Re: Adding Google as identity provider to WSO2 API Manager 2.1.0 without integrating WSO2 Identity Server

Shiva Kumar
In reply to this post by tharindue
Hi Tharindu,

Thank you so much for your response.
I have already registered an OAuth app with Google and got client credentials. I will state my requirement properly below; please suggest any solution.
1) I obtain WSO2 client credentials in the API store for my application.
2) I will also obtain Google OAuth app client credentials.
3) I need to configure WSO2 in such a way that when I request http://localhost:8243/authorize, it redirects to the Google authentication page.
4) The user will authenticate with Google and it will redirect to WSO2 to generate an authorization code, and WSO2 will provide me that code.
5) The user app then requests http://localhost:8243/token to get an access token to call my APIs.

Is this possible with some customization or by adding a feature that supports this flow, instead of using Identity Server 5.3.0?

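The client side of steps 3 to 5 in the message above, as an added example that is not part of the original thread or WSO2's own code: it builds the authorization request with a per-session `state`, rejects a callback whose `state` does not match, and prepares the code-for-token request. The `/authorize` and `/token` endpoints come from the post; the `https` scheme, client credentials, redirect URI and function names are assumptions made for illustration.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints named in the post; https is an assumption (credentials must not travel in clear text).
AUTHORIZE_URL = "https://localhost:8243/authorize"
TOKEN_URL = "https://localhost:8243/token"


def build_authorize_url(client_id, redirect_uri):
    """Step 3: URL the user's browser is sent to; returns (url, state)."""
    state = secrets.token_urlsafe(32)  # unguessable, stored in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Step 4: extract the authorization code, rejecting forged or failed callbacks."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 5: POST target, headers and form body for the code-for-token exchange."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value sent in step 3
    })
    return TOKEN_URL, headers, body
```

The token request is built but not sent, so the block runs offline; the `state` check is what ties the callback in step 4 to the browser session that started step 3.
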
Re: Adding Google as identity provider to WSO2 API Manager 2.1.0 without integrating WSO2 Identity Server

tharindue
Hi Shiva,

If we can get the Google authenticator [1] feature installed on APIM 2.1.0 successfully, then your requirement is possible.

I'm thinking of a solution where we manually build the authenticator to support APIM and get it installed.

I've added a few members from the API Manager Dev team to get some help here.
