Tuesday, February 15, 2011

2-legged OAuth for securing a RESTful service

This is step by step guide to secure a RESTful service with 2-legged OAuth using WSO2Identity Server and WSO2ESB.

1. Download latest versions of WSO2Identity server and WSO2ESB from here.

2. Extract WSO2Identity and WSO2ESB zip files in to a directory in your file system. Lets call them as IS_HOME and ESB_HOME respectively

3. Start WSO2Identity and WSO2ESB by running  wso2server.sh (in unix) or wso2server.bat (in windows)  which can be found in IS_HOME/bin and ESB_HOME/bin directory respectively.
If  Both servers are running in the localhost, You should change the default ports.
Here I changed the WSO2ESB https port to 9445 and  http port to 9765 (default 9443 and 9763 respectively) by configuring mgt-transport.xml  which can be found in ESB_HOME/repository/conf

4. Go to WSO2IS Management console by pointing your browser to https://localhost:9443/carbon/

5. Register a User with WSO2Identity Server by providing User name and password.

6. Download sample OAuth client source code from following svn location

You can build the sample using maven (mvn clean install) or add the jars in IS_HOME/repository/components/plugins directory to sample project class path.

7. Go to ESB Management console by pointing your browser to https://localhost:9445/carbon/  and sign-in to it by providing admin user name and password. 

8. Create a proxy service in WSO2ESB by adding following configuration in to the service bus configuration which can be found under Manage ->Service Bus -> Source View 

(or simply update the synapse configuration of ESB with the content in org.wso2.carbon.identity.samples.oauth/src/main/resources/synapse.xml)

   <proxy name="OAuthProxy" transports="https http" startOnLoad="true" trace="disable">
                <oauthService remoteServiceUrl="https://localhost:9443/services/"/>
                        <address uri="http://localhost:8280/services/echo" format="rest"/>
             Please note that remoteServiceUrl contains the Host name and the port that WSO2Identity server is running.
9. Run sample Client........ Make sure to update variables  IDENTITY_SERVER, ESB_SERVER, USER_NAME, PASSWORD according to your configurations

Lets briefly go through the scenario and identity what is happening here
  • Register user with WSO2Identity Server.
  • Consumer secret is registered with WSO2Identity Server 
            1. Invoke AuthenticationAdmin  service and user is authenticated with WSO2ISentity server
            2. Invoke OAuthAdminService service and register consumer secret.

  •  Consumer key would be the User Name of the User  
  • Generate OAuth Authorization header and Sign it with OAuth Consumer Secret
  • Invoke the proxy service which is deployed in ESB
  • OAuth mediator in ESB invoke the OAuthService  in WSO2Identity Server to verify that consumer is valid.
  • Verify consumer key (Valid User ?) and Verify oauth_signature value using consumer secret  which has been registered by the user.
  • If Signature verification is done, request is Authenticated, and send it to the RESTful service



  1. Is there a way that we can use OAuth service of the identity server with an Android Application?

  2. Hi
    If it possible, please upload the sample code.
    I have a lot of problem about maven.
    So thanks...

  3. I try to download the sample but 404....please reupload

  4. check new url:


  5. In the same tutorial the given sample client code is not available https://svn.wso2.org/repos/wso2/trunk/carbon/components/identity/org.wso2.carbon.identity.samples.oauth
    This url isn't working

  6. I couldn't resolve the following two classes in the sample client code
    Please help me..

  7. Have the same issue. Didn't managed to execute the sample with IS 500

    1. Add following dependencies: