The WSO2 API Manager has a capability to integrate with a third party IAM product to handle the clients, security and OAuth tokens. WSO2 API Manager has five main components as Publisher, Developer portal, Key manager, Gateway and Traffic manager.
The API developer portal makes the request to the key manager to create / edit / delete an OAuth application, generate the consumer key and secret, and generate the application token.
The API gateway makes the request to the key manager to validate the application token. These validations may include subscription validation and scope validation as well.
In this blog I discuss how to integrate Keycloak with WSO2 API Manager to provide the key management features as a third party key manager. We will be using the Keycloak 10.0.1 version and WSO2 APIM 2.6.0 version.
Key Manager extension point in WSO2 APIM
The Key Manager interface facilitates the bridging between the OAuth provider and WSO2 API Manager by providing many methods to implement according to the third-party Key Manager API specification to build third-party key manager extension. This extension needs to be built as a JAR file so it can be deployed as a library inside the APIM by changing the api-manager.xml allows the extension point.
The API Manager provides some generic method implementation via the AbstractKeyManager abstract class, so we need to extend the AbstractKeyManager class in our implementation.
As you can see in the above diagram there are many methods in this interface. We have to override and implement at least the below set of methods in our KeyManager implementation in order to integrate with Keycloak. We should refer the Keycloak API documentation when we are implementing each method.
For example, when API Developer portal is calling the createApplication method we have to call the corresponding API in the Keycloak to create an OAuth application in Keycloak side.
We have to make sure the return object from each method contains the proper data otherwise API Developer portal UI will brake while rendering the information.
| METHOD | DESCRIPTION |
| createApplication | Creates a new OAuth application in the Authorization Server. |
| updateApplication | Update the OAuth application created in above method. |
| deleteApplication | Delete the OAuth application. |
| retrieveApplication | Retrieving the OAuth application details. |
| getNewApplicationAccessToken | Generating a new access token to be shown in the API developer portal after clicking āGenerate Keysā and āRegenerate Keysā. |
| getTokenMetadata | Gets details about an access token. This method will be invoked during the token validation phase upon an API invocation. |
Keycloak configuration
Keycloak provides a REST APIs set for developers to interact with. These APIs are secured with OAuth 2.0, so before you call an API, first you need the access token. To get it, we should have a realm, client and user account with relevant permission in Keycloak side. In this section we will discuss how we can register those in Keycloak.
Prerequisite
Download the Keycloak 10.0.1 version, extract it and run the product.
Create an admin account.
Create a new realm
- Login to the admin console by typing the http://127.0.0.1:8080/auth/admin in the address bar.
- Click on the Add realm button.
- Provide the realm name as āapimā and hit the āCreateā button.
You will be redirected to the realm setting page.
Create a client
- From the left menu click on the āClientsā.
- Now click on the āCreateā button.
Enter the āClient IDā as āapim-clientā and hit the āSaveā button.
You will be redirected to the client settings page.
Create a user and grant permission
- Click the āUsersā on left menu and click on the āAdd userā.
- Create a user with the name āapim-userā.
- Set a password to the created user using the āCredentialsā tab in the user settings page.
Make sure to turn off the āTemporaryā toggle in this window. - Now click on the āRole Mappingā tab to assign the role to our user.
- Select the āRealm Managementā from āClient Rolesā drop down and select all roles from the āAvailable Rolesā box. Add the selected roles by clicking āAdd Selectedā button.
Now we have done all the configurations in the Keycloak side. Next step is to configure the API Manager. The API Manager will require the above details to integrate with Keycloak and below is the summary:
Realm: apim
Client: apim-client
Username: apim-user
User password: apimuser.123
Keycloak-WSO2 APIM integration java extension
As mentioned above, we have to implement the Java code and deploy it as a library to integrate API Manager with Keycloak. In this section we will discuss how we can implement the code and how to deploy it in the API Manager.
Keycloak key manager java code
As discussed above, we have to implement Java code at least for the methods mentioned in the ātable 1ā.
You can find the sample Keycloak integration Java code implementation on GitHub. With your business use case and with your requirement, you may change the implementation accordingly.
Clone the repository and build the code using Maven.
WSO2 API Manager configuration
-
- Coping the JAR file to lib
We have to copy the JAR file created above to the API Manager lib directory.
- Keycloak configuration in api-manager.xml
Java extension refers some configuration parameters from the api-manager.xml file. So those need to be defined in the xml file. Below table contains these parameters.
- Coping the JAR file to lib
| keycloakInstanceUrl | URL of the Keycloak server. | http://127.0.0.1:8080 |
| keycloakRealmName | Realm name provided in above Keycloak configuration | apim |
| client_id | Client_id from client creation in Keycloak | apim-client |
| username | Used username in above when creating a user in Keycloak | apim-user |
| password | Password we have given in above when creating a user in Keycloak | apimuser.123 |
In the api-manager.xml file, the configuration should be done under the element <APIKeyManager></APIKeyManager>.
<APIKeyManager
Ā Ā <KeyManagerClientImpl>org.wso2.keycloak.client.KeycloakClient</KeyManager ClientImpl>
Ā Ā <Configuration>
Ā Ā Ā <keycloakInstanceUrl>http://localhost:8080</keycloakInstanceUrl>
Ā Ā Ā <keycloakRealmName>apim</keycloakRealmName>
Ā Ā Ā <client_id>apim-client</client_id>āØ
Ā Ā Ā <username>apim-user</username>
Ā Ā Ā <password>apimuser.123</password>
Ā Ā </Configuration>
</APIKeyManager>- The API Manager should retrieve the token from Keycloak and validate it as per our implementation. In the API Manager there is a synapse configuration file which defined the token endpoint. The endpoint is, by default distribution, configured to the local key manager server. And as we are integrating a third-party key manager, we have to change this synapse API endpoint to Keycloak server token endpoint.Keycloak server token endpoint: http://localhost:8080/auth/realms/apim/protocol/openid-connect/token
Note: In the Keycloak server token endpoint URL, ā/apim/ā context path is a realm name. You may need to replace it with your appropriate realm name. Keycloak documentation reference for theĀ token endpoint.
Open the _TokenAPI_.xml file located in the {APIM_Home}/repository/deployment/server/synapse-configs/default/api/ and update the endpoint to above URL.
Now our setup is completed in terms of the configuration points. Restart / start the Keycloak and the WSO2 API Manager using the startup scripts which are located in the bin directory.
Testing the integration
- Deploy the sample API using the API publisher. After that you would be able to view your sample API, PizzaShackAPI , in API store.
- Create a new OAuth application named as āKeycloakAppā in the API store.
- Go to the create application page and generate the keys. Enter the callback URL as https://localhost.
- Refresh the page so you will be able to see the client application key and the secret. Now our OAuth client is registered in the Keycloak and the client key and secret are generated from the Keycloak end.
- To generate the token, you may use the curl or web interface. Here Iām just using the web interface āRegenerateā button. Once the token is generated copy the token from here to the other location.
- Go to the API and subscribe to the āKeycloakAppā application.
- Now we have a valid access token as well as the application subscription so we would be able to call our API.
Yenlo is the leading, global, multi-technology integration specialist in the field of API-management, Integration technology and Identity Management. Known for our strong focus on best-of-breed hybrid and cloud-based iPaaS technologies. Yenlo is the product leader and multi-award winner in WSO2, Boomi, MuleSoft and Microsoft Azure technologies and offers best-of-breed solutions from multiple leading integration vendors.
With over 240+ experts in the API, integration, and Identity Access Management domain and over $35 million in annual revenue, Yenlo is one of the largest and best API-first and Cloud-first integration specialists worldwide.
