Friday, June 6, 2014

Twitter Authenticator for WSO2 Identity Server 5.0.0

If you have already used http://wso2.com/products/identity-server/ you knows that it allows us to use custom authenticators. Also it comes with several authenticators which are built in. For a example Facebook, Google, OpenID, SAML are such authenticators. Here in my application there was requirement to authenticate users via Twitter. Thus I used the capability of WSO2 Identity Server which is configured to provide SAML login to my application. In the SAML SSO scenario my users can choose Twitter as there authentication option. To do that I had to write my own authenticator.


To understand the authtication logic form Twitter API side you need to look at,

https://dev.twitter.com/docs/browser-sign-flow
https://dev.twitter.com/docs/auth/implementing-sign-twitter

Also to do these in Java there is a solid library called twitter4j. You need to look at Code Examples of Sign in with Twitter.

At the point which I did this, there were no documentation provided to do this.Using the knowledge I gathered in my internship @ WSO2 and after getting some ideas from experts, I was able to write my authenticator. I had looked at the WSO2 Identity Server code base to see how other authenticators are written.

I will start with the structure of a authenticator pom.xml. Authenticators are OSGi bundles. So the pom.xml looks like this and you can find the dependencies for the project. Other than the twitter4j dependency other dependencies are mandatory.
<?xml version="1.0" encoding="utf-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <groupId>org.emojot</groupId>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>authenticator-twitter</artifactId>
    <packaging>bundle</packaging>
    <version>1.0.0</version>

    <dependencies>

        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.logging</artifactId>
            <version>4.2.0</version>
        </dependency>

        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
            <version>4.2.2</version>
        </dependency>

        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.ui</artifactId>
            <version>4.2.0</version>
        </dependency>

        <dependency>
            <groupId>org.apache.amber.wso2</groupId>
            <artifactId>amber</artifactId>
            <version>0.22.1358727.wso2v4</version>
        </dependency>

        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.identity.application.common</artifactId>
            <version>4.2.0</version>
        </dependency>

        <dependency>
            <groupId>org.twitter4j</groupId>
            <artifactId>twitter4j-core</artifactId>
            <version>[4.0,)</version>
        </dependency>
    </dependencies>

    <repositories>
        <repository>
            <id>wso2-nexus</id>
            <name>WSO2 Internal Repository</name>
            <url>http://maven.wso2.org/nexus/content/groups/wso2-public/</url>
            <releases>
                <enabled>true</enabled>
                <updatePolicy>daily</updatePolicy>
                <checksumPolicy>ignore</checksumPolicy>
            </releases>
        </repository>
        <repository>
            <id>twitter4j.org</id>
            <name>twitter4j.org Repository</name>
            <url>http://twitter4j.org/maven2</url>
            <releases>
                <enabled>true</enabled>
            </releases>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
    </repositories>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-scr-plugin</artifactId>
                <version>1.7.4</version>
                <executions>
                    <execution>
                        <id>generate-scr-scrdescriptor</id>
                        <goals>
                            <goal>scr</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-bundle-plugin</artifactId>
                <extensions>true</extensions>
                <configuration>
                    <instructions>
                        <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
                        <Bundle-Name>${project.artifactId}</Bundle-Name>
                        <Private-Package>org.emojot.authenticator.twitter.internal</Private-Package>
                        <Import-Package>org.twitter4j.*;
                            version="[4.0,)",
                            org.apache.axis2.*;
                            version="[1.6.1.wso2v1, 1.7.0)",
                            org.apache.axiom.*;
                            version="[1.2.11.wso2v2, 1.3.0)",
                            org.wso2.carbon.ui.*,
                            org.apache.commons.logging.*; version="1.0.4",
                            org.osgi.framework,
                            org.wso2.carbon.identity.application.authentication.framework.*,
                            javax.servlet;version="[2.6.0,3.0.0)",
                            javax.servlet.http;version="[2.6.0,3.0.0)",
                            *;resolution:=optional
                        </Import-Package>
                        <Export-Package>!org.emojot.authenticator.twitter.internal,
                            org.emojot.authenticator.twitter.*
                        </Export-Package>
                        <DynamicImport-Package>*</DynamicImport-Package>
                    </instructions>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
Since your project is a OSGi bundle you need add this class to define bundle activate method and deactivate method.
package org.emojot.authenticator.twitter.internal;

import java.util.Hashtable;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
import org.emojot.authenticator.twitter.TwitterAuthenticator;

