2. Use Cases
• How to pass authentication information to back-end services?
• How to enrich request/response flows?
• How to react in real time to API event patterns?
• How to extend the authorization of users leveraging WSO2 Identity Server?
3. Passing Auth Information to back-end services
• Using JSON Web Tokens (JWT)
‣ Lightweight
‣ Can be signed
‣ Easy to parse and consume
‣ Standard
5. What are Claims?
• Claims are a set of attributes about a user, mapped to the underlying user store.
• A set of claims is called a dialect.
• Default dialect is: http://wso2.org/claims.
6. Managing Claims
• Default behavior is that all non-null claims will be added to the JWT, for example:
{"http://wso2.org/claims/emailaddress":"isabelle@wso2.com",
 "http://wso2.org/claims/fullname":"Isabelle Mauny",
 "http://wso2.org/claims/givenname":"Isabelle",
 "http://wso2.org/claims/lastname":"Mauny",
 "http://wso2.org/claims/primaryChallengeQuestion":"Product Manager",
 "http://wso2.org/claims/role":"apisubscribers,Internal/identity,Internal/everyone",
 "http://wso2.org/claims/title":"Product Manager"}
• If you want to override this behavior, you need to create your own ClaimsRetriever implementation class.
• You can also use another dialect
‣ Reuse an existing one
‣ Create your own
7. JWT Basic Configuration
• Part of the <APIConsumerAuthentication> node
• The following settings must be set/uncommented in the api-manager.xml file:
‣ <EnableTokenGeneration>true</EnableTokenGeneration>
‣ Token header name: <SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
‣ Signature algorithm: <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
‣ Claims management: <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
‣ Claims dialect: <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
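Added example, not from the original slides or from WSO2: what a back-end service receiving the X-JWT-Assertion header configured above should do before trusting any claim in it, namely verify the SHA256withRSA signature with the gateway's public key, check expiry, and only then read the http://wso2.org/claims dialect (including the comma-separated role claim from the sample payload). The gateway public key is passed in as the RSA integers (n, e), assumed to have been taken from the gateway's certificate; the seconds-based exp claim and the RS256/SHA256withRSA alg header names are assumptions to adjust to what your gateway version emits.

```python
import base64, hashlib, hmac, json, time

# Dialect set in <ConsumerDialectURI>: every user claim in the payload carries this prefix.
DIALECT = "http://wso2.org/claims/"
# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def rsa_sha256_verify(n, e, signing_input, signature):
    """Verify a SHA256withRSA (PKCS#1 v1.5) signature with the gateway public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    pad = b"\xff" * (k - 3 - len(SHA256_DIGESTINFO) - 32)
    expected = b"\x00\x01" + pad + b"\x00" + SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(em, expected)

def verify_assertion(header_value, n, e, now=None):
    """Validate an X-JWT-Assertion value; return its claims with the dialect prefix removed."""
    parts = header_value.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    # The slides configure SHA256withRSA; the standard JWT name for it is RS256 (assumed).
    # Anything else, "none" included, is rejected before the signature is even looked at.
    if header.get("alg") not in ("RS256", "SHA256withRSA"):
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    if not rsa_sha256_verify(n, e, signing_input, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(parts[1]))
    # Assumes a standard seconds-based exp claim; a missing exp is treated as expired.
    now = time.time() if now is None else now
    if now >= payload.get("exp", 0):
        raise ValueError("missing or expired exp")
    claims = {k[len(DIALECT):]: v for k, v in payload.items() if k.startswith(DIALECT)}
    # The role claim is a comma-separated list, as in the sample payload on these slides.
    claims["role"] = claims["role"].split(",") if claims.get("role") else []
    return claims

def has_role(claims, role):
    """Authorization check the back end may make only after verify_assertion succeeded."""
    return role in claims["role"]
```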
8. Enriching API Gateway Flows
• Available as of version 1.5 (in the UI)
• Allows you to use the full power of the mediation engine (from WSO2 ESB) in the API Gateway
13. Extending Authorization
• Leverage Entitlements (XACML) of the underlying WSO2 Identity Server
• Can install the Entitlements features inside APIM 1.5 or use an external Identity Server
16. Additional Features (1.5)
• Publish to Sandbox only
• Use separate gateways for production and sandbox calls
‣ Lets you scale them separately
• Allow an API to be advertised into multiple stores.