[UPDATE] Besides LDAP and web-service authentication, API Cloud now supports authentication via external Identity Provider (IdP) and WSO2 Integration Cloud. See the documentation for details: Authenticate External Users for API Invocation.
Quite often APIs need to be invoked on behalf of particular end-users. For example, a typical mobile application would ask the user to authenticate and then serve the data depending on who that user is.
These end-user identities are different from the engineers who publish the API (Publishers) and the ones who subscribe to the API to develop the application invoking it (Subscribers, or developers). Let's look into how WSO2 API Cloud supports that scenario:
Here are the technical details on making this work:
Application backends typically already have some sort of LDAP store or database that stores the end-user credentials. There are two ways you can get it connected to the cloud gateway: connect the LDAP store directly, or expose a web service that validates the credentials.
If you are using the web-service option, the service needs to accept a POST invocation with the following JSON payload:
{ "credentials": { "username": "userx", "password": "mypass" } }
If the end-user record is valid, the web service should respond with the following JSON:
{ "response": { "status": "true" } }
Notes:
Token API of the cloud gateway is documented here.
For a particular application, you can have the right call generated for you directly in API Cloud's Developer Portal (API Store): go to the My Subscriptions tab, click the cURL dropdown, and select GrantType: Password:
Note: if your end-user's username is userx and your organization name in WSO2 is my_company, then instead of <USER> in the screenshot above you would pass userx@my_company.

The final step in the scenario is decoding the user identity information in your backend code. This is passed with each call in the form of a JWT token.
Here is a sample JWT token, shown as its header followed by its payload. The end-user identity is passed in the "https://wso2.org/claims/enduser" claim:
Header:
{
  "typ": "JWT",
  "alg": "NONE"
}

Payload:
{
  "iss": "wso2.org/products/am",
  "exp": 1345183492181,
  "https://wso2.org/claims/subscriber": "user.email.com@org",
  "https://wso2.org/claims/applicationname": "app2",
  "https://wso2.org/claims/apicontext": "/placeFinder",
  "https://wso2.org/claims/version": "1.0.0",
  "https://wso2.org/claims/tier": "Silver",
  "https://wso2.org/claims/enduser": "jane"
}
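The backend-side decoding step, as an added example that is not part of the original post or of WSO2's own code: it rebuilds the page's sample token in compact serialization, then extracts the end-user, subscriber and application claims while rejecting malformed or expired tokens. Two assumptions are labelled in the code: the sample's alg NONE means the token is unsigned, so decoding is not verification and the header must only be trusted on the path from the gateway (verify the signature if your gateway signs), and exp is compared in milliseconds, which is how the page's sample value reads.

```python
import base64
import json

# Claim URIs the gateway uses (from the sample token on the page).
ENDUSER_CLAIM = "https://wso2.org/claims/enduser"
SUBSCRIBER_CLAIM = "https://wso2.org/claims/subscriber"
APPNAME_CLAIM = "https://wso2.org/claims/applicationname"
# Constructed copy of the page's sample header and payload, used for the demo run.
SAMPLE_HEADER = {"typ": "JWT", "alg": "NONE"}
SAMPLE_PAYLOAD = {
    "iss": "wso2.org/products/am", "exp": 1345183492181,
    SUBSCRIBER_CLAIM: "user.email.com@org", APPNAME_CLAIM: "app2",
    "https://wso2.org/claims/apicontext": "/placeFinder",
    "https://wso2.org/claims/version": "1.0.0",
    "https://wso2.org/claims/tier": "Silver", ENDUSER_CLAIM: "jane",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_jwt(header: dict, payload: dict) -> str:
    """Compact-serialize header and payload; alg NONE means an empty signature segment."""
    dump = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{dump(header)}.{dump(payload)}."

def read_gateway_claims(token: str, now_ms: int) -> dict:
    """Decode the gateway JWT and return the identity claims the backend needs.
    Decoding is not verification (assumption: alg NONE, so nothing is signed); accept this
    header only on the trusted path from the gateway. exp is compared in milliseconds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if header.get("typ") != "JWT":
        raise ValueError("unexpected token type")
    if int(payload.get("exp", 0)) <= now_ms:
        raise ValueError("token expired")
    if ENDUSER_CLAIM not in payload:
        raise ValueError("end-user claim missing")  # no identity to act on behalf of
    return {"alg": header.get("alg"), "end_user": payload[ENDUSER_CLAIM],
            "subscriber": payload.get(SUBSCRIBER_CLAIM), "application": payload.get(APPNAME_CLAIM)}

if __name__ == "__main__":
    demo = build_sample_jwt(SAMPLE_HEADER, SAMPLE_PAYLOAD)
    print(read_gateway_claims(demo, now_ms=1345183492180))
```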
On the Configure menu, click External Users, and then select the options you need on the API Consumer Authentication tab. See Authenticate External Users for API Invocation for details.