/**
 * @scr.component name="authenticator.twitter" immediate="true"
 */

public class TwitterAuthenticatorServiceComponent {

    private static final Log LOGGER = LogFactory.getLog(TwitterAuthenticatorServiceComponent.class);

    protected void activate(ComponentContext ctxt) {
        try {
            TwitterAuthenticator twitterAuthenticator = new TwitterAuthenticator();
            Hashtable<String, String> props = new Hashtable<String, String>()
            ctxt.getBundleContext().registerService(ApplicationAuthenticator.class.getName(),twitterAuthenticator, props); 

            LOGGER.info("----Twitter Authenticator bundle is activated----");

        } catch (Throwable e) {
            LOGGER.fatal("----Error while activating Twitter authenticator----", e);
        }
    }

    protected void deactivate(ComponentContext ctxt) {
        LOGGER.info("----Twitter Authenticator bundle is deactivated----");
    }
}
After adding these to you project you are in a position to write your authenticator. Authenticators are defined by extending AbstractApplicationAuthenticator class and implementing    FederatedApplicationAuthenticator interface. The important methods in these two are,
  • public String getName()
  • public String getFriendlyName()
  • public String getContextIdentifier(HttpServletRequest request) - Returns a uniquer identifier which will map the authentication request and the response. The value return by the invocation of authentication request and the response should be the same.
  • public boolean canHandle(HttpServletRequest request) - Tells whether this authenticator can handle the authentication response.
  • protected void initiateAuthenticationRequest(HttpServletRequest request,HttpServletResponse response, AuthenticationContext context) 
  • protected void processAuthenticationResponse(HttpServletRequest request,HttpServletResponse response, AuthenticationContext context)
I have implemented the canHandle() method like this. When Twitter sends the OAuth response it will sends parameters oauth_token,oauth_verifier in the request. Than is a notification to identify that this response can be handled by the authenticator.

    public boolean canHandle(HttpServletRequest request) {
        if (request.getParameter("oauth_token")!=null && request.getParameter("oauth_verifier")!=null) {
            return true;
        }
        return false;
    }

For each authentication request which comes to IS, there is unique value comes as a parameter. That is sessionDataKey. I stored that in the Twitter authentication redirection session to facilitate the requirement of  getContextIdentifier gives same value for authentication request and its response.

    public String getContextIdentifier(HttpServletRequest request) {
        if(request.getSession().getAttribute("contextIdentifier")==null){ 
            request.getSession().setAttribute("contextIdentifier",request.getParameter("sessionDataKey"));
            return request.getParameter("sessionDataKey");
        }else{
            return (String) request.getSession().getAttribute("contextIdentifier");
        }
    } 

I have implemented the initiateAuthenticationRequest method and processAuthenticationResponse method as follows,
     protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException {       

        String apiKey= resourceBundle.getString("API_Key");
        String apiSecret= resourceBundle.getString("API_Secret");

        Twitter twitter = new TwitterFactory().getInstance();
        twitter.setOAuthConsumer(apiKey, apiSecret);
       
        try {
            String callbackURL = resourceBundle.getString("Call_Back_URL");
            RequestToken requestToken = twitter.getOAuthRequestToken(callbackURL.toString());
            request.getSession().setAttribute("requestToken",requestToken);
            request.getSession().setAttribute("twitter",twitter);
            response.sendRedirect(requestToken.getAuthenticationURL());

        } catch (TwitterException e) {
            LOGGER.error("Exception while sending to the Twitter login page.", e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        } catch (IOException e) {
            LOGGER.error("Exception while sending to the Twitter login page.", e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
        return;
    }

