Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# Passing a Custom Authorization Token to the Backend

When you send an API request to the backend, you pass a token in the `Authorization` header of the request. 
The API Gateway uses this token to authorize access, and then drops it from the outgoing message.  If you wish to use a
different (or a custom generated) authorization token than the application generated access token, you can use it as a
token exchange mechanism in mediation logic of the API. In this tutorial, we explain how to pass a custom authorization
The API Gateway uses this token to authorize access, and then drops it from the outgoing message.  If you wish to use a
different (or a custom generated) authorization token than the application generated access token, you can use it as a
token exchange mechanism in mediation logic of the API. In this tutorial, we explain how to pass a custom authorization
token that is different to the authorization token generated for the application.

In this tutorial, you have a sample JAX-RS backend and it always expects 1234 as the authorization token. In your API
request, you pass the token that is generated in the `Authorization` header, and 1234 in a `Custom` header.
The mediation extension you write extracts the value of the `Custom` header, and sets it as the `Authorization` header
In this tutorial, you have a sample backend that always expects 1234 as the authorization token. In your API
request, you pass the token that is generated in the `Authorization` header, and 1234 in a `Custom` header.
The mediation extension you write extracts the value of the `Custom` header, and sets it as the `Authorization` header
before sending it to the backend.

Here's a summary:
Expand All @@ -18,56 +18,81 @@ Here's a summary:
1. Add the following sequence content to a file and save it as `tokenExchange.xml`.

!!! example
```xml
<sequence xmlns="http://ws.apache.org/ns/synapse" name="TokenExchange">
<property name="Custom" expression="get-property('transport', 'Custom')"/>
<property name="Authorization" expression="get-property('Custom')" scope="transport"/>
<property name="Custom" scope="transport" action="remove"/>
</sequence>
```xml
<sequence xmlns="http://ws.apache.org/ns/synapse" name="TokenExchange">
<property name="CustomValue" expression="get-property('transport', 'Custom')"/>
<property name="Authorization" expression="get-property('CustomValue')" scope="transport"/>
<property name="Custom" scope="transport" action="remove"/>
</sequence>
```

2. Start the sample backend server. Let's use the custom authorization token sample backend server as the backend for the API. It accepts any path and method, and authorizes a request only when the `Authorization` header is exactly `Bearer 1234`. On success it returns HTTP 200 with "Request Received."; otherwise HTTP 401.

1. Clone the [WSO2 API Manager Samples](https://github.com/wso2/samples-apim) repository.

```bash
git clone https://github.com/wso2/samples-apim
```

2. Navigate to the `custom-auth-token-backend` directory.

```bash
cd samples-apim/custom-auth-token-backend
```

2. Log in to the **API Publisher**, create a new REST API with the information given in the table below by following the instructions in [Create a REST API]({{base_path}}/design/create-api/create-rest-api/create-a-rest-api/).
3. Run the server.

