Brijesh N K

Reputation: 65

How to implement Role based access control in API using WSO2 stack

We are using WSO2IS as the IAM server; roles and users are managed in WSO2IS. WSO2EI will be the integration server, exposing private APIs.

What would be the right way to implement role-based access control, e.g. some set of APIs accessible only to users in specific groups? What is the simplest way to implement this? Is WSO2AM required here?

Thanks

Upvotes: 0

Views: 216

Answers (1)

Nipun Thathsara

Reputation: 1149

EI is not the ideal way to expose private OAuth-secured APIs. Even though you can achieve it with EI, it would take excessive effort to integrate.

Use API Manager to expose the APIs to your crowd. Configure Identity Server as the Key Manager (Token Manager) of the APIM server. The APIM server knows how to talk to the Identity Server to generate and validate access tokens, so there's no explicit effort needed to integrate the resource server (APIM Gateway) with the authorization server (IAM).

  1. Share the user store between both servers (IS and APIM).
  2. Configure IS as the Key Manager of the APIM server.
  3. Register your API in the Publisher/Developer portal.
  4. When publishing, you can define role-based access restrictions on your API resources from the Publisher portal (Role : Scope mapping).
  5. Once you define it, IS will always check your roles when issuing an access token to you.

As you've already defined a role : scope mapping, the scopes you request in your token generation request will only be accepted if you (the requester) have the expected roles. Therefore, the scope of your token will only be as good as the roles you've been assigned. Now, as the API resources you've published require a defined set of scopes, not all access tokens will be accepted when trying to access the APIs, only the ones with the expected scopes.

Configure IS-KM with APIM

Role based scopes

Upvotes: 1
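The two checks the answer describes (the key manager filtering requested scopes by the requester's roles, then the gateway requiring a scope per resource) can be modelled in a few lines. The following is an added illustration, not WSO2 code and not part of the answer: the role names, scope names, resource paths and the fail-closed handling of unmapped scopes and unknown resources are all assumptions of this toy model; in a real deployment the mapping lives in the Publisher portal and the enforcement is done by IS and the APIM Gateway.

```python
"""Toy model of WSO2-style role -> scope -> resource enforcement.

Added example only; the names below are constructed for illustration
and do not come from the original answer or from WSO2 itself.
"""

from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Constructed "Role : Scope mapping" as it would be defined in the Publisher
# portal: each scope lists the roles allowed to obtain it.
SCOPE_ROLES: Dict[str, Set[str]] = {
    "orders:read": {"Internal/customer", "Internal/support"},
    "orders:write": {"Internal/support"},
    "admin:users": {"Internal/admin"},
}

# Constructed resource definitions: (HTTP method, path) -> scope the
# gateway requires for that resource.
RESOURCE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("GET", "/admin/users"): "admin:users",
}


def issue_token(user_roles: Iterable[str], requested_scopes: Iterable[str]) -> FrozenSet[str]:
    """Return the scopes the key manager would put in the token.

    A requested scope is granted only if the user holds at least one role
    mapped to it. Scopes with no role mapping are dropped here (assumption
    of this toy model: fail closed rather than grant an unmapped scope).
    """
    roles = set(user_roles)
    granted = {
        scope
        for scope in requested_scopes
        if SCOPE_ROLES.get(scope) and SCOPE_ROLES[scope] & roles
    }
    return frozenset(granted)


def gateway_allows(token_scopes: FrozenSet[str], method: str, path: str) -> bool:
    """Gateway-side check: the token must carry the scope bound to the resource.

    Unknown resources are denied (assumption: fail closed).
    """
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return False
    return required in token_scopes


def simulate(user_roles: Iterable[str], requested_scopes: Iterable[str]) -> Dict[str, bool]:
    """Issue a token for the user, then try every known resource with it."""
    token = issue_token(user_roles, requested_scopes)
    return {
        f"{method} {path}": gateway_allows(token, method, path)
        for (method, path) in RESOURCE_SCOPES
    }


if __name__ == "__main__":
    # A support user asks for everything; only the scopes their role permits
    # end up in the token, so the admin resource is denied at the gateway.
    for resource, allowed in simulate(
        ["Internal/support"], ["orders:read", "orders:write", "admin:users"]
    ).items():
        print(f"{resource}: {'allow' if allowed else 'deny'}")
```

The point the model makes is the one in the answer: over-requesting scopes does not help the caller, because the token only ever carries the scopes the requester's roles justify, and the gateway decides per resource on those scopes alone.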