    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException {
        Twitter twitter = (Twitter) request.getSession().getAttribute("twitter");
        RequestToken requestToken = (RequestToken) request.getSession().getAttribute("requestToken");
        String verifier = request.getParameter("oauth_verifier");
        try {
            AccessToken token=twitter.getOAuthAccessToken(requestToken, verifier);
            request.getSession().removeAttribute("requestToken");
            User user= twitter.verifyCredentials();
            buildClaims(user,context);
        } catch (TwitterException e) {
            LOGGER.error("Exception while obtaining OAuth token form Twitter", e);
            throw new AuthenticationFailedException("Exception while obtaining OAuth token form Twitter",e);
        }
    }

    public void buildClaims(User user, AuthenticationContext context) {

            context.setSubject(String.valueOf(user.getId()));
            Map<ClaimMapping, String> claims = new HashMap<ClaimMapping, String>();
            claims.put(ClaimMapping.build("name", "name", null,false), user.getName());
            claims.put(ClaimMapping.build("screen_name", "screen_name", null,false), user.getScreenName());
            claims.put(ClaimMapping.build("url", "url", null,false), user.getURL());

            context.setSubjectAttributes(claims);
    }
The buildClaims method save the retrieved user attributes to the authenticated context in IS. That is need to map the claims to built in claims of IS.

After implementing these methods you can build your bundle. After building it you have to put that in to IS_Home/repository/components/dropins folder. After restarting this you can use the Twitter authenticator in IS.

Sunday, June 1, 2014

WSO2 CEP Custom Output Event Adapter for MongoDB

WSO2 CEP uses output adapters to send event from the CEP. We can write our own adapters to support our own output formats. That process is described in https://docs.wso2.org/display/CEP310/Writing+Custom+Event+Adaptors.

I am going to share my own implementation of a Output Event Adapter which uses to store event in a MongoDB database. The code is,

package org.emojot.cep.output.adaptor.mongodb;

import com.mongodb.*;
import com.mongodb.util.JSON;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.emojot.cep.output.adaptor.mongodb.internal.util.EmojotMongoDBEventAdaptorConstants;
import org.json.JSONException;
import org.json.JSONObject;
import org.wso2.carbon.event.output.adaptor.core.AbstractOutputEventAdaptor;
import org.wso2.carbon.event.output.adaptor.core.MessageType;
import org.wso2.carbon.event.output.adaptor.core.Property;
import org.wso2.carbon.event.output.adaptor.core.config.OutputEventAdaptorConfiguration;
import org.wso2.carbon.event.output.adaptor.core.message.config.OutputEventAdaptorMessageConfiguration;

import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;

public final class EmojotMongoDBEventAdaptorType extends AbstractOutputEventAdaptor {


    private static final Log log = LogFactory.getLog(EmojotMongoDBEventAdaptorType.class);
    private ResourceBundle resourceBundle;
    private List<Property> adaptorPropertyList;
    private List<Property> outputMessagePropertyList;
    private List<String> messageTypes;


    @Override
    protected String getName() {
        return EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_TYPE_EmojotMongoDB;
    }

    @Override
    protected List<String> getSupportedOutputMessageTypes() {
        return messageTypes;
    }

    @Override
    protected void init() {
        this.resourceBundle = ResourceBundle.getBundle("org.emojot.cep.output.adaptor.mongodb.i18n.Resources", Locale.getDefault());

        adaptorPropertyList = new ArrayList<Property>();
        outputMessagePropertyList = new ArrayList<Property>();
        messageTypes = new ArrayList<String>();


        Property property1 = new Property(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD1);
        property1.setDisplayName(
                resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD1));
        property1.setRequired(true);
        property1.setHint(resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD1_HINT));
        this.adaptorPropertyList.add(property1);

        Property property2 = new Property(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD2);
        property2.setDisplayName(
                resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD2));
        property2.setRequired(true);
        property2.setHint(resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD2_HINT));
        this.adaptorPropertyList.add(property2);

        Property property3 = new Property(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD3);
        property3.setDisplayName(
                resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD3));
        property3.setRequired(true);
        property3.setHint(resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD3_HINT));
        this.adaptorPropertyList.add(property3);


        Property message_property1 = new Property(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_Message_CONF_FIELD1);
        message_property1.setDisplayName(
                resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_Message_CONF_FIELD1));
        message_property1.setRequired(true);
        message_property1.setHint(resourceBundle.getString(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_Message_CONF_FIELD1_HINT));
        this.outputMessagePropertyList.add(message_property1);

        this.messageTypes.add(MessageType.JSON);

