This is a step-by-step guide to securing a RESTful service with 2-legged OAuth using WSO2 Identity Server and WSO2 ESB.
1. Download the latest versions of WSO2 Identity Server and WSO2 ESB from here.
2. Extract the WSO2 Identity Server and WSO2 ESB zip files into a directory on your file system. Let's call these directories IS_HOME and ESB_HOME respectively.
3. Start WSO2 Identity Server and WSO2 ESB by running wso2server.sh (on Unix) or wso2server.bat (on Windows), found in IS_HOME/bin and ESB_HOME/bin respectively.
If both servers run on the same host, you must change the default ports of one of them so they do not clash.
Here I changed the WSO2 ESB HTTPS port to 9445 and HTTP port to 9765 (the defaults are 9443 and 9763 respectively) by editing mgt-transport.xml, found in ESB_HOME/repository/conf.
4. Go to the WSO2 IS Management Console by pointing your browser to https://localhost:9443/carbon/
5. Register a user with WSO2 Identity Server by providing a user name and password.
6. Download the sample OAuth client source code from the following svn location
You can build the sample with Maven (mvn clean install), or add the jars in IS_HOME/repository/components/plugins to the sample project's class path.
7. Go to the ESB Management Console by pointing your browser to https://localhost:9445/carbon/ and sign in with the admin user name and password.
8. Create a proxy service in WSO2 ESB by adding the following configuration to the service bus configuration, found under Manage -> Service Bus -> Source View
(or simply replace the ESB's synapse configuration with the content of org.wso2.carbon.identity.samples.oauth/src/main/resources/synapse.xml)
<address uri="http://localhost:8280/services/echo" format="rest"/>
Let's briefly go through the scenario and identify what is happening here:
- Register a user with WSO2 Identity Server.
- The consumer secret is registered with WSO2 Identity Server:
  1. Invoke the AuthenticationAdmin service; the user is authenticated with WSO2 Identity Server.
  2. Invoke the OAuthAdminService service and register the consumer secret.
  - The consumer key is the user name of that user.
- Generate the OAuth Authorization header and sign it with the OAuth consumer secret.
- Invoke the proxy service deployed in the ESB.
- The OAuth mediator in the ESB invokes the OAuthService in WSO2 Identity Server to verify that the consumer is valid.
- The Identity Server verifies the consumer key (is it a valid user?) and verifies the oauth_signature value using the consumer secret that user registered.
- If signature verification succeeds, the request is authenticated and forwarded to the RESTful service.
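As an added example (not the WSO2 sample client or the OAuth mediator's own code), the following Python sketches both halves of the flow above: the client builds a 2-legged OAuth 1.0a Authorization header with the user name as consumer key, and the server recomputes the HMAC-SHA1 signature with the registered consumer secret, rejecting unknown consumers, stale timestamps and replayed nonces. The signing follows RFC 5849; the credentials, replay window and sample request are constructed assumptions.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample credentials: the consumer key is the user name registered with
# the Identity Server, the secret is what that user registered (not real credentials).
REGISTERED_SECRETS = {"alice": "constructed-consumer-secret"}

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & base URL & normalized sorted parameters."""
    u = urlsplit(url)
    pairs = parse_qsl(u.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(f"{u.scheme}://{u.netloc}{u.path}"), pct(normalized)])

def sign(bs, consumer_secret):
    """HMAC-SHA1 over the base string; 2-legged, so the token-secret half of the key is empty."""
    key = (pct(consumer_secret) + "&").encode()
    return base64.b64encode(hmac.new(key, bs.encode(), hashlib.sha1).digest()).decode()

def build_header(method, url, key, secret, nonce=None, ts=None):
    """Client side: build the OAuth Authorization header for one request."""
    p = {"oauth_consumer_key": key, "oauth_nonce": nonce or secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": ts or str(int(time.time())),
         "oauth_version": "1.0"}
    p["oauth_signature"] = sign(base_string(method, url, p), secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(p.items()))

def parse_header(header):
    items = (item.split("=", 1) for item in header[len("OAuth "):].split(", "))
    return {unquote(k): unquote(v.strip('"')) for k, v in items}

def verify(method, url, header, seen, now=None, window=300):
    """Server side: the checks the ESB mediator delegates to the Identity Server."""
    p = parse_header(header)
    secret = REGISTERED_SECRETS.get(p.get("oauth_consumer_key"))  # valid user?
    if secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs((now or time.time()) - int(p.get("oauth_timestamp", "0"))) > window:
        return False  # stale timestamp
    mark = tuple(p.get(k, "") for k in ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
    if mark in seen:
        return False  # same nonce already used within the window: replay
    expected = sign(base_string(method, url, p), secret)
    ok = hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode())
    if ok: seen.add(mark)
    return ok
```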