Question
I am using WSO2 APIM (2.5.0) and IS (5.6.0). They are both integrated and working well.
Now, if I onboard a third-party API in API Management, I can access it using an OAuth token. But the question is how to handle any external or third-party APIs which have their own authentication.
So basically, using the WSO2 APIM token I can access the onboarded API, but we will not get any response, as the onboarded API has its own authentication (basic or OAuth).
How can this be achieved in APIM?
Any help or guidance will be helpful.
EDIT: Here is the sequence I am using (thanks Bee for the guidance):
<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-token-sequence">
    <!-- login payload is kept in the governance registry, not hard-coded in the sequence -->
    <property name="inputmessage" expression="get-property('registry', 'gov:/Login/msg/inputmessage.json')" scope="default" type="STRING"/>
    <script language="js">
        var payload = mc.getProperty("inputmessage");
        mc.setPayloadJSON(payload);
    </script>
    <header name="Content-Type" scope="transport" value="application/json"/>
    <property name="messageType" value="application/json" scope="axis2" type="STRING" description="messageType"/>
    <!-- stash the resource path so it is not appended to the login URL -->
    <property name="temp" expression="$axis2:REST_URL_POSTFIX"/>
    <property name="REST_URL_POSTFIX" action="remove" scope="axis2"/>
    <property name="DISABLE_CHUNKING" value="true" scope="axis2" type="STRING"/>
    <call blocking="true">
        <endpoint>
            <http uri-template="https://xx.com/auth/login" method="POST" />
        </endpoint>
    </call>
    <!-- take the token from the login response and send it to the backend as a header -->
    <property name="x-access-token" scope="transport" expression="json-eval($.token)"/>
    <!-- restore the resource path for the real backend call -->
    <property name="REST_URL_POSTFIX" scope="axis2" expression="$ctx:temp"/>
</sequence>
This is the in-flow sequence being used for one of the APIs. I am calling the API using the APIM URL with the GET method, passing the APIM bearer token.
Thanks
Answer 1:
WSO2 APIM supports basic auth and digest auth out of the box as backend security schemes.
In addition to that, using custom sequences you can pass any kind of security token to the backend.
For backends with OAuth, you have two options:
(1) Send the backend token as well in the API request (inbound to APIM) and then forward it to the backend.
(2) Use a custom sequence to call the external token API, obtain a new token for the backend, and then forward it to the backend.
<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-token-sequence">
    <!-- stash the resource path so the token call does not append it -->
    <property name="temp" expression="$axis2:REST_URL_POSTFIX"/>
    <property name="REST_URL_POSTFIX" action="remove" scope="axis2"/>
    <call blocking="true">
        <endpoint>
            <http uri-template="https://external_idp.com/token" method="GET" />
        </endpoint>
    </call>
    <!-- pick the token out of the token API's JSON response and forward it as a header -->
    <property name="BackendAuthHeader" scope="transport" expression="json-eval($.tokenresponse.token)"/>
    <!-- restore the resource path for the real backend call -->
    <property name="REST_URL_POSTFIX" scope="axis2" expression="$ctx:temp"/>
</sequence>
I recommend (1) due to its simplicity.
Edit: more about option (1):
If your backend expects a header other than the "Authorization" header, you can simply send that header with your requests and it will be forwarded to the backend.
However, if your backend also expects the "Authorization" header, then there is a conflict, as you can't use the same header to pass two tokens (one for the gateway and one for the backend). To solve that problem, you can use the custom authorization header for gateway feature.
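Option (1) can also be handled entirely in a custom in-sequence, without the custom authorization header feature: the client keeps sending the gateway's bearer token in Authorization and puts the backend's token in a second header, and the sequence moves that header into Authorization for the backend only. The sequence below is an added example and not code from the post or from WSO2; the header name X-Backend-Authorization and the sequence name are chosen for this example.

```xml
<!-- forward-backend-token: added example, not from the original post or from WSO2.
     Assumes the client sends the gateway's token in "Authorization" and the backend's
     token in "X-Backend-Authorization" (a header name chosen for this example). -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="forward-backend-token">
    <filter xpath="boolean($trp:X-Backend-Authorization)">
        <then>
            <!-- The gateway token has already been validated by the APIM handler.
                 Overwrite whatever is in Authorization with the backend credential,
                 so the gateway token is never forwarded to the backend. -->
            <header name="Authorization" scope="transport" expression="$trp:X-Backend-Authorization"/>
            <!-- Do not leak the relay header itself to the backend. -->
            <header name="X-Backend-Authorization" action="remove" scope="transport"/>
        </then>
        <else>
            <!-- Fail closed: answer 401 instead of calling the backend unauthenticated. -->
            <payloadFactory media-type="json">
                <format>{"error":"X-Backend-Authorization header is required"}</format>
                <args/>
            </payloadFactory>
            <property name="messageType" value="application/json" scope="axis2"/>
            <property name="HTTP_SC" value="401" scope="axis2"/>
            <respond/>
        </else>
    </filter>
</sequence>
```

Attach it as the in-sequence of the API. The client-supplied value is forwarded verbatim, so the backend, not the gateway, is still the party that validates it; the gateway only guarantees that its own token is never sent upstream and that requests without a backend credential never reach the backend.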
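For option (2), the fragment above leaves out the parts that matter once the sequence is on a real API: the original body, HTTP method and resource path are overwritten by the token call, the client's headers (including the gateway's own bearer token, if it has not been stripped yet) ride along to the third-party IdP, and a failed token request would let the backend call go out without credentials. The sequence below is an added example, not code from the post or from WSO2. It assumes a hypothetical token endpoint https://external_idp.com/token implementing the OAuth2 client_credentials grant, client credentials stored in the gateway's Secure Vault under the assumed aliases backend.idp.client_id and backend.idp.client_secret (read with the wso2:vault-lookup() function), and a backend that expects "Authorization: Bearer <access_token>".

```xml
<!-- backend-oauth-sequence: added example, not from the original post or from WSO2.
     Assumptions: token endpoint URL, Secure Vault aliases, scope value and the
     Bearer header expected by the backend are all placeholders for this example. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-oauth-sequence">

    <!-- 1. Save everything the token call will overwrite: body, content type,
            HTTP method and the resource path requested by the client. -->
    <enrich>
        <source type="body" clone="true"/>
        <target type="property" property="ORIG_BODY"/>
    </enrich>
    <property name="ORIG_TYPE" expression="$axis2:messageType"/>
    <property name="ORIG_METHOD" expression="$axis2:HTTP_METHOD"/>
    <property name="ORIG_POSTFIX" expression="$axis2:REST_URL_POSTFIX"/>
    <property name="REST_URL_POSTFIX" action="remove" scope="axis2"/>

    <!-- 2. Never send the client's Authorization header (the gateway's bearer token)
            to the third-party IdP; it is replaced below with the IdP's own credential. -->
    <header name="Authorization" action="remove" scope="transport"/>

    <!-- 3. Build the client_credentials request. With messageType set to
            application/x-www-form-urlencoded the child elements of the XML payload
            are serialised as form fields. -->
    <payloadFactory media-type="xml">
        <format>
            <root xmlns="">
                <grant_type>client_credentials</grant_type>
                <scope>backend.read</scope>
            </root>
        </format>
        <args/>
    </payloadFactory>
    <property name="messageType" value="application/x-www-form-urlencoded" scope="axis2"/>
    <!-- Client id/secret come from Secure Vault aliases (assumed names), never from literals. -->
    <property name="IDP_BASIC"
              expression="concat('Basic ', base64Encode(concat(wso2:vault-lookup('backend.idp.client_id'), ':', wso2:vault-lookup('backend.idp.client_secret'))))"/>
    <header name="Authorization" scope="transport" expression="$ctx:IDP_BASIC"/>
    <property name="HTTP_METHOD" value="POST" scope="axis2"/>
    <property name="DISABLE_CHUNKING" value="true" scope="axis2"/>
    <call blocking="true">
        <endpoint>
            <http uri-template="https://external_idp.com/token" method="POST"/>
        </endpoint>
    </call>

    <!-- 4. Fail closed: no access_token in the response means no backend call. -->
    <property name="BACKEND_TOKEN" expression="json-eval($.access_token)"/>
    <filter xpath="string-length($ctx:BACKEND_TOKEN) = 0">
        <then>
            <payloadFactory media-type="json">
                <format>{"error":"backend token request failed"}</format>
                <args/>
            </payloadFactory>
            <property name="messageType" value="application/json" scope="axis2"/>
            <property name="HTTP_SC" value="502" scope="axis2"/>
            <respond/>
        </then>
        <else>
            <!-- 5. Restore the client's request and attach the backend token. -->
            <header name="Authorization" scope="transport" expression="concat('Bearer ', $ctx:BACKEND_TOKEN)"/>
            <enrich>
                <source type="property" property="ORIG_BODY"/>
                <target type="body"/>
            </enrich>
            <property name="messageType" expression="$ctx:ORIG_TYPE" scope="axis2"/>
            <property name="ContentType" expression="$ctx:ORIG_TYPE" scope="axis2"/>
            <property name="HTTP_METHOD" expression="$ctx:ORIG_METHOD" scope="axis2"/>
            <property name="REST_URL_POSTFIX" expression="$ctx:ORIG_POSTFIX" scope="axis2"/>
        </else>
    </filter>
</sequence>
```

As written this makes one round trip to the IdP per API call; in production, cache the token (for example in the registry with an expiry shorter than expires_in) and keep BACKEND_TOKEN and IDP_BASIC out of log mediators, since a log line with either value is as good as the credential itself.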
Source: https://stackoverflow.com/questions/55955337/how-the-external-authentication-handled-in-wso2-apim-for-an-external-third-party