    }

    @Override
    protected List<Property> getOutputAdaptorProperties() {
        return  this.adaptorPropertyList;
    }

    @Override
    protected List<Property> getOutputMessageProperties() {
        return  this.outputMessagePropertyList;
    }

    @Override
    public void publish(
            OutputEventAdaptorMessageConfiguration outputEventAdaptorMessageConfiguration,
            Object o, OutputEventAdaptorConfiguration outputEventAdaptorConfiguration,
            int tenantId) {


        String mongodbIPAddress=outputEventAdaptorConfiguration.getOutputProperties().get(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD1);
        String mongodbPort=outputEventAdaptorConfiguration.getOutputProperties().get(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD2);
        String mongodbDatabase=outputEventAdaptorConfiguration.getOutputProperties().get(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_CONF_FIELD3);

        String mongodbCollection=outputEventAdaptorMessageConfiguration.getOutputMessageProperties().get(EmojotMongoDBEventAdaptorConstants.EVENT_ADAPTOR_Message_CONF_FIELD1);

        log.info("Configurations -"+mongodbIPAddress+":"+mongodbPort+":"+mongodbDatabase+":"+mongodbCollection);
        log.info("Output -"+o.toString());
        log.info("Output Type-"+o.getClass().getName());

        try {
            MongoClient mongoClient = new MongoClient( mongodbIPAddress, Integer.parseInt(mongodbPort) );
            DB db = mongoClient.getDB( mongodbDatabase );
            DBCollection collection = db.getCollection(mongodbCollection);

            if("java.lang.String".equals(o.getClass().getName())) {
                JSONObject result= new JSONObject(o.toString());
                JSONObject payload=result.getJSONObject("event").getJSONObject("payloadData");

                log.info("Output JSON-"+payload.toString());

                DBObject dbObject = (DBObject)JSON.parse(payload.toString());
                collection.insert(dbObject);
            }
            else{
                log.error("Output Event is not in Correct Type");
            }

        } catch (UnknownHostException e) {
            log.error("Error Opening Connection to Mongodb Database" + e.toString());
        } catch (JSONException e) {
            log.error("Error Parsing JSON Result" + e.toString());
        }
    }

    @Override
    public void testConnection(
            OutputEventAdaptorConfiguration outputEventAdaptorConfiguration, int tenantId) {
        //To change body of implemented methods use File | Settings | File Templates.
    }
}

Solving Cross Origin Issue for APIs hosted in WSO2 API Manager

When you publish a API using WSO2 API Manager it creates this kind of API configuration in built in service bus.

<api name="admin--Example_Rest_API" context="/exampleAPI" version="1.0.0" version-type="url">
        <resource methods="POST GET DELETE OPTIONS PUT" url-mapping="/*">
            <inSequence>
                <property name="POST_TO_URI" value="true" scope="axis2"/>
                <filter source="$ctx:AM_KEY_TYPE" regex="PRODUCTION">
                    <then>
                        <send>
                            <endpoint name="admin--Emojot_Rest_API_APIproductionEndpoint_0">
                                <http uri-template="http://localhost:3000">
                                    <timeout>
                                        <duration>30000</duration>
                                        <responseAction>fault</responseAction>
                                    </timeout>
                                    <suspendOnFailure>
                                        <errorCodes>-1</errorCodes>
                                        <initialDuration>0</initialDuration>
                                        <progressionFactor>1.0</progressionFactor>
                                        <maximumDuration>0</maximumDuration>
                                    </suspendOnFailure>
                                    <markForSuspension>
                                        <errorCodes>-1</errorCodes>
                                    </markForSuspension>
                                </http>
                            </endpoint>
                        </send>
                    </then>
                    <else>
                        <sequence key="_sandbox_key_error_"/>
                    </else>
                </filter>
            </inSequence>
            <outSequence>                
                <send/>
            </outSequence>
        </resource>
        <handlers>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.APIThrottleHandler">
                <property name="id" value="A"/>
                <property name="policyKey" value="gov:/apimgt/applicationdata/tiers.xml"/>
            </handler>
            <handler class="org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageHandler"/>
            <handler class="org.wso2.carbon.apimgt.usage.publisher.APIMgtGoogleAnalyticsTrackingHandler"/>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
        </handlers>
    </api>

If you need to allow cross origin access to this API you can dd these properties to the out sequence of the API.

