Using A Third-Party IdP¶

Follow the instructions below to use any third-party Identity Provider (IdP) to authenticate the APIs that belong to a specific Organization:

Prerequisites¶

IDP needs to be an OIDC compliance.
Access Token needs to be JWT token.
Access token able to validate from certificate (certificate file/jwks).
Required Claims to be include in JWT token
- username
- users organization
- scopes requested for token

Step 1 - Set up an Identity Provider (IdP)¶

You need to set up an Identity Provider (IdP) with your preferred third-party provider, such as Asgardeo, Auth0, or any other provider. Follow the instructions provided by the respective IdP to create an account and configure the necessary settings.

Step 2 - Create a user¶

Create a user within your chosen IdP. This user will be used to authenticate and authorize API requests.

Step 3 - Add the user to the IdP group¶

If your chosen IdP supports groups, add the user to a group within the IdP.

Step 4 - Create an application¶

Create an application within your chosen IdP. This application will represent the APIs that you want to protect with WSO2 API Platform for Kubernetes (WSO2 APK).

Step 5 - Configure the application¶

Configure the application within your chosen IdP. This includes setting the application's settings, such as the application name and endpoints.

Step 5 - Add a new token issuer for the IDP¶

Access the endpoints that correspond to the application, which is available in the idp.

Create two file named idp-system-token-issuer.yaml and idp-org-token-issuer.yaml add the following content to it.

Parameter	Description
`issuer:`	The IdP's issuer URL.
`jwksEndpoint:`	The URL of the IdP's JSON Web Key Set (JWKS) endpoint.
`usernameClaim:`	The claim in the IdP's token that represents the user's username.
`organizationClaim:`	The claim in the IdP's token that represents the user's organization.
`organization:`	The organization of IDP. To invoke system APIs, this should be `apk-system`. To invoke particular organizaiton's APIs, this should be organization claim value.

For System APIs

  apiVersion: dp.wso2.com/v1alpha1
  kind: TokenIssuer
  metadata:
    name: auth0-idp-issuer
  spec:
    claimMappings:
    - localClaim: x-wso2-organization
      remoteClaim: <organizationClaim>
    consumerKeyClaim: azp
    issuer: https://<idp.domain>/
    name: new-service-provider
    organization: apk-system
    scopesClaim: scope
    signatureValidation:
      jwks:
        url: "https://<idp.domain>/.well-known/jwks.json"
    targetRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: default

For Organization APIs

  apiVersion: dp.wso2.com/v1alpha1
  kind: TokenIssuer
  metadata:
    name: auth0-idp-issuer
  spec:
    claimMappings:
    - localClaim: x-wso2-organization
      remoteClaim: orgId
    consumerKeyClaim: azp
    issuer: https://<idp.domain>/
    name: new-service-provider
    organization: default
    scopesClaim: scope
    signatureValidation:
      jwks:
        url: "https://<idp.domain>/.well-known/jwks"
    targetRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: default

Run the following commands to add the token Issuers to APK.

kubectl apply -f idp-system-token-issuer.yaml

kubectl apply -f idp-org-token-issuer.yaml

Optional

If you need to configure the IdP as the primary IdP instead of adding multiple IdPs, execute the following steps as the 6^th step.

## Step 6 - Update the Helm Chart

Follow the instructions outlined in Customize Configurations. These instructions will guide you through the process of acquiring the values.yaml file. Open the values.yaml file.
Update the IDP related configurations in the idp section.
```
idp:
     issuer: ""
     jwksEndpoint: ""      
     usernameClaim: ""
     organizationClaim: ""
```
- organizationClaim - This needs to be configured based on organization claim in jwt.
- Update all other values based on the Endpoint details that you came under the application settings.

The Idp section should include the following parameters:

Parameter	Description
`issuer:`	The IdP's issuer URL.
`jwksEndpoint:`	The URL of the IdP's JSON Web Key Set (JWKS) endpoint.
`usernameClaim:`	The claim in the IdP's token that represents the user's username.
`organizationClaim:`	The claim in the IdP's token that represents the user's organization, if applicable.

Step 7 - Start WSO2 APK¶

Start WSO2 APK using the following command:

FormatExample

helm install <helm-chart-name> .

helm install apk-test .

Step 8 - Generate an Access Token¶

Open Postman and create a new request to generate the auth code token.
Navigate to the Authorization tab of the request.
Make sure that the Token generation call has the same information that was entered in the Helm Chart in Step 6.
- Auth URL
- Access Token URL
- Client ID
- Client Secret
- CallBack Url
- Scopes - (rest API related scopes + openid)
Click Get New Access Token.

This redirects you to the IdP's sign-in page.
Enter the name of the organization that you created in Step 1.
Click Continue.
Enter the user credentials (email and password) of the user that you assigned to the organization.

You will receive two tokens, namely the access token and ID token, when the token call is successful.
Copy the Access token that you see listed as the Access Token.

Step 9 - Invoke the APIs¶

Use the JWT token that you received in the previous step to invoke the System APIs and other APIs.