Capabilities exercised
The demo is shaped to exercise as much of each WSO2 product as possible without contrived scenarios.
WSO2 Identity Server
| Capability | How the demo exercises it |
|---|---|
| OIDC Auth Code + PKCE | labops-web SPA login |
| OIDC client_credentials | labops-cli for partner M2M |
| OIDC refresh tokens | SPA token renewal |
| Scopes | tickets:read, tickets:write, tickets:admin, assets:admin |
| Roles & groups | UI varies by role; admin scope checks role |
| Self-registration | Open sign-up flow on the login screen |
| Federated login | "Sign in with Google" |
| MFA (TOTP) | Required when accessing admin scope |
| Adaptive auth | Script-based: only enforce MFA when admin scope is requested |
| SCIM 2.0 | "My Profile" page in SPA reads/updates via /scim2/Me |
| IS as APIM Key Manager | Bearer tokens issued by IS validate at APIM gateway |
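
The "Adaptive auth" row above, as an added example rather than the demo's own script: a WSO2 IS adaptive authentication script that runs the TOTP step only when an admin scope is requested. The scope names come from the table. `needsMfa`, `requestedScopes`, and the step layout (step 1 = login, step 2 = TOTP) are assumptions.

```javascript
// Added example, not the demo's script. Assumed step layout:
// step 1 = basic or federated login, step 2 = TOTP.
var ADMIN_SCOPES = ['tickets:admin', 'assets:admin'];

// OAuth2 scope is one space-delimited string. IS exposes request parameters
// as arrays of strings, so accept a plain string or an array-like value.
function requestedScopes(scopeParam) {
    if (!scopeParam) { return []; }
    var parts = [];
    if (typeof scopeParam === 'string') {
        parts.push(scopeParam);
    } else {
        for (var i = 0; i < scopeParam.length; i++) {
            parts.push(String(scopeParam[i]));
        }
    }
    return parts.join(' ').split(/\s+/).filter(function (s) {
        return s.length > 0;
    });
}

// True only when a requested scope token equals an admin scope exactly.
function needsMfa(scopeParam) {
    return requestedScopes(scopeParam).some(function (s) {
        return ADMIN_SCOPES.indexOf(s) !== -1;
    });
}

// Entry point called by IS for each login request.
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            if (needsMfa(context.request.params.scope)) {
                executeStep(2); // TOTP only for admin-scope requests
            }
        }
    });
};
```

Scopes are compared as whole tokens, so a value that merely contains an admin scope name as a substring does not change the decision.
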
WSO2 API Manager
| Capability | How the demo exercises it |
|---|---|
| Multi-API publishing | tickets-api, assets-api, plus a public read API |
| API versioning | v1 and v2 of tickets-api published side-by-side |
| OAuth2 + scopes | Each operation gates on a scope |
| API Key | One public read endpoint uses API Key only |
| Throttling tiers | Bronze / Silver / Gold subscription tiers, plus partner tier |
| Mediation policies | assets-api adds a correlation ID header, transforms response |
| Response caching | tickets-api GET cached for 60s |
| Backend authentication | Gateway → backend uses Basic auth |
| DevPortal subscriptions | Self-service: app → tier → key |
| Analytics | All of the above land on the ELK dashboards |
WSO2 Micro Integrator
| Capability | How the demo exercises it |
|---|---|
| Scheduled tasks | gitlab-sync polls GitLab issues hourly into the tickets DB |
| Connectors | GitLab connector (issues), DB connector (Postgres write) |
| Transformation | GitLab issue → tickets schema (JSONPath + payload factory) |
| Webhook fan-out | notifications integration fans out ticket events to multiple sinks |
| Retry + DLQ | notifications uses message store with retry policy and DLQ |
| HTTP API | MI exposes /api/notifications/subscribe for webhook registration |
Out of scope
Choreo, Asgardeo, GraphQL, SOAP, monetization, BPMN workflows, AI gateway, multi-Key-Manager federation, and B2B/multi-tenancy in IS — left out because they'd need contrived scenarios.