 <property name="Access-Control-Request-Headers" value="authorization,content-type" scope="transport"/>
 <property name="Access-Control-Allow-Headers" value="authorization,Access-Control-Allow-Origin,Content-Type" scope="transport"/>
 <property name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" scope="transport"/>
 <property name="Access-Control-Allow-Origin" value="IP address or wild car query(*)" scope="transport"/>

  
Also you need to set the same headers at the backend API. But the IP address should be the API Managers API address. Because its calling the API.

            

Getting User Attributes in SAML2 Bearer Assertion Profile for OAuth 2.0 using JWT Token Generation

We can configure WSO2 API Manager to send user attributes to backend API, if the internal users of API Manager consumes the API using obtained OAuth token. That process is described in https://docs.wso2.org/display/AM170/Passing+Enduser+attributes+to+the+Backend+Using+JWT. JSON Web Token(JWT) tokens are used in this.

But when users get OAuth token using SAML2 Bearer Assertion Profile for OAuth 2.0 how can we do that? What we need to do is share the user store with IS as well as API Manger. That kind of a architecture is given below.


JAVA client to SAML2 Bearer Assertion Profile for OAuth 2.0

In SAML2 Bearer Assertion Profile for OAuth 2.0 user can get a SAML token from WSO2 Identity Server by authenticating. After that user can give that SAML token to WSO2 API Manger to get an OAuth token without going for authentication.I am giving you a JAVA client to exchange SAML token to OAuth token.

import org.example.webUI.Config;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.HashMap;

public class OAuthUtil {

    public static String exchangeSAMLTokenToOauth(String responseMessage) throws ConfigurationException, ParserConfigurationException, IOException, SAXException, UnmarshallingException {

        DefaultBootstrap.bootstrap();

        byte[] decoded = Base64.decode(responseMessage);

        ByteArrayInputStream is = new ByteArrayInputStream(decoded);

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setNamespaceAware(true);
        DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();

        Document document = docBuilder.parse(is);
        Element element = document.getDocumentElement();

        UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
        Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
        XMLObject responseXmlObj = unmarshaller.unmarshall(element);

        Response responseObj = (Response) responseXmlObj;


        // Get the SAML2 Assertion part from the response
        StringWriter rspWrt = new StringWriter();
        XMLHelper.writeNode(responseObj.getAssertions().get(0).getDOM(), rspWrt);
        String requestMessage = rspWrt.toString();

        // Get the Base64 encoded string of the message
        // Then Get it prepared to send it over HTTP protocol
        String encodedRequestMessage = Base64.encodeBytes(requestMessage.getBytes(), Base64.DONT_BREAK_LINES);
        String enc_rslt = URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();

        //Create connection to the Token endpoint of API manger
        URL url = new URL(Config.apiMangerOAuthURL);

        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        String userCredentials = Config.apiMangerClientID+":"+Config.apiMangerClientSecret;
        String basicAuth = "Basic " + new String(Base64.encodeBytes(userCredentials.getBytes()));
        basicAuth = basicAuth.replaceAll("\\r|\\n", "");

        // Set the consumer-key and Consumer-secret
        connection.setRequestProperty("Authorization", basicAuth);
        connection.setUseCaches(false);
        connection.setDoInput(true);
        connection.setDoOutput(true);

        //Send request
        DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
        wr.writeBytes("grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=" + enc_rslt + "&scope=PRODUCTION");
        wr.flush();
        wr.close();

        //Get Response
        InputStream iss = connection.getInputStream();
        BufferedReader rd = new BufferedReader(new InputStreamReader(iss));

        String line;
        StringBuffer responseString = new StringBuffer();
        while ((line = rd.readLine()) != null) {
            responseString.append(line);
            responseString.append('\r');
        }

        rd.close();
        return responseString.toString();
    }

    public static boolean revokeToken(Token token) throws IOException {
        //Create connection to the Token endpoint of API manger
        URL url = new URL(Config.apiMangerOAuthRevokeURL);

        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");

        String userCredentials = Config.apiMangerClientID+":"+Config.apiMangerClientSecret;
        String basicAuth = "Basic " + new String(Base64.encodeBytes(userCredentials.getBytes()));
        basicAuth = basicAuth.replaceAll("\\r|\\n", "");

