
Securing backend with WSO2 Identity Server and WSO2 API Manager

I have an API that is exposed through WSO2 API Manager; it is secured by OAuth2, so a client must pass an API key, token or credentials in order to get access to resources. So far so good. But now I'd like to protect the backend's endpoint as well. The backend only accepts calls from API Manager (IP security), but it is open: I mean, if someone with access to APIM's host makes the call, it will be accepted, since there is no authentication between them.

I would like to use Identity Server to protect the backend, but according to the APIM documentation, the supported endpoint security types are BASIC or DIGEST.

What is the best approach to implement BASIC/Digest auth in a Spring Boot backend and use WSO2 Identity Server as the user registry? This way I can centralize every security detail in a single solution.

Thanks in advance.

If you use basic auth or any such, your backend might have to do another API call to WSO2 to validate that token. Instead, you can pass a self-contained JWT token from the API Manager to the backend, so that the backend can validate that the JWT is issued by the API Manager itself using the certificate, without relying on anything else.

This way you can verify that the call was made by API Manager, and additionally identify the end user as well from the JWT content.

Doc: https://apim.docs.wso2.com/en/latest/learn/api-gateway/passing-end-user-attributes-to-the-backend/passing-enduser-attributes-to-the-backend-using-jwt/
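To make the backend-side check in the answer concrete, here is an added example (not code from the answerer, WSO2 or the APIM documentation) of what "validate that the JWT is issued by the API Manager itself using the certificate" means in practice. It is written in Go with only the standard library so it runs offline; a Spring Boot backend would do the same steps with a JWT library. The gateway's keystore certificate is stood in for by a throwaway RSA key, the `SignJWT` side exists only to produce a token to verify, the claim names (`iss`, `sub`, `exp`) and the issuer string `wso2.org/products/am` are assumptions that should be compared against the token your APIM version actually emits, and the user name is constructed. The verifier pins the algorithm to RS256 before touching the signature, checks the signature under the gateway public key, and only then trusts the issuer, expiry and end-user claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the gateway JWT the backend acts on. Claim names are
// assumptions for this example; compare them with the token your APIM emits.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT builds a compact RS256 JWT. Only the gateway does this in a real
// deployment; it is here so the example runs offline against a throwaway key.
func SignJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyJWT is the backend-side check: alg is pinned to RS256 (no "none" or
// symmetric downgrade), the signature must verify under the gateway public key,
// the issuer must match and exp is enforced. Only then are the claims trusted.
func VerifyJWT(pub *rsa.PublicKey, token, wantIssuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the gateway key")
	}
	payloadRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payloadRaw, &c); err != nil {
		return nil, errors.New("bad payload")
	}
	if c.Issuer != wantIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	if c.Expiry == 0 || now.Unix() >= c.Expiry {
		return nil, errors.New("token expired or has no exp")
	}
	return &c, nil
}

func main() {
	// Throwaway key standing in for the gateway keystore certificate.
	gatewayKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const issuer = "wso2.org/products/am" // assumed APIM issuer; confirm in your deployment
	exp := time.Now().Add(time.Hour).Unix()
	tok, _ := SignJWT(gatewayKey, Claims{Issuer: issuer, Subject: "alice@carbon.super", Expiry: exp})
	if c, err := VerifyJWT(&gatewayKey.PublicKey, tok, issuer, time.Now()); err == nil {
		fmt.Println("accepted request for end user", c.Subject)
	}
	// Someone on the APIM host without the gateway private key cannot forge a token.
	forged, _ := rsa.GenerateKey(rand.Reader, 2048)
	bad, _ := SignJWT(forged, Claims{Issuer: issuer, Subject: "admin", Expiry: exp})
	_, err = VerifyJWT(&gatewayKey.PublicKey, bad, issuer, time.Now())
	fmt.Println("forged token rejected:", err)
}
```

The ordering matters: the header's `alg` is checked against a fixed value and the signature is verified before any payload field is read, so a request carrying a forged, re-signed, or `alg: none` token never reaches the issuer and expiry logic, let alone the business code. The public key should come from the gateway's certificate pinned in the backend's configuration, not from anything inside the token.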
