apis for api management: consume and develop apps

Post on 07-Jan-2017


APIs for API Management: Consume and Develop Apps

Lakmali Baminiwatta, Senior Software Engineer

Tharindu Dharmarathna, Associate Software Engineer

● Introduction
● Publisher REST API
● Store REST API
● Access Control and Security
● Consume APIs and Develop Apps
  ■ Register Apps and Obtain Consumer Key/Secret
  ■ OAuth Scopes
  ■ Generate Access Token
  ■ Invoke APIs
● Demo
● Q & A

● WSO2 APIM 1.10.0 is released with a new REST API for API Management.
  ○ Follows RESTful principles
  ○ Swagger API definition
  ○ Secured with OAuth
  ○ Current version: v0.9
● Apps can be developed for API Management by consuming the REST API.

● RESTful API for Publisher operations
● Apps can be developed for API Publisher functionality by consuming the APIs
  ■ API for APIs, API for Tiers, API for Subscriptions, etc.
● API definition is documented with Swagger 2.0
  ■ https://docs.wso2.com/display/AM1100/apidocs/publisher/

● RESTful API for Store operations
● Apps can be developed for API explore/consume functionality by consuming the APIs
  ■ Subscriptions API, APIs API, Tags Collection API, Tiers Collection API, etc.
● API definition is documented with Swagger 2.0
  ■ https://docs.wso2.com/display/AM1100/apidocs/store/

● By default the REST API is secured with OAuth 2.0
  ■ Resources are protected with OAuth Scopes
● Pluggable security mechanism
  ■ e.g. XACML over Basic Authentication

1. Register the application and obtain Consumer Key/Secret
   ● Dynamic Client Registration (DCR)
   ● Create Service Providers
2. Store the Consumer Key/Secret in the application
3. Generate a token for the required scopes
   ● The preferred OAuth grant type can be used
4. Invoke APIs with the access token

● Dynamic Client Registration (DCR)
  ■ DCR OAuth 2.0 Profile
● Endpoint for on-the-fly client registration
● Example: different installations of an app can get different client ID/secret pairs at installation time.
  ■ WSO2 APIM exposes a DCR endpoint secured with Basic Authentication

■ Request

POST /client-registration/v0.9/register
Authorization: Basic <Base64EncodedUserName:Pwd>

{
  "callbackUrl": "https://localhost:9443/restapp",
  "clientName": "rest_api_store",
  "tokenScope": "Production",
  "owner": "admin",
  "grantType": "password refresh_token",
  "saasApp": true
}

■ Response

{
  "callBackURL": "https://localhost:9443/restapp",
  "jsonString": "{..}",
  "clientId": "HfEl1jJPdg5tbtrxhAwybN05QGoa",
  "clientSecret": "l6c0aoLcWR3fwezHhc7XoGOht5Aa"
}

(jsonString carries the registered app details.)

[Diagram: DCR Endpoint. 1. Register Application; 2. Respond with Client ID/Secret]

● Create Service Provider
  ■ Create a service provider and register the application as an OAuth 2.0 application
  ■ Specify the app URL as the callback URL
  ■ Specify the allowed grant types for token generation

● API resources are protected by OAuth Scopes
● Enable access control for resources by role
  ■ Scope to role mapping is stored in the registry (_system/config/apimgt/applicationdata/tenant-conf.json)
● API definition shows the required scopes to access an API resource
● Need to obtain an access token with the required scopes
  ■ Ex:

    Resource     Scope
    POST /api    apim:api_create
    GET /api     apim:api_view

● Decide a suitable grant type for your app
● Generate an access token with the selected grant type
  ○ Ex:
    ■ Authorization Code Grant Type
      https://docs.wso2.com/display/AM1100/Generating+Access+Tokens+with+Authorization+Code+-+Authorization+Code+Grant+Type
    ■ Password Grant Type

      curl -k -d "grant_type=password&username=appuser&password=12@ws&scope=apim:api_view" -H "Authorization: Basic SGZFbDFqSlBkZzV0YnRyeGhBd3liTjA1UUdvYTpsNmMwYW9MY1dSM2Z3ZXpIaGM3WG9HT2h0NUFh" https://127.0.0.1:8243/token

● APIs can be invoked using the obtained access token
  ■ Ex: retrieving APIs

    curl -H "Authorization: Bearer <Access Token>" http://127.0.0.1:9763/api/am/store/v0.9/apis
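The four steps above (DCR registration, storing the credentials, token generation, API invocation) as a small Python client; this is an added example, not code from the slides or from WSO2. The endpoint path, JSON fields and curl parameters are the ones shown on the slides; the resource-to-scope table is a constructed subset of what the Swagger definition would list, and the client checks the scope the server actually granted before calling the protected resource.

```python
"""Client-side pieces of the slide's flow (DCR -> token -> API call) for the
WSO2 APIM 1.10 REST API. Added example; not WSO2's code."""
import base64
import json
import urllib.parse
import urllib.request

# Resource-to-scope table as shown on the slide (constructed subset of the Swagger definition).
REQUIRED_SCOPES = {
    ("POST", "/api"): "apim:api_create",
    ("GET", "/api"): "apim:api_view",
}


def basic_auth_header(user: str, secret: str) -> str:
    """HTTP Basic credential: username:password for the DCR endpoint,
    clientId:clientSecret for the /token endpoint."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def dcr_request_body(callback_url: str, client_name: str, owner: str, grant_types: str) -> bytes:
    """JSON body for POST /client-registration/v0.9/register (fields from the slide)."""
    body = {"callbackUrl": callback_url, "clientName": client_name, "tokenScope": "Production",
            "owner": owner, "grantType": grant_types, "saasApp": True}
    return json.dumps(body).encode()


def password_grant_body(username: str, password: str, scopes: list) -> bytes:
    """Form body for the password grant; scopes are space-separated (RFC 6749)."""
    return urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": " ".join(scopes)}).encode()


def token_covers(token_response: dict, method: str, resource: str) -> bool:
    """Check the scopes actually granted (the server drops scopes the user's role
    is not mapped to in tenant-conf.json) before calling the protected resource."""
    granted = set(token_response.get("scope", "").split())
    need = REQUIRED_SCOPES.get((method.upper(), resource))
    return need is not None and need in granted


def call_api(url: str, access_token: str):
    """Step 4 of the slide: invoke an API with the bearer token (needs a running APIM)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

With the clientId/clientSecret from the DCR response above, basic_auth_header produces exactly the Basic header used in the slide's curl token request.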

[Diagram: Authorization Code grant flow between App, User Agent and Authorization Server: Login Request → Authorization Request sent to Authorization Server → Authorization Code received → Token Generation Request → Access Token received]

○ Develop a sample app by consuming the Store REST API
