A set of policies that integrate the Axway API-Management solution with the external Identity-Provider https://auth0.com. The goal is to give Application-Developers the self-service capabilities they expect from an API-Developer-Portal, including API-Subscriptions, while a dedicated solution handles Identity- & Token-Management.
With this project the following flow is supported:
- An Application Developer is using the API-Developer-Portal to create consuming applications & generate Application-Credentials (Client-ID & Secret)
- The application credentials shown in API-Portal are actually generated by Auth0
- Now an Application Developer can obtain an Access Token from Auth0
- And call a protected API at the API-Management solution with that access token
- The API-Management solution validates the token, identifies the consuming application, approves API access and applies quotas
- An API-Administrator can manage API-Access (Disable the Application, remove the API-Subscription, Monitor consumption, etc.)
This artefact can be used with Axway API Management version 7.6.2 and higher
An Auth0 Account - https://manage.auth0.com
The API-Management solution will use the Auth0 Management REST-API to integrate. This API is secured by OAuth.
Log in to your Auth0 Management console and make sure you have selected the correct tenant in the upper right corner. Now an application must be created that corresponds to your API-Management solution and is used to access the Auth0 Management REST-API. Steps needed:
- Applications section
- Create application
- Name it e.g. Axway API-Management
- Type: Machine to Machine app.
- Create
- Select Auth0 Management API
- Authorize (here you may restrict permissions of this application)
- In the settings tab please note the Client ID & Secret for later
Later, access tokens will be issued only for a certain usage (audience), which Auth0 calls an API. Before creating an API, note your Auth0-Tenant-ID, shown as the audience of the Auth0 Management API:
Create an API in Auth0:
- APIs section
- Create API
- Give it a friendly name, e.g. "My APIs", meaning that these tokens can only be used to access APIs on your API-Management platform
- Provide the Identifier, e.g. https://api.customer-name.com - it is used to validate the token (audience) at API-Management runtime.
- Leave the default Signing Algorithm
With that, we are done with the basic Auth0 setup. More advanced configuration is not in scope of this document.
The first step is to import the pre-configured Policy-Set and KPS-Collection. After import they will appear in the following container:
In addition you need to import the KPS-Collection, which will create the required Cassandra-DB table during deployment:
To communicate with the Auth0 Management API an Access-Token is needed, which the API-Gateway generates automatically when required. However, you need to set up the Auth0 Token-Endpoint and the Client-Credentials created before.
- In Environment configuration -> External Connections -> Client Credentials -> OAuth2
- Select Auth0 - Which has been imported with the Policy XML-Fragment
- In tab: "OAuth2 Credentials" edit the existing entry
- Add the Client-Id & Secret you have noted from the steps at Auth0
- In the tab: "OAuth2 Provider Settings"
- Fill in your tenant information, also noted from Auth0 above
With that, the API-Gateway is able to obtain an access token automatically when communicating with the Auth0 Management API.
As the API-Management platform must communicate with your Auth0 tenant, the right tenant must be configured in several places.
Create a new EnvSettings property:
- Open /groups/group-/instance-/conf/envSettings.props
- Add a new property: env.auth0_domain=<Your_Auth0_Tenant_Id> (e.g. test-axway.eu.auth0.com)
Open the Policy: Identity Provider/Auth0/Auth0 - Validate Token. Edit the filter "Check token details" so that it corresponds to your Audience & Tenant.
Open the Policy: Identity Provider/Auth0/Auth0 - AppCredentials Created. Edit the filter "Create Client-Grant message" and adjust the identifier of your API (Audience) to what you have configured.
Please make sure the following alerts are enabled in API-Manager. They are used to communicate with Auth0 for the required actions:
At runtime, tokens issued by Auth0 must be validated by API-Manager. For this, APIs are protected with the security device "OAuth (External)" and a custom policy performs the validation.
Steps to set this up:
- In Policy Studio (PS) -> Server settings -> API Manager -> OAuth Token Information Policies
- Make sure the Policy "Auth0 - Token validation" is configured there
- In API-Manager Web-UI open a Front-End API (state: unpublished)
- Configure Inbound security to: OAuth (External)
- Select the Policy: "Auth0 - Token validation"
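The checks the token-information policy has to make on an Auth0-issued access token (algorithm pinned to RS256, signature first, then issuer, audience, expiry and the client identifier that API-Manager maps to the application), as an added example for this README rather than code taken from the policy set. The tenant test-axway.eu.auth0.com and the API identifier https://api.customer-name.com are assumed from the examples above; the RS256 signature verification against the tenant JWKS is injected as a callable so the block runs offline, and the sample token is constructed with a dummy signature purely to exercise the checks.

```python
"""Checks a token-information policy such as "Auth0 - Validate Token" has to perform on an
Auth0-issued access token. Added example for this README, not code from the policy set.
Assumed values: tenant test-axway.eu.auth0.com and API identifier
https://api.customer-name.com (the values used as examples in the text above)."""
import base64
import json
import time

AUTH0_DOMAIN = "test-axway.eu.auth0.com"             # assumed tenant (env.auth0_domain)
EXPECTED_ISSUER = f"https://{AUTH0_DOMAIN}/"          # Auth0 issues 'iss' with a trailing slash
EXPECTED_AUDIENCE = "https://api.customer-name.com"   # assumed API identifier created in Auth0


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_claims(payload: dict, now: float = None, leeway: int = 30) -> str:
    """Return the client_id the token was issued to, or raise ValueError on any failed check."""
    now = time.time() if now is None else now
    if payload.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"issuer mismatch: {payload.get('iss')!r}")
    # 'aud' is a string for one audience, or a list when Auth0 adds the /userinfo audience
    aud = payload.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: {aud!r}")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("token expired or missing exp")
    nbf = payload.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise ValueError("token not yet valid")
    # For the client-credentials grant Auth0 puts the application's client_id in 'azp' and
    # sets 'sub' to '<client_id>@clients'; this is what API-Manager maps to the application.
    client_id = payload.get("azp")
    if not client_id:
        sub = str(payload.get("sub", ""))
        client_id = sub[: -len("@clients")] if sub.endswith("@clients") else ""
    if not client_id:
        raise ValueError("no client identifier (azp/sub) in token")
    return client_id


def validate(token: str, verify_signature, now: float = None, leeway: int = 30) -> str:
    """Check order for the whole token. verify_signature(header, signing_input, signature) -> bool
    stands in for the gateway's RS256 verification against the tenant JWKS
    (https://<tenant>/.well-known/jwks.json); it is injected so the example runs offline."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm before anything else: never let the token choose 'none' or an HMAC alg
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not verify_signature(header, signing_input, _b64url_decode(parts[2])):
        raise ValueError("signature invalid")
    # Only now are the claims trustworthy
    return check_claims(json.loads(_b64url_decode(parts[1])), now, leeway)


def build_sample_token(payload: dict, header: dict = None) -> str:
    """Constructed test token with a dummy signature, only for exercising the checks above."""
    header = header or {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{_b64url_encode(b'dummy-signature')}"
```

The value `validate` returns is the Auth0 client_id, which is exactly the key API-Manager needs to find the consuming application and apply its quotas; rejecting any `alg` other than RS256 before looking at the signature is what keeps an attacker from downgrading to `none` or to an HMAC keyed with the public key.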
To test the integration, create an application in API-Portal and, in the Authentication tab, generate an "External OAuth Credential". The credentials you enter in this dialog don't matter, as they are overwritten by the Client-ID generated by Auth0.
So for each Client-Id in the Authentication tab, one application is generated in Auth0. Deleting the Client-ID or the application in API-Portal deletes the corresponding applications in Auth0.
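What the gateway does against the Auth0 Management API behind the "AppCredentials Created" policy and the alerts above, as an added example for this README (not the project's own policies): obtain a management token with the client-credentials grant and cache it until shortly before it expires, create one Auth0 application plus a client grant for the API audience per API-Portal Client-Id, and remove both again when the Client-Id is deleted. The tenant test-axway.eu.auth0.com and the audience https://api.customer-name.com are assumed from the examples above; the HTTP transport is injectable, and the FakeAuth0 class is a constructed stand-in so the flow runs offline.

```python
"""Provisioning flow the gateway performs against the Auth0 Management API, as an added example
for this README (not the project's own policies): obtain a management token via the
client-credentials grant and cache it until shortly before expiry, create one Auth0 application
plus a client grant for the API audience per API-Portal Client-Id, and remove both again.
The HTTP transport is injectable so the flow can run offline against a constructed fake.
Assumed values: tenant test-axway.eu.auth0.com and audience https://api.customer-name.com."""
import json
import time
import urllib.request

AUTH0_DOMAIN = "test-axway.eu.auth0.com"            # assumed tenant (env.auth0_domain)
API_AUDIENCE = "https://api.customer-name.com"      # assumed API identifier created in Auth0
MGMT_AUDIENCE = f"https://{AUTH0_DOMAIN}/api/v2/"   # audience of the Auth0 Management API


def urllib_transport(method, url, headers, body):
    """Real transport: (status, parsed JSON body). Not exercised by the offline test."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class Auth0Management:
    def __init__(self, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _management_token(self):
        # Re-use the cached token and refresh it 60 s before Auth0's expires_in runs out
        if self._token and self.clock() < self._expires_at - 60:
            return self._token
        status, body = self.transport("POST", f"https://{AUTH0_DOMAIN}/oauth/token", {}, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,        # the "Axway API-Management" M2M app from the setup
            "client_secret": self.client_secret,
            "audience": MGMT_AUDIENCE,
        })
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        self._token = body["access_token"]
        self._expires_at = self.clock() + float(body.get("expires_in", 0))
        return self._token

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self._management_token()}"}
        status, resp = self.transport(method, f"https://{AUTH0_DOMAIN}/api/v2/{path}", headers, body)
        if status >= 300:
            raise RuntimeError(f"{method} {path} failed with {status}: {resp}")
        return resp

    def create_application(self, name):
        """One non-interactive (machine-to-machine) client per API-Portal Client-Id, then a
        client grant so it may request tokens for the API audience.
        Returns (client_id, client_secret, grant_id); the secret is only available here."""
        client = self._call("POST", "clients", {"name": name, "app_type": "non_interactive"})
        grant = self._call("POST", "client-grants", {
            "client_id": client["client_id"],
            "audience": API_AUDIENCE,
            "scope": [],    # narrow this if the API defines permissions
        })
        return client["client_id"], client["client_secret"], grant["id"]

    def delete_application(self, client_id, grant_id):
        """Mirror of deleting the Client-Id in API-Portal: revoke the grant, then the client."""
        self._call("DELETE", f"client-grants/{grant_id}")
        self._call("DELETE", f"clients/{client_id}")


class FakeAuth0:
    """Constructed stand-in for the Auth0 endpoints; records every request it receives."""
    def __init__(self):
        self.requests, self.token_calls, self.counter = [], 0, 0

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers.get("Authorization"), body))
        if url.endswith("/oauth/token"):
            self.token_calls += 1
            return 200, {"access_token": f"mgmt-token-{self.token_calls}",
                         "expires_in": 86400, "token_type": "Bearer"}
        if not str(headers.get("Authorization", "")).startswith("Bearer mgmt-token-"):
            return 401, {"error": "unauthorized"}
        self.counter += 1
        if method == "POST" and url.endswith("/api/v2/clients"):
            return 201, {"client_id": f"cid{self.counter}", "client_secret": f"secret{self.counter}"}
        if method == "POST" and url.endswith("/api/v2/client-grants"):
            return 201, {"id": f"cgr{self.counter}", "client_id": body["client_id"]}
        if method == "DELETE":
            return 204, {}
        return 404, {"error": "not found"}
```

Two points worth copying into a real policy: the management token is requested for the Management API audience (`https://<tenant>/api/v2/`), never for your own API identifier, and the client grant is what actually authorizes the new application to request tokens for `https://api.customer-name.com`; creating the client alone yields credentials that cannot obtain a usable token.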
It's recommended to customize the API-Portal with a dedicated section for Client-ID handling with Auth0 instead of using the standard External Credentials section, but this is out of scope for now.
- 0.0.1 - 06.09.2018
- Initial version
- Enabling / Disabling of Client-IDs isn't supported, as Auth0 doesn't support it
- API-Portal customizing is not described / included
- Displaying the generated secret would also be part of the API-Portal customizing
Please read Contributing.md for details on our code of conduct, and the process for submitting pull requests to us.