
OAuthAdminService in WSO2 Identity Server 5.0



Admin Services

WSO2 Identity Server exposes SOAP-based services for management purposes. These are known as admin services. You can list all of the admin services in the following way.

Step 1. Start the server with -DosgiConsole.
For Linux and Windows respectively:
> sh wso2server.sh -DosgiConsole
> wso2server.bat -DosgiConsole
Step 2. Once the server has started, type listAdminServices at the OSGi console.
osgi> listAdminServices


OAuthAdminService

There is a SOAP-based admin service called "OAuthAdminService" that exposes methods to retrieve the applications authorized by a given user and to revoke them when the user requires it.

Example use case:
List all the OAuth applications a particular user has approved and revoke each of them if required.

Note:
You have to change the HideAdminServiceWSDLs property in the carbon.xml file before you can access the admin service WSDLs in Carbon products. The default value is true.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
WSDL file:
https://{Hostname}:{port}/services/OAuthAdminService?wsdl



The following methods can be used:

To retrieve authorized apps ==> "getAppsAuthorizedByUser"

To revoke authorized apps ==> "revokeAuthzForAppsByResoureOwner"

When you create a project from the WSDL file, you can test the APIs below using SoapUI.


1. getAllOAuthApplicationData()
- Using this API, all applications related to the particular user are returned.

2. getAllowedGrantTypes()
- Returns all allowed grant types for the particular user.



3. getAppsAuthorizedByUser()

This API retrieves the applications authorized by a particular user; the user name is taken from the credentials. In the following screen, the admin user does not have any authorized applications.




4. revokeAuthzForAppsByResoureOwner()

Using this API, a user can revoke applications by name. According to the request below, the response returned false, because there is no application called "app1" for the given credentials.
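As an added example (not the blog's or WSO2's code), a small Python client drives the two methods above in sequence: it lists the applications the calling user has authorized, then revokes them. The operation namespace, the revokeRequestDTO/apps request elements and the applicationName/error response fields are assumptions to be checked against the WSDL at https://{Hostname}:{port}/services/OAuthAdminService?wsdl; the sample response is constructed, not captured from a server.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OP_NS = "http://org.apache.axis2/xsd"                     # assumed: Axis2 default for admin services
DTO_NS = "http://dto.oauth.identity.carbon.wso2.org/xsd"  # assumed: confirm against the WSDL

def build_get_apps_envelope():
    """getAppsAuthorizedByUser takes no arguments; the user comes from the Basic credentials."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:op="{OP_NS}"><soapenv:Body>'
            "<op:getAppsAuthorizedByUser/></soapenv:Body></soapenv:Envelope>")

def build_revoke_envelope(app_names):
    """revokeAuthzForAppsByResoureOwner: one <apps> element per application name, XML-escaped."""
    apps = "".join(f"<dto:apps>{escape(n)}</dto:apps>" for n in app_names)
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:op="{OP_NS}" xmlns:dto="{DTO_NS}">'
            "<soapenv:Body><op:revokeAuthzForAppsByResoureOwner><op:revokeRequestDTO>"
            f"{apps}</op:revokeRequestDTO></op:revokeAuthzForAppsByResoureOwner>"
            "</soapenv:Body></soapenv:Envelope>")

def parse_authorized_apps(response_xml):
    """Collect <applicationName> values whatever their namespace prefix (Python 3.8+ wildcard)."""
    return [e.text for e in ET.fromstring(response_xml).findall(".//{*}applicationName") if e.text]

def revoke_reported_error(response_xml):
    """True when the revocation response carries <error>true</error>."""
    flag = ET.fromstring(response_xml).find(".//{*}error")
    return flag is not None and (flag.text or "").strip().lower() == "true"

def call(endpoint, username, password, envelope, action):
    """POST one envelope with HTTP Basic auth; urlopen verifies the server certificate by default."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(endpoint, data=envelope.encode(), method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": f"urn:{action}",
        "Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

# Constructed sample listing response in the shape assumed above (not captured from a server).
SAMPLE_LISTING = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><op:getAppsAuthorizedByUserResponse '
                  f'xmlns:op="{OP_NS}" xmlns:ax="{DTO_NS}"><op:return><ax:applicationName>app1'
                  "</ax:applicationName></op:return><op:return><ax:applicationName>app2</ax:applicationName>"
                  "</op:return></op:getAppsAuthorizedByUserResponse></s:Body></s:Envelope>")

if __name__ == "__main__":
    url = "https://localhost:9443/services/OAuthAdminService"   # placeholder host and port
    apps = parse_authorized_apps(call(url, "USER", "PASSWORD", build_get_apps_envelope(), "getAppsAuthorizedByUser"))
    reply = call(url, "USER", "PASSWORD", build_revoke_envelope(apps), "revokeAuthzForAppsByResoureOwner")
    print("revoked", apps, "error flag:", revoke_reported_error(reply))
```

HideAdminServiceWSDLs only hides the WSDL page; the service endpoint answers either way, so the caller's credentials and login permission are what gate these calls.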




The users provisioned in this scenario should have the login permission. Both of the required service methods, getAppsAuthorizedByUser() and revokeAuthzForAppsByResoureOwner(), require the login permission (/permission/admin/login).

You have two options to achieve this:

1) Assign the login permission to the Internal/everyone role. (This is the simplest solution.)

2) Define a special role with the login permission and assign that role to the user at provisioning time.


If you select the second option, you have to add an addUser() method to the custom grant handler; the com.synchronoss.oauth2.token.handlers.grant.UserStoreUtils class should be updated as follows.



import java.util.Map;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.mgt.permission.PermissionUpdateUtil; // package assumed; check the bundle on your classpath

// Creates the user, assigns the role that carries /permission/admin/login and
// refreshes the permission tree so the assignment takes effect immediately.
// getUserStoreManager(), generatePassword() and getTenantId() are this class's own helpers.
public static void addUser(String userName, Map<String, String> claimMap) throws IdentityOAuth2Exception {
    try {
        UserStoreManager userStoreManager = getUserStoreManager(userName);
        // No initial role list and no profile name; the claims come from the grant handler.
        userStoreManager.addUser(userName, generatePassword(), null, claimMap, null);
        // Replace "roleNameWithLoginPermission" with the role defined under option 2.
        userStoreManager.updateRoleListOfUser(userName, null, new String[] {"roleNameWithLoginPermission"});
        PermissionUpdateUtil.updatePermissionTree(getTenantId(userName));
    } catch (UserStoreException e) {
        throw new IdentityOAuth2Exception("UserStoreException while adding user " + userName, e);
    }
}



You can also test the following APIs using SoapUI:



    getOAuthApplicationData()

    getOAuthApplicationDataByAppName()

    registerOAuthApplicationData()

    registerOAuthConsumer()

    removeOAuthApplicationData()

    updateConsumerApplication()


If you want to create a service provider using an admin service, you have to use IdentityApplicationManagementService.