        // Set the consumer-key and Consumer-secret
        connection.setRequestProperty("Authorization", basicAuth);
        connection.setUseCaches(false);
        connection.setDoInput(true);
        connection.setDoOutput(true);

        //Send request
        DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
        wr.writeBytes("token="+token.getAccess_token());
        wr.flush();
        wr.close();

        //Get Response
        InputStream iss = connection.getInputStream();
        BufferedReader rd = new BufferedReader(new InputStreamReader(iss));

        String line;
        StringBuffer responseString = new StringBuffer();
        while ((line = rd.readLine()) != null) {
            responseString.append(line);
            responseString.append('\r');
        }

        rd.close();

        System.out.println("Revoking Token -"+token.getAccess_token());
        System.out.println("Revoking Response -"+responseString.toString());

        return true
                ;
    }
}

The related token class is this,

public class Token {
    private String access_token,refresh_token,expires_in,token_type;

    public Token(String access_token, String refresh_token, String expires_in, String token_type) {
        this.access_token = access_token;
        this.refresh_token = refresh_token;
        this.expires_in = expires_in;
        this.token_type = token_type;
    }

    public String getRefresh_token() {
        return refresh_token;
    }

    public void setRefresh_token(String refresh_token) {
        this.refresh_token = refresh_token;
    }

    public String getAccess_token() {
        return access_token;
    }

    public void setAccess_token(String access_token) {
        this.access_token = access_token;
    }

    public String getExpires_in() {
        return expires_in;
    }

    public void setExpires_in(String expires_in) {
        this.expires_in = expires_in;
    }

    public String getToken_type() {
        return token_type;
    }

    public void setToken_type(String token_type) {
        this.token_type = token_type;
    }
}
Hope this helped you! 

SAML2 Bearer Assertion Profile for OAuth 2.0 with WSO2 Identity Server 5.0.0 and WSO2 API Manger 1.7.0

WSO2 product stack supports SAML2 Bearer Assertion Profile for OAuth 2.0. You can find lot of details about it in https://docs.wso2.org/display/IS460/SAML2+Bearer+Assertion+Profile+for+OAuth+2.0. What happens in here actually is a user can get a SAML token from WSO2 Identity Server by authenticating. After that user can give that SAML token to API Manger to get an OAuth token without going for authentication. To do that WSO2 Identity Server have to be a trusted identity provider for WSO2 API Manager. I will explain how to do it in these products.

You need,
Here a sample web application is using SAML SSO to authenticate it's users using  WSO2 Identity Server  and use SAML2 Bearer Assertion Profile to get OAuth token from WSO2 API Manager. Those tokens are used to query a REST API published in API Manager.

To understand this more I will expalin the flow,
  • When a user access the sample web application using this kind of urls http://example.com/mobile, they will be redirected to WSO2 Identity Server authentication page.
  • When users authenticate them self in the login UI WSO2 Identity Server will redirect the request back to web application with a SAML response like this,
<?xml version="1.0" encoding="UTF-8"?> 
<saml2:Assertion xmlns:saml2="urn:oasis:names: tc:SAML:2.0:assertion" ID="hnpnedgkgdbhinomeabplbjdnhlffjbbckodpkhl" IssueInstant="2014-05-31T15:41:03.665Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#hnpnedgkgdbhinomeabplbjdnhlffjbbckodpkhl">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>KaUzRnwIJfhVboyWpcgg555ea0Y=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            L3jOrttx7+Vb6iBnDV6hu4GRoGDX6k1U2Z+C7XLh7+jgvq53/N7Ro0rY4d4GiJJb5gOcAg3f8qt+gKQbAvcjvbJCRW1x4GFZ0au4iqZUSbHOPYPiIT4mYzxrmZg+cynVN+mrJCEEFdhFaP/3yPITeeapP9Yqp3QvtnbRC6s8ejk=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBg
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">demo</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2014-05-31T15:46:03.664Z" Recipient="http://example.com/mobile/mobile.jsp"/>
        </saml2:SubjectConfirmation>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2014-05-31T15:46:03.664Z" Recipient="https://IP:9448/oauth2/token"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-05-31T15:41:03.665Z" NotOnOrAfter="2014-05-31T15:46:03.664Z"
        <saml2:AudienceRestriction>
            <saml2:Audience>exampleMobile</saml2:Audience>             
	    <saml2:Audience>https://IP:9448/oauth2/token</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2014-05-31T15:41:03.665Z" SessionIndex="57c87332-97f2-4fe1-bb70-326c0e59fd36">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute Name="http://wso2.org/claims/role"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">company_admin,Internal/everyone</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="http://wso2.org/claims/organization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">5386e408b35805c8649e08b8</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion> 
  • By giving this to OAuth token endpoint of API Manger we can get a OAuth token like this,
{"token_type":"bearer","expires_in":3600,"refresh_token":"b75d83e892994882abf3c19cea4db4a2","access_token":"51ee8f8f417f944a4d9c787adc6c260"}
To get this done we need to configure like this,

