I'm working on my master's, where I have to design and prove a solution to expose some university legacy services. None of them have controlled access, so another feature needed is this security layer. To make this possible I'm using wso2 products: wso2esb to do some orchestration and message transformation; wso2is to connect to a Shibboleth IdP that already exists; and wso2am to put everything together and expose the services.
I already have the identity provider (Shibboleth) configured on wso2is. I use this http://xacmlinfo.org/2014/12/10/federation-testshib/ to prove it. To make the authentication layer, I'm not sure but I think that I can use this http://wso2.com/library/articles/2015/03/bring-your-social-identity-to-perform-organizational-authorization-actions-with-wso2-identity-server/ to make the bond between wso2is and wso2am.
But there is a use case I can't solve: wso2am gives me an OAuth-like environment to expose my private services, but how can a student (end user) manage his authorisations? I, as a student who uses a mobile app that consumes information given by an API exposed by wso2am, want to revoke these authorisations given previously to this mobile app. How can I do this?
TLDR: If wso2am uses an OAuth-like environment to expose APIs, is there a way for the end user to revoke an authorisation given previously to a mobile app that makes use of an API exposed by wso2apim?
There are two options:
1. If you have the client_id, secret and access token on hand, you can use the "revoking access tokens" part of https://docs.wso2.com/display/AM190/Token+API
2. If not, you can use the revokeAuthzForAppsByResoureOwner operation in OAuthAdminService
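As an added example (not code from the question, the answer, or WSO2 itself), this is the first option in Python: a client that holds its client_id, secret and access token revokes that token through the Token API. The gateway URL, the /revoke path and the RFC 7009-style request shape (HTTP Basic client auth plus a form-encoded `token` field) are assumptions about the WSO2 AM 1.9 Token API, not values taken from the page.

```python
import base64
import urllib.parse
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed gateway revoke endpoint (WSO2 AM listens on 8243 by default);
# adjust to the real gateway host and the path from the Token API docs.
REVOKE_URL = "https://localhost:8243/revoke"


def build_revoke_request(client_id, client_secret, token, token_type_hint=None):
    """Build the RFC 7009-style revocation request the Token API accepts.

    The client authenticates with HTTP Basic (client_id:client_secret) and
    the token to revoke travels as a form-encoded body field. Returns
    (headers, body_bytes) so the request can be inspected before sending.
    """
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(credentials).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    fields = {"token": token}
    if token_type_hint:
        fields["token_type_hint"] = token_type_hint
    return headers, urllib.parse.urlencode(fields).encode("utf-8")


def revoke_token(client_id, client_secret, token, revoke_url=REVOKE_URL):
    """Send the revocation; True on HTTP 200, False on any failure.

    RFC 7009 servers answer 200 even for unknown or already-revoked tokens,
    so True means "the token is no longer usable", not "the token existed".
    """
    headers, body = build_revoke_request(client_id, client_secret, token)
    request = urllib.request.Request(revoke_url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status == 200
    except HTTPError as err:
        # 401 means the client credentials were rejected: report, do not retry blindly
        print(f"revocation rejected: HTTP {err.code}")
        return False
    except URLError as err:
        print(f"gateway unreachable: {err.reason}")
        return False
```

The same three values (client_id, secret, token) are what a self-service "revoke this app" page for the student would need to hold on the user's behalf, so the function can sit behind such a page as well as inside the mobile app.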