In this community call, we will discuss extending WSO2 API Manager's key management capabilities including:
- An overview of key manager connectors in WSO2 API Manager
- Implementing a custom key manager connector
- GUI features of the connectors for easier configuration
- Event-based token revocation
Resources:
- https://github.com/wso2-extensions/apim-km-auth0
Sign up to get notified of future calls: https://bit.ly/373f4ae
WSO2 API Manager Community Channels:
- Slack: https://apim-slack.wso2.com
- Twitter: https://twitter.com/wso2apimanager
4. Agenda
● Recap
● An overview of key manager connectors in WSO2 API Manager
● Implementing a custom key manager connector
● GUI features of the connectors for easier configuration
● Event-based token revocation
● Q&A
6. Quick Recap
● Key manager as a component
● Operations of the Key Manager
⦿ Token generation/revocation
⦿ Authentication and authorization
⦿ Federation and more...
● How the Key Manager has evolved
⦿ Before API-M 1.9.0: tightly coupled Key Manager
⦿ API-M 1.9.0 - 3.1.0: Key Manager extensions
⦿ From API-M 3.2.0: connectors and pure 3rd-party key managers
Watch API Key Manager (Community Call #10) @ API Life on YouTube
7. An Overview of Key Manager Connectors in WSO2 API Manager
8. Why 3rd-Party Key Managers and Why We Need a Connector?
We have to use a 3rd-party Key Manager because
● The organization/client already has a key management solution in place
● Organizational policies require it
We need a connector because key managers
● Can have different sets of configurations
● Support different functionalities
● Use different API endpoints, etc.
12. Advantages of a Key Manager Connector
● Easily deployable
● Configure multiple Key Managers at the same time
● Configurable per API
● No file-based configurations
13. Available Key Manager Connectors
● WSO2 Identity Server
● Okta
● Keycloak
● Ping
● Auth0
15. How a Key Manager Connector is Implemented
● Carbon feature project (OSGi bundle)
● Uses the Key Manager’s public APIs
● Extends the AbstractKeyManager class
⦿ Overrides the common key manager functions
⦾ Creating applications
⦾ Generating tokens, etc.
● Implements KeyManagerConnectorConfiguration
⦿ Defines the Key Manager specific configuration options
⦾ Required admin credentials
⦾ Application related configuration
16. Project Structure
● Component
⦿ The implementation of the connector (source code)
● Feature
⦿ Builds the component zip file with all the required resources
More info: How to write a WSO2 Carbon Component
17. Auth0OAuthClient.java
● Extends the AbstractKeyManager class
● Overrides the required methods

Method                          Description
loadConfiguration()             Loads the key manager configuration and initializes the key manager client
createApplication()             Creates an OAuth application in the key manager
getNewApplicationAccessToken()  Generates an access token for the application
getTokenMetaData()              Validates a token and returns its metadata
18. Auth0ConnectorConfiguration.java
● Implements the KeyManagerConnectorConfiguration interface
● Service component of the connector (registered as an OSGi service)
● Used to define the key manager specific configuration parameters
● Dynamically generates the UI from those parameters

Method                          Description
getConnectionConfigurations()   Returns the key manager’s connection-related configuration, i.e. admin credentials, token endpoint
getApplicationConfigurations()  Returns the key manager’s application-related configuration, i.e. the parameters asked for when an OAuth application is created
getType()                       Returns the key manager type
getDisplayName()                Returns the display name shown for this key manager type in the Admin Portal
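The configuration side of a connector (slides 15 to 18), as an added example that is not code from apim-km-auth0 or any other WSO2 source. It is written for a hypothetical key manager type "acme": the package, class, parameter names and tooltips are invented. The ConfigurationDto constructor argument order, the getImplementation()/getJWTValidator() methods and the OSGi Declarative Services annotation follow the structure of the existing 3.2.x connectors and should be checked against the carbon-apimgt version you build against; the component depends on org.wso2.carbon.apimgt.api and the OSGi DS annotation jar, as in the Auth0 connector's pom.

```java
package org.example.apim.km.acme; // hypothetical package

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.osgi.service.component.annotations.Component;
import org.wso2.carbon.apimgt.api.model.ConfigurationDto;
import org.wso2.carbon.apimgt.api.model.KeyManagerConnectorConfiguration;

/**
 * Declares the form fields API Manager renders for the (hypothetical) "acme"
 * key manager. API-M discovers this bean as an OSGi service, so no file-based
 * configuration is involved; the admin-entered values are handed to the
 * AbstractKeyManager subclass in loadConfiguration().
 */
@Component(name = "acme.km.configuration.component", immediate = true,
        service = KeyManagerConnectorConfiguration.class)
public class AcmeConnectorConfiguration implements KeyManagerConnectorConfiguration {

    // Parameter keys; the same strings are read back with
    // KeyManagerConfiguration.getParameter(...) in the client class (assumed names)
    public static final String TYPE = "acme";
    public static final String MGMT_API_URL = "management_api_url";
    public static final String CLIENT_ID = "client_id";
    public static final String CLIENT_SECRET = "client_secret";
    public static final String APP_TYPE = "application_type";

    @Override
    public String getImplementation() {
        // Fully qualified name of the AbstractKeyManager subclass (the counterpart of
        // Auth0OAuthClient); that class is assumed to live in this hypothetical package
        return "org.example.apim.km.acme.AcmeOAuthClient";
    }

    @Override
    public String getJWTValidator() {
        return null; // null keeps API-M's default JWT validator
    }

    @Override
    public List<ConfigurationDto> getConnectionConfigurations() {
        // Rendered under Admin Portal > Key Managers > Add New Key Manager.
        // Argument order assumed: name, label, type, tooltip, default, required, mask, values, multiple
        List<ConfigurationDto> fields = new ArrayList<>();
        fields.add(new ConfigurationDto(MGMT_API_URL, "Management API URL", "input",
                "Base URL of the key manager's management API", "", true, false,
                Collections.emptyList(), false));
        fields.add(new ConfigurationDto(CLIENT_ID, "Client ID", "input",
                "Client ID of the service application allowed to create OAuth apps", "", true, false,
                Collections.emptyList(), false));
        // mask = true: the admin credential is hidden in the UI instead of echoed back in clear text
        fields.add(new ConfigurationDto(CLIENT_SECRET, "Client Secret", "input",
                "Client secret of the service application", "", true, true,
                Collections.emptyList(), false));
        return fields;
    }

    @Override
    public List<ConfigurationDto> getApplicationConfigurations() {
        // Rendered in Developer Portal > Application > OAuth2 Tokens when keys are generated;
        // the chosen value reaches createApplication() through the OAuthAppRequest
        List<ConfigurationDto> fields = new ArrayList<>();
        fields.add(new ConfigurationDto(APP_TYPE, "Application Type", "select",
                "Type of OAuth application to create in the key manager", "web", false, false,
                Arrays.asList("web", "native", "spa"), false));
        return fields;
    }

    @Override
    public String getType() {
        return TYPE;
    }

    @Override
    public String getDisplayName() {
        return "Acme";
    }
}
```

The one security-relevant flag here is the mask argument on the secret field: connection configuration is stored by API-M and shown again in the Admin Portal, so any admin credential the connector asks for should be declared masked and marked required, while non-secret values such as the management API URL stay visible for troubleshooting.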
19. Build and Deploy
● Build the project with Maven
mvn clean install
● Copy {PROJECT_HOME}/components/<package-name>/target/{CONNECTOR_NAME}-{Version}.jar into the {API-M_HOME}/repository/components/dropins directory
● Start the WSO2 API Manager server
./wso2server.sh or wso2server.bat
21. GUI Features of a Key Manager Connector
● Use the WSO2 API Manager admin portal to add a Key Manager
● UI based, dynamic configuration generation for KM specific configs
⦿ Connection and application configuration
● API and application level Key Manager configuration
⦿ Select which key manager should be used with an API
⦿ Configure key manager specific application parameters
22. Dynamic Configuration Generation - Admin Portal
Admin Portal > Key Managers > Add New Key Manager > Auth0
Configuration related to the Key Manager APIs
23. Dynamic Configuration Generation - Developer Portal
Developer Portal > Application > OAuth2 Tokens
Configuration related to applications created in the Key Manager
25. Event-based Token Revocation
● On revocation, the gateway caches need to be invalidated and the revoked token information has to be persisted
● When the Key Manager is externalized, there has to be a mechanism to notify the gateways
● The Key Manager has to push the revoked token information to API Manager (WSO2 Identity Server: revocation event; Okta: event hooks)
● The mechanism therefore depends on the Key Manager in use
● Currently implemented for WSO2 Identity Server
26. Event-based Token Revocation - Message Flow
● The user invokes the revoke endpoint with the token to be revoked
● The Key Manager invokes the /internal/data/v1/notify endpoint of the Traffic Manager with the revoked token information
● The Traffic Manager processes the revoked token information and persists the revoked token signature in the DB
● The Traffic Manager generates the token revocation event and sends it to the gateways via JMS
● Each Gateway invalidates the token caches relevant to the revoked token
● The revoked token’s jti (JWT ID claim) is added to the revoked token map in the Gateway
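The message flow above as an added stand-alone model; this is not API Manager code. The Traffic Manager's DB and JMS topic are replaced by an in-memory map and a BlockingQueue, the field set of the revocation event is assumed, and the tokens are unsigned test tokens constructed inside the program (signature verification is a separate step in the real gateway and is left out). The model makes two points the slide leaves implicit: the gateway has to consult the revoked map before it trusts its own validation cache, and the revoked map has to be pruned by token expiry or it grows without bound.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** In-memory model of slide 26: key manager -> Traffic Manager -> JMS -> gateway. */
public class TokenRevocationFlow {

    /** Event the Traffic Manager publishes to gateways. The field set is assumed for this example. */
    static final class RevocationEvent {
        final String jti;
        final long expiresAt;   // epoch seconds; lets every consumer drop the entry once the token is dead
        RevocationEvent(String jti, long expiresAt) { this.jti = jti; this.expiresAt = expiresAt; }
    }

    /** The claims this flow needs from a JWT access token. */
    static final class Jwt {
        final String jti; final long exp; final String signature;
        Jwt(String jti, long exp, String signature) { this.jti = jti; this.exp = exp; this.signature = signature; }
    }

    private static final Pattern JTI = Pattern.compile("\"jti\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Parses JWS compact form without a JSON library; enough for jti/exp in this model. */
    static Jwt parse(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a JWS compact token");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher jti = JTI.matcher(payload);
        Matcher exp = EXP.matcher(payload);
        if (!jti.find() || !exp.find()) throw new IllegalArgumentException("jti or exp claim missing");
        return new Jwt(jti.group(1), Long.parseLong(exp.group(1)), parts[2]);
    }

    /** Traffic Manager side: persists the revoked signature and fans the event out to gateways. */
    static final class TrafficManager {
        final Map<String, Long> revokedSignatures = new ConcurrentHashMap<>(); // DB stand-in: signature -> expiry
        final BlockingQueue<RevocationEvent> topic;                            // JMS topic stand-in
        TrafficManager(BlockingQueue<RevocationEvent> topic) { this.topic = topic; }

        /** What the key manager calls after a revoke (the /internal/data/v1/notify endpoint in API-M). */
        void notifyRevoked(String revokedToken) {
            Jwt jwt = parse(revokedToken);
            revokedSignatures.put(jwt.signature, jwt.exp);
            topic.add(new RevocationEvent(jwt.jti, jwt.exp));
        }
    }

    /** Gateway side: a key-validation cache plus the revoked-jti map fed by JMS events. */
    static final class Gateway {
        final Map<String, Boolean> validationCache = new ConcurrentHashMap<>(); // jti -> cached verdict
        final Map<String, Long> revokedJti = new ConcurrentHashMap<>();         // jti -> expiry

        void onRevocationEvent(RevocationEvent e) {
            revokedJti.put(e.jti, e.expiresAt);
            validationCache.remove(e.jti);   // a cached "valid" verdict must not outlive the revocation
        }

        boolean authorize(String token, long now) {
            Jwt jwt = parse(token);
            if (jwt.exp <= now) return false;                  // expired: reject without touching any map
            if (revokedJti.containsKey(jwt.jti)) return false; // revoked: checked before the cache is consulted
            Boolean cached = validationCache.get(jwt.jti);
            if (cached != null) return cached;
            boolean valid = true;  // stand-in for the real signature/introspection check against the key manager
            validationCache.put(jwt.jti, valid);
            return valid;
        }

        /** Drops revoked entries whose token is rejected by exp anyway, so the map stays bounded. */
        int purgeExpired(long now) {
            int before = revokedJti.size();
            revokedJti.values().removeIf(exp -> exp <= now);
            return before - revokedJti.size();
        }
    }

    /** Constructed test token in JWS compact form; the third segment is a placeholder, not a signature. */
    static String mintToken(String jti, long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(("{\"jti\":\"" + jti + "\",\"exp\":" + exp + "}")
                .getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".sig-" + jti;
    }

    public static void main(String[] args) throws InterruptedException {
        BlockingQueue<RevocationEvent> topic = new LinkedBlockingQueue<>();
        TrafficManager trafficManager = new TrafficManager(topic);
        Gateway gateway = new Gateway();
        long now = 1_700_000_000L;
        String token = mintToken("jti-001", now + 3600);

        System.out.println("before revoke: " + gateway.authorize(token, now));   // verdict is now cached
        trafficManager.notifyRevoked(token);                                      // user hit the revoke endpoint
        gateway.onRevocationEvent(topic.take());                                  // JMS delivery to the gateway
        System.out.println("after revoke:  " + gateway.authorize(token, now));
        System.out.println("purged after expiry: " + gateway.purgeExpired(now + 3600));
    }
}
```

The ordering inside authorize() is the part worth copying: expiry first, revoked map second, cache last. If the cache were checked first, a gateway that validated the token a moment before the JMS event arrived would keep serving it for the whole cache TTL, which is exactly the window event-based revocation exists to close. Delivery is at-least-once in practice, so onRevocationEvent() is written to be idempotent.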
28. More Info
● API Key Manager (Community Call #10) @ API Life
https://www.youtube.com/watch?v=a37MHagB8So&list=PLC7QzKjxCjo2GBxVc0Rr0LXyNryZVwAts&index=9
● Securing APIs with WSO2 API Manager and Okta, WSO2 Webinar
https://www.youtube.com/watch?v=z9mXnC-0clo
30. Next Session
● Thursday, February 18, 2021
● Click on the community call page link to get notified of the next call or submit your topic suggestions
⦿ Page - https://wso2.com/community/api-management/#CommunityCall
● You can join our ongoing conversations on WSO2 API Manager using the following channels
⦿ Slack invite - apim-slack.wso2.com
⦿ Twitter - @wso2apimanager
⦿ Email - dev@wso2.org
● You can find out more about our product by visiting
⦿ YouTube - bit.do/wso2apimanager
⦿ Website - WSO2