Enhancing API Security with Auth0 and WSO2 API Manager


Introduction

WSO2 API Manager 4.0.0 allows you to secure and manage APIs efficiently. Integrating a third-party key manager like Auth0 enables external token issuance and centralized authentication for your APIs.

Description

By connecting WSO2 API Manager with Auth0, you can use Auth0-issued OAuth 2.0 access tokens to access your APIs, giving you secure, scalable, and centralized identity management. This blog explains how to configure Auth0 as a key manager, generate tokens, and securely access WSO2 APIs.

Prerequisites

Before we start, ensure you have the following:

  • WSO2 API Manager 4.0.0 installed locally and started (Windows: api-manager.bat; MacOS/Linux: sh api-manager.sh)
  • Auth0 account: sign up at Auth0 if you don’t already have one.


Step 1: Create an Application in Auth0

  1. Log in to the Auth0 Dashboard → Navigate to Applications → Create Application.
  2. Provide:

  • Application Name: e.g., WSO2 OAuth
  • Application Type: Machine to Machine Application

  3. Click Create.

  4. Authorize the application to access the Auth0 Management API:

  • Select Auth0 Management API
  • Grant all permissions
  • Click Authorize


Your Auth0 application is now ready.


Step 2: Create an API in Auth0

  1. In the Auth0 Dashboard, go to APIs → Create API.
  2. Provide the details:

  • Name: e.g., WSO2 Resource
  • Identifier: e.g., https://localhost:9443
  • JSON Web Token (JWT) Profile: Auth0
  • Signing Algorithm: RS256

  3. Navigate to Permissions and add a scope:

  • Scope: default
  • Description: default
  • Click Add


Your Auth0 API is now created and ready to issue JWT tokens.


Step 3: Configure Auth0 as a Key Manager in WSO2

  1. Log in to the WSO2 Admin Portal (ensure API Manager is running).
  2. Navigate to Key Managers → Add Key Manager.
  3. Fill in the details:

  • Name: Auth0
  • Display Name: Auth0
  • Key Manager Type: Auth0
  • Key Manager endpoints: the OpenID Connect discovery URL of your Auth0 tenant:

https://<your-domain>.us.auth0.com/.well-known/openid-configuration

  • Click Import → the endpoint fields (issuer, token endpoint, JWKS URL, and so on) will auto-populate from the discovery document.
  • If any fields remain empty, fill them manually.

  4. Grant Type: client_credentials

  5. Certificates File (JWKS URL):

https://<your-domain>.us.auth0.com/.well-known/jwks.json

  6. Connector Configurations:

  • Client ID & Secret: from the Auth0 Application created in Step 1
  • Audience: the Identifier of the API created in Step 2

  7. Click Save.

Auth0 is now successfully configured as a key manager in WSO2.


Step 4: Apply Policy and Generate Access Token

  1. Log in to the WSO2 Developer Portal (https://localhost:9443/devportal).
  2. Publish the API to the Developer Portal.
  3. Create a New Application:

  • Application Name
  • Shared Quota (e.g., 10PerMin, 20PerMin, 50PerMin, Unlimited)
  • Description
  • Click Save

  4. Subscribe the Application to the API:

  • Go to APIs and select the API you want to subscribe to
  • Go to APIs → Subscriptions
  • Select the application you just created
  • Click Save

  5. Generate Production Keys:

  • Under Production Keys, select RESIDENT KEY MANAGER as the key manager.
  • Configure the required fields in the Resident Key Manager configuration.
  • Click Generate Key.

  6. Generate Access Token:

  • Scroll up → Click CURL To Generate Access Token.



Step 5: Test the API

  1. Go to the Try Out section of the API in WSO2.
  2. Configure the Access Token you generated.
  3. Call the endpoint:

  • If the token is valid, you’ll receive 200 OK
  • If it is invalid (wrong audience, wrong issuer, expired, or bad signature), you’ll get 401 Unauthorized
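The following script is an added example, not code from this article, from WSO2 or from Auth0. It ties Steps 3, 4 and 5 together: which keys of the openid-configuration document the Import button maps onto the key manager form, the client_credentials request that sits behind the generated cURL command, and the claim checks (RS256 algorithm, issuer, audience, expiry) that separate a 200 OK from a 401 Unauthorized at the gateway. The tenant domain, the discovery document, the sample tokens and the function names are all assumptions or constructed stand-ins; signature verification against the JWKS URL is deliberately left to a JOSE library and is not performed here.

```python
"""Added example: what the Auth0 key manager configuration asks the WSO2
gateway to enforce.  Not code from the article, WSO2 or Auth0.
Step 3: which fields the Import button reads from the openid-configuration
document.  Step 4: the client_credentials request behind the generated cURL.
Step 5: the claim checks behind a 200 OK versus a 401 Unauthorized.
RS256 signature verification against the JWKS URL is NOT done here; do it
with a JOSE library before trusting check_claims()."""
import base64
import json
import time
from urllib.parse import urlencode

AUTH0_DOMAIN = "example-tenant.us.auth0.com"   # placeholder tenant (assumed)
AUDIENCE = "https://localhost:9443"             # API Identifier from Step 2

# Constructed stand-in for https://<domain>/.well-known/openid-configuration
# (only the standard OIDC discovery keys the key manager import needs).
DISCOVERY_DOC = {
    "issuer": f"https://{AUTH0_DOMAIN}/",
    "token_endpoint": f"https://{AUTH0_DOMAIN}/oauth/token",
    "jwks_uri": f"https://{AUTH0_DOMAIN}/.well-known/jwks.json",
}


def key_manager_fields(discovery):
    """Map discovery keys onto the Step 3 form (hypothetical field names)."""
    return {
        "issuer": discovery["issuer"],
        "token_endpoint": discovery["token_endpoint"],
        "certificates_jwks_url": discovery["jwks_uri"],
    }


def build_token_request(client_id, client_secret, audience=AUDIENCE,
                        discovery=DISCOVERY_DOC):
    """Return (url, form body) of the client_credentials call that
    'CURL To Generate Access Token' issues (Step 4)."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    })
    return discovery["token_endpoint"], body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_claims(token, issuer=DISCOVERY_DOC["issuer"], audience=AUDIENCE, now=None):
    """Return a list of problems; an empty list means the claims match the
    key manager configuration.  Run only AFTER the signature has been
    verified against the JWKS URL."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWS"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != "RS256":          # Step 2 fixed the algorithm
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != issuer:           # issuer from the discovery doc
        problems.append(f"unexpected iss {claims.get('iss')!r}")
    aud = claims.get("aud")                   # Auth0 may emit a string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience {audience!r} not in {aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


def make_sample_token(claims, alg="RS256"):
    """CONSTRUCTED token with a dummy signature, for offline illustration only."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    now = int(time.time())
    good = make_sample_token({"iss": DISCOVERY_DOC["issuer"], "aud": AUDIENCE,
                              "iat": now, "exp": now + 3600, "scope": "default"})
    print("valid token    ->", check_claims(good) or "200 OK")
    wrong_aud = make_sample_token({"iss": DISCOVERY_DOC["issuer"], "aud": "https://other",
                                   "iat": now, "exp": now + 3600})
    print("wrong audience ->", check_claims(wrong_aud), "=> 401 Unauthorized")
```

Run it with `python3 auth0_wso2_checks.py`; the audience mismatch case is the most common cause of a 401 after this setup, because the `audience` sent in the token request must equal the API Identifier entered in Step 2 and configured in Step 3.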

Sequence diagram and snippets of the entire process: provided as images in the original article.

