A secured endpoint is a backend endpoint whose resources are access-protected. WSO2 API Manager
supports Basic Authentication, Digest Authentication, and OAuth 2.0 for such endpoints. They differ in
how the credentials are communicated and how access is granted by the backend
server.
OAuth 2.0 is the industry-standard delegation protocol for authorization and focuses on
client developer simplicity while providing specific authorization flows for applications.
In other words, OAuth 2.0 enables an application to obtain limited access to an HTTP
service without revealing a resource owner's long-term credentials or identity.
OAuth brings in a separate authorization layer in order to separate the role of the client
from that of the resource owner. In order to gain access to a protected resource, the
client obtains from the backend server a set of properties (an access token, its lifetime, and
its scope) instead of the credentials of the resource owner.
1. Client Credentials
https://apim.docs.wso2.com/en/latest/design/endpoints/endpoint-security/oauth-2.0/ Page 1 of 9
Secure Endpoint with OAuth 2.0 - WSO2 API Manager Documentation 4.0.0 26/11/21 16:06
Follow the instructions below to use OAuth 2.0 as the endpoint authorization type when
using a secured endpoint and allow WSO2 API Manager to communicate with the
backend to retrieve access tokens on behalf of the API.
2. Click the Endpoint Security symbol that corresponds to the endpoint that you want
to secure with OAuth 2.0.
[https://apim.docs.wso2.com/en/4.0.0/assets/img/learn/endpoint-security-symbol.png]
[https://apim.docs.wso2.com/en/4.0.0/assets/img/learn/oauth-2-dropdown.png]
4. Select the preferred grant-type from the next drop-down menu and enter the
required properties.
Token URL: This is the URL for the token endpoint of the OAuth-protected backend server.
Client Secret: A unique key that must be known only to the application and the backend server.
b. Provide the following properties with regard to the Resource Owner Password in
addition to the properties that you entered as the Client Credentials grant-type:
[https://apim.docs.wso2.com/en/4.0.0/assets/img/learn/resource-owner-password-config.png]
[https://apim.docs.wso2.com/en/4.0.0/assets/img/learn/oauth-2-add-parameter.png]
5. Click Submit to confirm the details of the respective endpoint, and then click Save
and deploy in the Endpoints page to save all the changes.
[https://apim.docs.wso2.com/en/4.0.0/assets/img/learn/oauth-2-submit-button.png]
[https://apim.docs.wso2.com/en/4.0.0/assets/img/design/endpoints/endpoint-security/endpoints-save-button.png]
Info: The Endpoint Auth Type selected should match the authentication mechanism supported by
the secured endpoint.
OAuth 2.0 Endpoint Security in WSO2 API Manager allows you to use a remote Redis
Server as a cache to store access tokens and other relevant properties instead of the
default in-memory cache. This step is highly recommended when your WSO2 API
Manager deployment includes multiple API Gateways, in order to allow the sharing of
access tokens and other relevant properties between API Gateways and prevent the
irregular syncing of access tokens.
Follow the instructions below to point WSO2 API Manager to a remote Redis Server
that you can use as a cache for OAuth 2.0 Endpoint Security token management:
If you are using an unauthenticated Redis server, you should add the following
configuration to the <API-M_HOME>/repository/conf/deployment.toml file.
Format:
[redis_config]
host = {redis-server-hostname}
port = {redis-server-port}
If you are using an authenticated Redis server, you should add the following
configuration to the <API-M_HOME>/repository/conf/deployment.toml file.
Format:
[redis_config]
host = {redis-server-hostname}
port = {redis-server-port}
user = {redis-server-username}
password = {redis-server-password}
database_id = {redis-server-database-id}
connection_timeout = {redis-server-connection-timeout-in-seconds}
ssl = {redis-server-is-ssl-enabled}
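The following added example (not WSO2 code) illustrates what the gateway does for a backend secured with OAuth 2.0: it builds the token request for the Client Credentials or Resource Owner Password grant-type from the Token URL, Client ID and Client Secret properties, and keeps the returned token in a per-endpoint cache until shortly before its lifetime ends. The token URL, client credentials and token response are constructed values; the in-memory dict stands in for the default cache, which the Redis configuration above would replace with a store shared by all API Gateways.

```python
import base64
import time
from urllib.parse import urlencode

# Constructed values for illustration only; not a real backend.
TOKEN_URL = "https://backend.example.com/oauth2/token"
CLIENT_ID = "gateway-client"
CLIENT_SECRET = "gateway-secret"


def build_token_request(grant_type, client_id, client_secret, username=None, password=None):
    """Return (headers, form body) for an RFC 6749 token request to the Token URL.
    Client ID and Client Secret travel in an HTTP Basic Authorization header,
    never in the query string where they would end up in access logs."""
    if grant_type not in ("client_credentials", "password"):
        raise ValueError("unsupported grant type: %s" % grant_type)
    params = {"grant_type": grant_type}
    if grant_type == "password":  # Resource Owner Password adds the owner's credentials
        if not (username and password):
            raise ValueError("resource owner username and password are required")
        params.update(username=username, password=password)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


class TokenCache:
    """Access tokens keyed by token URL with an absolute expiry time.
    SKEW makes the gateway fetch a fresh token slightly before the backend
    would reject the old one, so no request is sent with a token about to expire."""
    SKEW = 30  # seconds

    def __init__(self, clock=time.time):
        self._store = {}      # a shared Redis store would replace this dict
        self._clock = clock   # injectable for deterministic tests

    def put(self, token_url, token_response):
        # token_response is the parsed JSON reply of the token endpoint
        ttl = int(token_response.get("expires_in", 0))
        self._store[token_url] = (token_response["access_token"], self._clock() + ttl)

    def get(self, token_url):
        entry = self._store.get(token_url)
        if entry is None:
            return None
        token, expires_at = entry
        if self._clock() + self.SKEW >= expires_at:
            del self._store[token_url]  # expired: caller must request a new token
            return None
        return token
```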