WSO2 App Manager is a complete solution for publishing and managing all aspects of an application and its lifecycle. 100% open source, it also provides an unique one-stop store solution where users can pick and choose apps, and is highly scalable. Businesses can leverage WSO2 App Manager’s Single-Sign-On (SSO) functionality, which reduces help desk and administrative costs with no long lists of passwords required. It also automatically applies a security layer on top of the Web apps published in the store, which eliminates the need to embed security rules at the application layer, making it a very robust solution.
As part of its latest release, the REST API was developed as a CXF REST web application running on WSO2 App Manager. This API comes with a pluggable security mechanism. Since API security is implemented as a CXF handler, if you need to plug a custom security mechanism, you can write your own handler and add it to the web service. This REST API is implemented based on REST best practices and specifications. API development is started with a swagger specification for Store and Publisher operations.
Before invoking the API with the access token, obtain the consumer key/secret key pair by calling the dynamic client registration endpoint. You can request an access token with the preferred grant type. An example is shown below,
curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type:
application/json" -d @payload.json
http://localhost:9763/api/appm/oauth/v1.0/registerSample request:
{
"callbackUrl": "www.google.lk",
"clientName": "rest_api_store",
"tokenScope": "Production",
"owner": "admin",
"grantType": "password refresh_token",
"saasApp": true
}Sample response:
{
"callBackURL": "www.google.lk",
"jsonString":
"{
\"username\":\"admin\",
\"redirect_uris\":\"www.google.lk\",
\"tokenScope\":[Ljava.lang.String;@3a73796a,
\"client_name\":\"admin_rest_api_store\",
\"grant_types\":\"authorization_code password refresh_token iwa:ntlm
urn:ietf:params:oauth:grant-type:saml2-bearer client_credentialsimplicit\"
}",
"clientName": null,
"clientId": "HfEl1jJPdg5tbtrxhAwybN05QGoa",
"clientSecret": "l6c0aoLcWR3fwezHhc7XoGOht5Aa"
}During the API invocation process request, click the CXF handler first, which calls an introspection API to validate the token. Generate the access token using the already created OAuth application. A sample call to generate the access token is shown below.
curl -k -d
"grant_type=password&username=admin&password=admin&scope=apim:subscribe" -H
"Authorization: Basic
SGZFbDFqSlBkZzV0YnRyeGhBd3liTjA1UUdvYTpsNmMwYW9MY1dSM2Z3ZXpIaGM3WG9HT2h0NUFh"
https://127.0.0.1:9763/oauth2/tokenToken response:
{
"scope":"appm:read",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"33c3be152ebf0030b3fb76f2c1f80bf8",
"access_token":"292ff0fd256814536baca0926f483c8d"
}Now you have a valid access token, which you can use to invoke an API. Navigate through the API descriptions to find the required API, obtain an access token as described above and invoke the API with the authentication header. If you use a different authentication mechanism, this process may change.