Open in app

Sign in

Write

Sign in

Image by macrovector on Freepik

B2B App Native Authentication Flow with WSO2 Identity Server 7

Hasini Samarathunga

--

Introduction

If you have tried the API-Based App Native Authentication flow in WSO2 Identity Server 7, you might wonder how it aligns with B2B Customer Identity and Access Management (CIAM) feature.

In this guide, we’ll walk through setting up the WSO2 Identity Server for the API based authentication tailored to B2B applications. By the end, you’ll have a better understanding of how to enable native app access for users within each sub-organization.

Whether you’re new to WSO2 IS or looking to deepen your understanding, this step-by-step guide will help you implement a App Native Authentication flow tailored for a B2B context.

Redirection vs. API-Based Authentication in B2B

First, let’s clarify the difference between the traditional redirection flow and the API-based native flow.

B2B Redirection Flow Diagram

In the redirection flow, users from sub-organizations leverage Single Sign-On (SSO) to access their organization’s resources through OAuth. This workflow involves redirection to authorization endpoints, acquiring authorization codes, exchanging tokens, and securely managing delegated user access.

This is the flow shown through the B2B Use Case mentioned in the official WSO2 B2B documentation.

B2B API-based Authentication Flow Diagram

The API-based native flow is tailored for mobile apps and native clients. Here, the client app makes each API call manually — shown by numbered steps in the diagram below. Dashed lines represent calls managed within the Identity Server.

Setting Up the API-Based Authentication Flow

Now, let’s configure WSO2 IS for a smooth B2B API-based native authentication flow.

Prerequisites

Setting Up WSO2 Identity Server

  1. Obtain the latest build of WSO2 Identity Server from the official GitHub repository: https://github.com/wso2/product-is.

Note: Alternatively, you can use Identity Server 7 with the latest updates available from WSO2 Subscription.

Configuration Steps

Step 1: Configure a New Application

  1. Go to the WSO2 Identity Server management console, create a new application and share the application with sub-organizations.

2. Enable App Native Authentication for the application.

3. Configure the application as a public client under the protocol tab. (Make sure you select the following grant types)

Grant types
Select as public client

Note: Public clients are often discouraged due to their lower security compared to confidential clients. Public clients for API-based authentication require additional security measures, such as client attestation. WSO2 Identity Server supports public clients as an option, but careful consideration should be given based on the application’s security needs.

Step 2: Create a Sub-Organization and User

  1. Create a new organization within WSO2 Identity Server.

2. Switch to this organization and add a user in the sub-organization.

Step 3: Configure B2B App-Native Authentication

With this setup, the user in the sub-organization can now authenticate through the federated authentication flow, similar to what is detailed in the WSO2 documentation on Federated Authentication.

These are the 5 API calls according to the diagram of the B2B App-Native Authentication.

1. Initiate Authorization for Root Organization

Applications initiate app-native authentication using an OAuth 2.0 authorization code request with the below specific parameters:

  • response_mode: Set to "direct"
  • fidp: Set to "OrganizationSSO"
  • orgId: Replace {{organizationId}} with the actual ID of the sub-organization.

Example cURL:

curl --location 'https://localhost:9443/oauth2/authorize' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={{clientId}}' \
--data-urlencode 'response_type=code' \
--data-urlencode 'redirect_uri={{callbackURL}}' \
--data-urlencode 'state=logpg' \
--data-urlencode 'scope=openid internal_login' \
--data-urlencode 'response_mode=direct' \
--data-urlencode 'fidp=OrganizationSSO' \
--data-urlencode 'orgId={{organizationId}}'

Example Response:

2. Initiate Authorization for Sub-Organization

Use the redirect URL generated in the first request to initiate the authorization process for the sub organization. This URL allows the sub-organization’s users to access the application.

Example cURL:

curl --location '{{redirectUrlForSubOrgAuthz}}' \
--header 'Accept: application/json'

Example Response:

3. Authenticate with Sub-Organization Credentials

With the flowId from request 2, make a request to the /o/{{organizationId}}/oauth2/authn endpoint with the username and password of the sub-organization user.

Example cURL:

curl --location 'https://localhost:9443/o/{{organizationId}}/oauth2/authn' \
--header 'Content-Type: application/json' \
--data-raw '{
    "flowId": "{{req-flowId-for-org}}",
    "selectedAuthenticator": {
        "authenticatorId": "QmFzaWNBdXRoZW50aWNhdG9yOkxPQ0FM",
        "params": {
            "username": "{{username}}",
            "password":"{{password}}"
        }
    }
}'

Example Response:

4. Authenticate Using Auth Data Code and State to the Root Organization

Using the flowId from request 1, authData code, and authData state from request 3, authenticate with the sub-organization by calling the /authn endpoint.

Example cURL:

curl --location 'https://localhost:9443/oauth2/authn' \
--header 'Content-Type: application/json' \
--data '{
    "flowId": "{{req-flowId}}",
    "selectedAuthenticator": {
        "authenticatorId": "T3JnYW5pemF0aW9uQXV0aGVudGljYXRvcjpTU08",
        "params": {
            "code": "{{authData_code}}",
            "state":"{{authData_state}}"
        }
    }
}'

Example Response:

5. Retrieve the Access Token

Finally, use the authorization code received in Step 4 to call the /token endpoint and retrieve the access token for the authenticated user.

Example cURL:

curl --location 'https://localhost:9443/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic NkdaZVRnbVhGOWhFRVBnWGptTF96U1JyVnAwYTppcWtUVTVJU1hGdFVrb1NSUHVpeU5aelNoRjFFUGl0TUM3c0tvWFZiZjFBYQ==' \
--data-urlencode 'code={{authz_code}}' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri={{callbackURL}}'

Example Response:

Once you have retrieved the access token in the final step, this token can be used to access protected resources and APIs within your application on behalf of the authenticated user. The token should be included in the Authorization header (formatted as Bearer <access_token>) for each subsequent API request. Ensure that the token is securely stored on the client side, and implement a secure process for refreshing or revalidating it when it expires.

With the token in hand, your application is now ready to facilitate seamless and secure access to resources across B2B sub-organizations!

Conclusion

By following the above steps, you’ve successfully set up a B2B API-based app-native authentication flow with WSO2 Identity Server 7. This can be used to enable secure and user-friendly login experiences for mobile and native clients in each sub-organization.

--

--

Hasini Samarathunga
Hasini Samarathunga

Written by Hasini Samarathunga

135 Followers
74 Following

Software Engineer at WSO2

No responses yet