WSO2 HOW TO : Using OAuth2 Protected Back-ends With API Manager.

Menaka Jayawardena
4 min readMay 26, 2018


Generally with API Management scenarios, we expose our backend APIs as managed and Secured APIs via API Manager. These backend apis can be secured or unsecured. WSO2 API Manager supports back-ends with Basic and Digest OAuth protocols out of the box.

But, if our back-end is secured with OAuth2, how could we make it possible to integrate them with API Manager?

To begin with, I start publishing a new API. (If you are new to API Manager, here is how to publish an API. You can always follow the official documentation for more information and tutorials.)

The API Design Step

In the next step, let’s provide the back-end url and click Next > Manage.

The API Implement Step.

In the Manage step, select a subscription tier and publish the api.

Now, go to the API Store, subscribe to the new api that we have created and invoke it.

{“fault”:{“code”:900902,”message”:”Missing Credentials”,”description”:”Required OAuth credentials not provided. Make sure your API invocation call has a header: \”Authorization: Bearer ACCESS_TOKEN\””}}

(In my example, I have used a the api manager it self as the backend. So, the error would be like the above. But, based on the backed that you use, the error could be different)

Ok, let’s fix this. Here is how the extensibility of API Manager really shines.

API Manager is equipped with Apache Synapse engine, which is the heart of Message mediation in WSO2 EI/ ESB. We are going to write a mediation sequence which generates an access token for our back-end.

The properties, access_token and generated_time are two registry resources which are used to store the token. Let’s create those registry resources.

  1. Login to API Manager carbon console. https://localhost:9443/carbon.
  2. In the Main tab, click on Browse in the Resources section.
  3. Now create a new collection for our API resources. I name it as pizzaOrderingAPI.
  4. Then create 2 resources with the type, text/plain
Adding Registry Resources

Now, as the final step, let’s add our sequence to the API.

  1. Log in to the API Publisher.
  2. Select our api and click on edit.
  3. Go to the Implement tab, and check ‘Enable Message Mediation’.
  4. Upload the sequence as the In-Flow and republish the api.
Sequence is uploaded for In Flow

Now let’s invoke our api again. In this time, we can see that the sequence is now calling the token endpoint to get the token and we receive a proper response.

curl -X GET — header ‘Accept: application/json’ — header ‘Authorization: Bearer 388d26d7–0571–35a6-ba97–8315cad6e9a3’ ‘' -k[2018–05–26 23:34:22,955] DEBUG — wire HTTPS-Listener I/O dispatcher-1 >> “GET /pizza/1.0/menu HTTP/1.1[\r][\n]”
[2018–05–26 23:34:22,956] DEBUG — wire HTTPS-Listener I/O dispatcher-1 >> “Authorization: Bearer 388d26d7–0571–35a6-ba97–8315cad6e9a3[\r][\n]”
[2018–05–26 23:41:04,136] DEBUG — wire HTTPS-Listener I/O dispatcher-1 >> “POST /token HTTP/1.1[\r][\n]”
[2018–05–26 23:41:04,138] DEBUG — wire HTTPS-Listener I/O dispatcher-1 >> “Content-Type: application/x-www-form-urlencoded; charset=UTF-8[\r][\n]”
[2018–05–26 23:41:04,138] DEBUG — wire HTTPS-Listener I/O dispatcher-1 >> “Authorization: Basic eDU1YVdaWV9iVUJtTXY4U3IzOXJMbWdTSmZBYTpOcGNKdUdFM1JQcldlY3NQQ0wwQ2htd2xucmNh[\r][\n]”
[2018–05–26 23:41:04,140] DEBUG — wire HTTPS-Listener I/O dispatcher-1 >> “grant_type=client_credentials[\r][\n]”
[2018–05–26 23:41:04,199] DEBUG — wire HTTPS-Sender I/O dispatcher-1 >> “HTTP/1.1 200 OK[\r][\n]”
[2018–05–26 23:41:04,200] DEBUG — wire HTTPS-Sender I/O dispatcher-1 >> “{“access_token”:”c1900c8c-10f4–3cb8–9c89–077ec35bff49",”scope”:”am_application_scope default”,”token_type”:”Bearer”,”expires_in”:567}”
[2018–05–26 23:41:04,215] DEBUG — wire HTTPS-Sender I/O dispatcher-2 << “GET /pizzashack/1.0.0/menu HTTP/1.1[\r][\n]”
[2018–05–26 23:41:04,215] DEBUG — wire HTTPS-Sender I/O dispatcher-2 << “Authorization: Bearer c1900c8c-10f4–3cb8–9c89–077ec35bff49[\r][\n]”
[2018–05–26 23:41:04,224] DEBUG — wire HTTPS-Sender I/O dispatcher-1 >> “HTTP/1.1 200 OK[\r][\n]”
[2018–05–26 23:41:04,224] DEBUG — wire HTTPS-Sender I/O dispatcher-1 >> “[{“name”:”BBQ Chicken Bacon”,”description”:”Grilled white chicken, hickory-smoked bacon and fresh sliced onions in barbeque sauce”,”price”:”14.99",”icon”:”/images/6.png”},{“name”:”Chicken Parmesan”,”description”:”Grilled chicken, fresh tomatoes, feta and mozzarella cheese”,”price”:”20.99",”icon”:”/images/1.png”},{“name”:”Chilly Chicken Cordon Bleu”,”description”:”Spinash Alfredo sauce topped with grilled chicken, ham, onions and mozzarella”,”price”:”27.99",”icon”:”/images/10.png”},{“name”:”Double Bacon 6Cheese”,”description”:”Hickory-smoked bacon, Julienne cut Canadian bacon, Parmesan, mozzarella, Romano, Asiago and and Fontina cheese”,”price”:”16.99",”icon”:”/images/9.png”},{“name”:”Garden Fresh”,”description”:”Slices onions and green peppers, gourmet mushrooms, black olives and ripe Roma tomatoes”,”price”:”11.99",”icon”:”/images/3.png”},{“name”:”Grilled Chicken Club”,”description”:”Grilled white chicken, hickory-smoked bacon and fresh sliced onions topped with Roma tomatoes”,”price”:”11.99",”icon”:”/images/8.png”},{“name”:”Hawaiian BBQ Chicken”,”description”:”Grilled white chicken, hickory-smoked bacon, barbeque sauce topped with sweet pine-apple”,”price”:”22.99",”icon”:”/images/7.png”},{“name”:”Spicy Italian”,”description”:”Pepperoni and a double portion of spicy Italian sausage”,”price”:”9.99",”icon”:”/images/2.png”},{“name”:”Spinach Alfredo”,”description”:”Rich and creamy blend of spinach and garlic Parmesan with Alfredo sauce”,”price”:”9.99",”icon”:”/images/5.png”},{“name”:”Tuscan Six Cheese”,”description”:”Six cheese blend of mozzarella, Parmesan, Romano, Asiago and Fontina”,”price”:”18.99",”icon”:”/images/4.png”}][\r][\n]”

If you are using WSO2 API Cloud…

You can use the above sequence and configurations as it is in API Cloud as well. But, if you use regional gateways, you have to do some modifications.

The governance and config registry databases are configured as read only in regional gateways. So we would not be able to create the necessary registry artifacts.
In this scenario, we will be using the local registry instead of the governance registry. For this we only have to modify the following property mediator configurations in the above sequence.

(Note the the governance registry has been changed to local registry)

Sequence modifications for Regional gateways.

Hope you enjoy…!!!




Menaka Jayawardena