Step 1 - Start the Identity Server and go to Main Tab > Identity > Service Providers >Add

Enter a Service Provider Name and click Register,


Step 2 - In the next UI select Inbound Authentication Configuration > SAML2 Web SSO Configuration >  Configure

Step 3 - Fill the Like below. Assertion consumer url will be the web application url which will IS sends the SAML response. Give the API Manager's OAuth token url as audience restriction as well as recipient restriction. Also check Enable Attribute Profile to get user attributes with SAML response. And click register.


Step 4 - In the next UI select Claim Configuration > Requested Claims > Add Claim URI. Add the user claims which you need to get it with SAML response to the web application.

Step 5 - Click the Update button to save the Service Provider.

Now the SAML SSO configuration from Identity Server side is done. The web application can be configured using the SAML SSO servlet filter given by the Identity Server it self. That will check user's authentication and will redirect to IS and will process responses form IS. You can find more about that by looking at the code given in https://docs.wso2.org/display/IS500/Configuring+SAML2+SSO.

Now we need to configure API Manger side.
 
Step 1 - Start the API Manger and go to Main Tab > Identity > Identity Providers >Add

Give a Identity Provider Name and  You can keep Alias empty. Also you need to upload the public certificate of Identity Server. You can get it by executing following command in WSO2 IS Home/repository/resources/security/. Then public certificate will be saved in wso2pem.pem file.
keytool -export -alias wso2carbon -file wso2pem.pem -keystore wso2carbon.jks
Then click on Federated Authenticators tab.
Step 2 - In that UI click on SAML2 Web SSO Configuration

In that you need to give the Issuer ID of the SAML config in IS side ad Identity Provider Entity Id.

Step 3 - And then click register.

Now you are ready to go. All the configurations which need to do SAML 2 Bearer Assertion Profile is done. You can use these articles to setup a OAuth application in API Manger to consume APIs.
After doing that follow the steps given in Invoking Token API to generate tokens section of this article. https://docs.wso2.org/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2%28SAMLextensiongranttype%29. By doing that you can get a OAuth token as above.

How to configure LDAP with WSO2 Identity Server with SCIM support - The easy way

If you want to setup your user store in a LDAP and want to integrate it with WSO2 Identity Server which support SCIM operations, you need to do claim mapping as described in this post http://sureshatt.blogspot.com/2013/06/scim-user-provisioning-with-wso2.html. But if you are going to support lot of user attributes in your user store and complex user operations with SCIM, this mapping and configuration will be a headache for you.

Thus I will show you a easy way to setup your own LDAP and WSO2 Identity Server to support all these. I am using the configurations in built in LDAP of WSO2 Identity Server.

What you need,
As  you know the attributes assigned to LDAP users are defined in object classes of LDAP. If you want to add more attributes, You need to add your own object classes. You can find mroe details about those in these articles,

http://hasini-gunasinghe.blogspot.com/2011/02/how-to-introduce-custom-attributes-to.html
http://hasini-gunasinghe.blogspot.com/2011/04/how-to-introduce-custom-object-class-to.html

After adding these classes you need do lot of mapping to integrate LDAP with SCIM and other complex operation support in WSO2 Identity Server. Believe me its hectic. So what we can do? What we can do is setting up our LDAP with the built in LDAP object classes of WSO2 Identity Server. Those classes define the necessary attributes to support complex operation like SCIM etc. You can find these classes here,
You can import to these classes to your ApacheDS LDAP using  Apache Directory Studio. In the 'LDAP Browser' window in Apache Directory Studio, Right click on the 'ou=schema' context entry, select 'Import->LDIF Import' and point to above files and import them.After that your LDAP will support all the user attributes as we see in built in LDAP of WSO2 Identity Server.