```bash
python3 server.py
```

Once the above steps are done, the backend server will be running on `http://localhost:8080`.
[![CLI output]({{base_path}}/assets/img/learn/custom-auth-backend-cli-output.png){: style="width:65%"}]({{base_path}}/assets/img/learn/custom-auth-backend-cli-output.png)

Incoming requests and their headers are printed directly to the terminal, so you can verify what the gateway forwarded to the backend.

3. Log in to the **API Publisher**, create a new REST API with the information given in the table below by following the instructions in [Create a REST API]({{base_path}}/design/create-api/create-rest-api/create-a-rest-api/).

| Field | Sample Value |
|---------------|----------------------|
| Name | TestCustomHeader |
| Context | /testcustomheader |
| Version | 1.0.0 |
| Endpoint | http://wso2cloud-custom-auth-header-sample-1-0-0.wso2apps.com/custom-auth-header/validate-header |
| Endpoint | http://localhost:8080/custom-auth-header/validate-header |

3. Navigate to the **API Configurations** --> **Policies** tab. Create a new policy with the information given in the table below by following the instructions in [Create a Policy]({{base_path}}/design/api-policies/create-policy/).
4. Navigate to the **API Configurations** --> **Policies** tab. Create a new policy with the information given in the table below by following the instructions in [Create a Policy]({{base_path}}/design/api-policies/create-policy/).

| Section | Field | Sample Value |
|---------------------------|-------------------|-----------------------|
| General Details | Name | Custom Authorization Token |
| | Version | 1.0 |
| Section | Field | Sample Value |
|---------------------------|-------------------|-----------------------------------------------------|
| General Details | Name | Custom Authorization Token |
| | Version | 1.0 |
| | Description | Passing a custom authorization token to the backend |
| | Applicable Flows | Request |
| | Supported API Types | HTTP |
| Gateway Specific Details | Policy File | `tokenExchange.xml` file you created |
| Policy Attributes | N/A | N/A |
| | Applicable Flows | Request |
| | Supported API Types | HTTP |
| Gateway Specific Details | Policy File | `tokenExchange.xml` file you created |
| Policy Attributes | N/A | N/A |

4. Next, find the **Custom Authorization Token** policy that you just created by following Step 3, from the `Request` tab of the policy list. Drag and drop this policy to the desired API operation(s) by following the instructions in [Attach Policies]({{base_path}}/design/api-policies/attach-policy/).
5. Next, find the **Custom Authorization Token** policy that you just created by following Step 4, from the `Request` tab of the policy list. Drag and drop this policy to the desired API operation(s) by following the instructions in [Attach Policies]({{base_path}}/design/api-policies/attach-policy/).

[![Custom Authorization Token Policy]({{base_path}}/assets/img/design/api-policies/custom-authorization-token-policy.png)]({{base_path}}/assets/img/design/api-policies/custom-authorization-token-policy.png)

5. Finally, scroll down and click on the **Save** button in order to apply the attached policies to the API.
6. Finally, scroll down and click on the **Save** button in order to apply the attached policies to the API.

[![Disable Chunking]({{base_path}}/assets/img/design/api-policies/save-api-for-custom-authorization-token-policy.png)]({{base_path}}/assets/img/design/api-policies/save-api-for-custom-authorization-token-policy.png)

6. Make sure to navigate to the **Deployments** tab and click on **Deploy New Revision** button. Also, if the API is not in `PUBLISHED` state, navigate to the **Lifecycle** tab and publish your API.

5. Go to the **Developer Portal**, subscribe and obtain a token to invoke the published API.
7. Make sure to navigate to the **Deployments** tab and click on **Deploy New Revision** button. Also, if the API is not in `PUBLISHED` state, navigate to the **Lifecycle** tab and publish your API.

8. Go to the **Developer Portal**, subscribe and obtain a token to invoke the published API.

!!! tip
Follow the instructions in [here]({{base_path}}/consume/manage-application/generate-keys/generate-api-keys/#generating-application-keys) to generate an application access token.
!!! tip
Follow the instructions in [here]({{base_path}}/consume/manage-application/generate-keys/generate-api-keys/#generating-application-keys) to generate an application access token.

6. Install any REST client in your machine. We use [cURL](http://curl.haxx.se/download.html) here.
9. Install any REST client in your machine. We use [cURL](http://curl.haxx.se/download.html) here.

7. Go to the command line, and invoke the API using the following cURL command.
In this command, you pass the token that
the backend expects, i.e., 1234, in the **`Custom`** header with the authorization token that the system generates in
the **`Authorization`** header.
10. Go to the command line, and invoke the API using the following cURL command.
In this command, you pass the token that
the backend expects, i.e., 1234, in the **`Custom`** header with the authorization token that the system generates in
the **`Authorization`** header.

!!! example

Expand All @@ -82,12 +107,12 @@ the **`Authorization`** header.
```

!!! info
- **<access token&gt;** is the token that you got in step 7.
- **<API URL&gt;** appears on the API's **Overview** page in the API Developer Portal. Copy the HTTP endpoint.
If you select the HTTPs endpoint, be sure to run the cURL command with the -k option.
- **<access token&gt;** is the token that you got in step 8.
- **<API URL&gt;** appears on the API's **Overview** page in the API Developer Portal. Copy the HTTP endpoint.
If you select the HTTPs endpoint, be sure to run the cURL command with the -k option.

24. Note the response that you get in the command line. According to the sample backend used in this tutorial,
you get the response as "Request Received."
11. Note the response that you get in the command line. According to the sample backend used in this tutorial,
you get the response as "Request Received.". You can also check the backend server's terminal to verify that the `Authorization` header received by the backend is `Bearer 1234` (swapped in from the `Custom` header) and that the `Custom` header has been removed.

[![]({{base_path}}/assets/img/learn/api-gateway/message-mediation/custom-header-response.png)]({{base_path}}/assets/img/learn/api-gateway/message-mediation/custom-header-response.png)

Expand Down