Sunday, March 31, 2013

Domain restrictions for API invocations with WSO2 API Manager

WSO2 API Manager provides OAuth2 bearer token as default authentication mechanism. But as the API providers, there can be situations where they need to restrict users from some domains being invoking their APIs and only allow users from the certain set of domains to invoke their APIs. "Domain restriction feature" added to the WSO2 API Manager provides this capability to API providers.

With the "Domain Restriction" feature, an application key will be associated with a set of domains, and requests from only those specified domains will be allowed through the gateway.

How to use domain restriction feature ?
  • Access allowing domain/domains can be defined at the time, when you generate the application key. It can be either one domain or set of domains. If you are defining set of domains, they should provide as comma separated list in the 'Access Allowing Domains' field in the application key generation UI. If the APIs should not restrict for any domains, then no need to define the 'Access Allowing Domains' field.  

  • Once you define the access allowing domains at the token generate time, later you can modify the domain list. 

  • Client request message should contain a http header to inform his domain. Administrator can configure the header name, which is going to use for domain validation through the api-manager.xml (File located at {APIM_HOME}/repository/conf directory). There is a new element called '<ClientDomainHeader>' is added to the '</APIGateway>' section in the api-manager.xml. 
  • If you define as, <ClientDomainHeader>domain</ClientDomainHeader>, then api invocation request should contain a http header called 'domain'. (Sending this header is not mandatory. It's required only if API access is allowed for certain set of domains).
    • eg: curl -v -H "Authorization: Bearer xxx" -H "domain: wso2.com" http://localhost:8280/twitter/1.0.0/search.atom?q=cat
  • Value of the domain header send with client request is validated against the set of domains defined by the API subscriber. API access will allow only if client domain matches with these domains. Otherwise client will be send a authentication failure message.


4 comments:

  1. What prevents a client from supplying a false "domain" header?

    ReplyDelete
  2. Yes. We could not control client being sending false domain header. But this feature enhance the security, where user needs to know both "accessToken + allowedDomains".

    ReplyDelete
  3. Hi Dinusha,

    Has there been any progress on provide IP level white-listing for APIs?


    Thanks,
    Saqib

    ReplyDelete
  4. Hi Dinusha,

    Has there been any progress on provide IP level white-listing for APIs?


    Thanks,
    Saqib

    ReplyDelete