After that integrate the LDAP to WSO2 Identity Server by changing user-mgt.xml in WSO2 Identity Server Home/repository/conf. You have to use the read-write ldap mode like this,

        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
            <Property name="ConnectionURL">ldap://IP:10389</Property>
            <Property name="Disabled">false</Property>                       
            <Property name="ConnectionName">uid=admin,ou=system</Property>
            <Property name="ConnectionPassword">your_password</Property>
            <Property name="passwordHashMethod">PLAIN_TEXT</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserEntryObjectClass">identityPerson</Property>
            <Property name="UserSearchBase">ou=Users,dc=example,dc=com</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
            <Property name="UserNameAttribute">uid</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">true</Property>
            <Property name="EmptyRolesAllowed">false</Property>
            <Property name="GroupSearchBase">ou=Groups,dc=example,dc=com</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="GroupEntryObjectClass">groupOfNames</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=? </Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="SharedGroupNameAttribute">cn</Property>
            <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=example,dc=com</Property>
            <Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
            <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="SharedGroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
            <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
            <Property name="SharedTenantNameAttribute">ou</Property>
            <Property name="SharedTenantObjectClass">organizationalUnit</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="SCIMEnabled">true</Property>
        </UserStoreManager>



Also you need to create a admin user in your user search base. That is to log in to the management console. To understand more about the internal LDAP of WSO2 Identity Server you can connect to it via Apache Directory Studio. You can refer,

http://stackoverflow.com/questions/22494921/wso2-identity-server-ldap-browsing
http://stackoverflow.com/questions/11841761/browsing-internal-ldap-of-wso2-identity-server

Hope this helps you to setup your user store easily.

How to send a custom HTTP header to backend through WSO2 API Manager

When you publish a API using WSO2 API Manager it creates this kind of API configuration in built in service bus.

<api name="admin--Example_Rest_API" context="/exampleAPI" version="1.0.0" version-type="url">
        <resource methods="POST GET DELETE OPTIONS PUT" url-mapping="/*">
            <inSequence>
                <property name="POST_TO_URI" value="true" scope="axis2"/>
                <filter source="$ctx:AM_KEY_TYPE" regex="PRODUCTION">
                    <then>
                        <send>
                            <endpoint name="admin--Emojot_Rest_API_APIproductionEndpoint_0">
                                <http uri-template="http://localhost:3000">
                                    <timeout>
                                        <duration>30000</duration>
                                        <responseAction>fault</responseAction>
                                    </timeout>
                                    <suspendOnFailure>
                                        <errorCodes>-1</errorCodes>
                                        <initialDuration>0</initialDuration>
                                        <progressionFactor>1.0</progressionFactor>
                                        <maximumDuration>0</maximumDuration>
                                    </suspendOnFailure>
                                    <markForSuspension>
                                        <errorCodes>-1</errorCodes>
                                    </markForSuspension>
                                </http>
                            </endpoint>
                        </send>
                    </then>
                    <else>
                        <sequence key="_sandbox_key_error_"/>
                    </else>
                </filter>
            </inSequence>
            <outSequence>                
                <send/>
            </outSequence>
        </resource>
        <handlers>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.APIThrottleHandler">
                <property name="id" value="A"/>
                <property name="policyKey" value="gov:/apimgt/applicationdata/tiers.xml"/>
            </handler>
            <handler class="org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageHandler"/>
            <handler class="org.wso2.carbon.apimgt.usage.publisher.APIMgtGoogleAnalyticsTrackingHandler"/>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
        </handlers>
    </api>

When you want to send a custom HTTP header in the API request, you need to add this property to the out sequence of API. customHeader is the name of the header.

 <property name="Access-Control-Allow-Headers" value="customHeader,authorization,Access-Control-Allow-Origin,Content-Type" scope="transport"/>