Pass a Custom Authorization Token to the Backend
This tutorial uses the WSO2 API Manager Tooling Plug-in.
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message. If you want the backend to receive a different (or custom generated) authorization token instead of the application's access token, you can implement a token exchange in the API's mediation logic. In this tutorial, we explain how to pass a custom authorization token that is different from the authorization token generated for the application.
In this tutorial, you have a sample JAX-RS backend that always expects 1234 as the authorization token. In your API request, you pass the token that is generated in the Authorization header, and 1234 in a Custom header. The mediation extension you write extracts the value of the Custom header and sets it as the Authorization header before sending the request to the backend.
Here's a summary:
Client (headers: Authorization, custom) -> Gateway (drop: Authorization, convert: custom->Authorization) -> Backend
Let's get started.
Download and install the WSO2 API Manager Tooling Plug-in if you have not done so already. Open Eclipse by double clicking the Eclipse.app file inside the downloaded folder.
Click Window > Open Perspective > Other to open the Eclipse perspective selection window. Alternatively, click the Open Perspective icon shown below at the top right corner.
- On the APIM perspective, click the Login icon as shown below.
- On the dialog box that appears, enter the URL, username and password (by default admin) of the Publisher server.
- On the tree view that appears, expand the folder structure of the existing API.
- Right-click on the insequence folder and click Create to create a new
Your sequence now appears on the APIM perspective. From under the Mediators section, drag and drop a Property mediator to your sequence and give the following values to the mediator.
The following property mediator is used to assign the Custom transport level property to another property called Custom.
- Property Name: New Property
- New Property Name: Custom
- Value Type: EXPRESSION
- Value Expression: get-property('transport', 'Custom')
Similarly, add another Property mediator to your sequence and give the following values to the mediator. This property mediator is used to construct a transport level property called Authorization and assign itself the value of the Custom property created above.
- Property Name: New Property
- New Property Name: Authorization
- Value Type: EXPRESSION
- Value Expression: get-property('Custom')
- Property Scope: transport
Add a third Property mediator to your sequence and give the following values to the mediator. This property mediator is used to remove the Custom property from the transport level.
- Property Name: New Property
- New Property Name: Custom
- Property Action: remove
- Property Scope: transport
Save the sequence.
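For reference, this is the Synapse sequence XML that the three Property mediators configured above produce; it is an added example, not a file from the original tutorial, and the sequence name is an assumption.

```xml
<!-- Added example: the in-sequence built from the three Property mediators above.
     The sequence name "custom-auth-token-insequence" is an assumption. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="custom-auth-token-insequence">
  <!-- 1. Copy the value of the incoming Custom transport header into a
          default-scope property named Custom. By this point the Gateway has
          already validated the application's access token and dropped its
          Authorization header from the outgoing message. -->
  <property name="Custom" expression="get-property('transport', 'Custom')"/>

  <!-- 2. Create a transport-scope Authorization header from that property.
          This is the header the backend receives (Bearer 1234 in this tutorial). -->
  <property name="Authorization" expression="get-property('Custom')" scope="transport"/>

  <!-- 3. Remove the Custom transport header so the backend token is sent to the
          backend only once, in the Authorization header, and not duplicated. -->
  <property name="Custom" action="remove" scope="transport"/>
</sequence>
```

Without the third mediator the Custom header would still travel to the backend alongside the new Authorization header, which is why the tutorial removes it.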
Right-click on the sequence and click Commit File to push the changes to the Publisher server.
Let's create a new API and engage the sequence you created to it.
Log in to the API Publisher and create a new REST API with the information given in the table below.
- Name: TestCustomHeader
- Context: /testcustomheader
- Version: 1.0.0
- Business Plan: Gold
Go to the Resources tab and note that the wildcard resource (/*) has already been added.
On the Endpoints tab, give the information in the table below to add production and sandbox endpoints.
- Endpoint type: HTTP/REST endpoint
- Production endpoint:
Navigate to the Runtime Configurations tab and enable Message Mediation in the Request flow. Engage the Insequence that you created earlier and click Save.
In Flow, Out Flow and Fault Flow represent the custom In, Out and Fault sequences that the user attaches to the API, in addition to the API's default sequence definition.
Go to the Lifecycle tab and click Publish to publish the API.
Let's subscribe to the API and invoke it.
Log in to the API Developer Portal (https://localhost:9443/devportal) and subscribe to the API using an available application and the Gold tier. Alternatively, create a new application and subscribe to the API with it.
Go to the Credentials tab and click on
Click Generate Keys to create an application access token.
Install any REST client in your machine. We use cURL here.
Go to the command line, and invoke the API using the following cURL command. In this command, you pass the token that the backend expects, i.e., 1234, in the Custom header with the authorization token that the system generates in the
curl -H "Authorization: Bearer <access token>" -H "Custom: Bearer 1234" <API URL>
Note the following:
- <access token> is the token that you got in step 20.
- <API URL> appears on the API's Overview page in the API Store. Copy the HTTP endpoint. If you select the HTTPs endpoint, be sure to run the cURL command with the -k option.
Here's an example:
curl -k -H "Authorization: Bearer 2e25097b2b3fbbfb44f5642fa8a495a1" -H "Custom: Bearer 1234" https://localhost:8243/test/1.0.0
In this tutorial, you passed a custom token that the backend expects along with the system-generated Authorization token, and invoked the API successfully by swapping the system's token for your custom token.