
WSO2 AM: External JWT - 900908 Resource forbidden


We use WSO2 AM based on the Docker image wso2/wso2am:4.1.0. Creating, publishing and subscribing to APIs works fine out of the box.

Task:

We want to integrate with an external OAuth provider. Our SPA handles the login and eventually retrieves the access token from the external OAuth provider. Instead of generating our own tokens, we want to use the already issued token(s) of the external OAuth provider, to enable access on a specific API in WSO2 AM. Apart from validating the JWT (exp and signature), there are no additional requirements.

Approach so far:

Without any modifications we receive the following logs and responses while accessing an API with an unknown JWT, as expected:

WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials

{
  "code": "900901",
  "message": "Invalid Credentials",
  "description": "Access failure for API: /test/v1, version: v1 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials"
}

After following the documentation at JWT Access Tokens - WSO2 API Manager Documentation 4.1.0 we obviously managed to basically validate the external token. Log message and response did change to:

WARN - APIAuthenticationHandler API authentication failure due to Resource forbidden

{
  "code": "900908",
  "message": "Resource forbidden ",
  "description": "Resource forbidden "
}

Unfortunately the documentation ends here, or I'm not able to find the proper follow up steps. We probably need to create an Application, tie it to the external OAuth provider and subscribe to the API.

I tried to create a new Application in the DeveloperPortal, but apart from configuring the local OAuth2 settings, there are no available options to use an external OAuth provider. I also tried to create a new Service Provider as described in Provisioning Out-of-Band OAuth Clients - WSO2 API Manager Documentation 4.1.0, which at least gave me the option to configure it in an Application in the DeveloperPortal. But apart from the JWKS settings in the Service Provider, I was not able to find any hints on how to tie it to the external OAuth provider.

Any help is appreciated!


Solution

  • The Resource forbidden error comes when there is no valid subscription to the API. Subscription validation in APIM works as follows: after validating the token, it uses the client id value in the JWT to find the mapped dev portal application. Then it checks whether there is a valid subscription to the API using that application. In this case, this step is failing due to a missing valid subscription. We probably have to revisit this section and modify the content.

    Instead of using this method, I would suggest exchanging your external JWT for a JWT recognized by APIM using the JWT bearer grant type. This is a blog post I have written on doing this using an external JWT. Also, the official document has an example using WSO2 IS (see this).
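The answer above says the gateway first validates the token and then looks up a Dev Portal application by the client id carried in the JWT. A quick way to see what the gateway is working with is to decode the external token yourself and check the two things the question cares about (signature and exp) plus the client-identifying claim. The following is an added example, not code from the question, the answer or WSO2 AM. The sample token, the HS256 secret and the choice of `azp` / `client_id` as the client-id claim are constructed assumptions; a real external provider will usually sign with RS256 and publish its keys at a JWKS URL, and which claim APIM treats as the consumer key depends on your APIM configuration.

```python
"""Decode and sanity-check an external JWT before handing it to the APIM gateway.

Added example (not from the question, the answer, or WSO2 AM's own code).
It verifies the HS256 signature and the exp claim, then extracts the claim
that identifies the OAuth client so it can be compared with the consumer key
of the Dev Portal application that holds the API subscription.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret standing in for the external provider's signing key.
SECRET = b"constructed-example-secret"

# Constructed assumption: claims that may carry the client id. Check your
# APIM configuration for the claim it actually maps to the consumer key.
CLIENT_ID_CLAIMS = ("azp", "client_id")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS; used only to construct sample tokens here."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return {'valid', 'reason', 'claims', 'client_id'} for the given token.

    Signature is checked before any claim is trusted; alg is pinned to HS256
    so an attacker-supplied 'none' header is rejected.
    """
    now = int(time.time()) if now is None else now
    result = {"valid": False, "reason": "", "claims": {}, "client_id": None}

    parts = token.split(".")
    if len(parts) != 3:
        result["reason"] = "not a compact JWS"
        return result
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        result["reason"] = "unexpected alg %r" % header.get("alg")
        return result

    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        result["reason"] = "bad signature"
        return result

    claims = json.loads(b64url_decode(payload_b64))
    result["claims"] = claims
    # The value APIM would use to find the mapped Dev Portal application.
    result["client_id"] = next(
        (claims[c] for c in CLIENT_ID_CLAIMS if c in claims), None
    )

    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        result["reason"] = "expired or missing exp"
        return result

    result["valid"] = True
    result["reason"] = "ok"
    return result


if __name__ == "__main__":
    # Constructed sample token from a hypothetical external provider.
    sample = make_hs256_jwt(
        {"iss": "https://idp.example", "sub": "alice", "azp": "spa-client", "exp": 2000},
        SECRET,
    )
    print(json.dumps(inspect_jwt(sample, SECRET, now=1000), indent=2))
```

If the token validates but `client_id` is `None`, or does not match the consumer key of any subscribed Dev Portal application, a 900908 from the gateway is the expected outcome regardless of how the signature check is configured.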