如何使用WSO2 API Manager实现OAuth2授权
[英]How to implement OAuth2 authorization with WSO2 API Manager
问题描述
I have created and published API with WSO2 API Manager. 
我使用WSO2 API Manager创建并发布了API。 API client get access through OAuth2 and client credentials grant, sending consumer key and consumer secret to request access token. API客户端通过OAuth2和客户端凭据授予访问权限,发送使用者密钥和使用者密钥以请求访问令牌。 But now I need to implement authorization by means of authorization code grant. 但现在我需要通过授权代码授权来实现授权。 I have to use client_id and client_secret of WSO2 APIM and user login form of my backend application, not WSO2 APIM user. 我必须使用WSO2 APIM的client_id和client_secret以及我的后端应用程序的用户登录表单,而不是WSO2 APIM用户。
Can anybody tell if it is possible and how it can be implemented??? 任何人都可以告诉它是否可能以及如何实施???
Documentation of WSO2 does not describe this flow and all examples I have found describe authorization process (OAuth2, authorization_code) only for user of WSO2 APIM. WSO2的文档没有描述这个流程,我发现的所有示例都只描述了WSO2 APIM用户的授权过程(OAuth2,authorization_code)。
2 个解决方案
解决方案1
0 2018-07-09 20:55:50
now I need to implement authorization by means of authorization code grant.
If you want to use your own (application) authentication form, the simplest option is to leverage the password grant type where your application sends the token request along application and user credentials through a backend service 如果要使用自己的(应用程序)身份验证表单,最简单的选项是利用密码授予类型 ,其中应用程序通过后端服务沿应用程序和用户凭据发送令牌请求
Using a code grant you suppose to use an authorization endpoint https://gateway:8243/authorize with parameters described in the documentation and indeed the default login form is used when the user is not yet authenticated 使用代码授权,您可以使用授权端点https:// gateway:8243 / authorize和文档中描述的参数,实际上当用户尚未通过身份验证时使用默认登录表单
(I still have an urge to downvote the question for not searching the documentation) (我仍然迫切希望不要搜索文档的问题)
If you still want to use the code grant type with your own authentication form, you may either customize the default logon form of the wso2 api gateway or customize an authenticator to use form of your application (this is quite advanced topic requiring configuring your own implementation and out of scope of the question/answer) 如果您仍希望将代码授予类型与您自己的身份验证表单一起使用,则可以自定义wso2 api网关的默认登录表单,也可以自定义身份验证器以使用您的应用程序表单(这是非常高级的主题,需要配置您自己的实现超出问题/答案的范围)
解决方案2
0 2018-07-10 16:13:33
You have 2 options here without any customizations. 这里有2个选项,没有任何自定义。
1) If your backend has a userstore, it can be configured as a secondary userstore for APIM. 1)如果您的后端有用户名,则可以将其配置为APIM的辅助用户。 Then you can use any user in that userstore for authentication. 然后,您可以使用该用户组中的任何用户进行身份验证。
See https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores 请参阅https://docs.wso2.com/display/ADMIN44x/Configuring+Secondary+User+Stores
2) If above option is not possible, and if your backend IDP supports any federation SSO protocols such as SAML2 or OIDC, you can configure federation using WSO2 IS. 2)如果无法使用上述选项,并且您的后端IDP支持任何联合SSO协议(如SAML2或OIDC),则可以使用WSO2 IS配置联合。
See https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation 请参阅https://docs.wso2.com/display/IS550/Single+Sign-On+and+Identity+Federation
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.