Tuesday, November 27, 2012

Generate Application Tokens & User Tokens from WSO2 API Manager

WSO2 API Manager provides a complete solution for publishing APIs, creating and managing a developer community, and routing API traffic at scale. If you are already familiar with this product, you are familiar with one of its basic components, the 'API Store'.

A deployed API Store gives all third-party and internal API consumers a single place to browse the available APIs and subscribe to the ones they want. A consumer who follows the subscription process of this store-front UI will notice that it subscribes a selected set of APIs to an application and ends by generating three values adhering to the OAuth 2.0 spec: an access token, a consumer key and a consumer secret.
In other words, an application developer (say John, a mobile app developer) selects the APIs his application needs and subscribes to them from an application he has created in the store. As the result of this subscription, John gets an application access token, which he can use to invoke the subscribed APIs while developing the application, and two further values, the Consumer Key and Consumer Secret, which come into play when the application's users (the third-party users of John's mobile app) log in through his app.




Now you will have an important question about the above. The store-front helps app developers find, select and subscribe to the available APIs that suit their applications, but how does a developer handle authentication of his application's users with the help of WSO2 API Manager? The answer is that WSO2 API Manager exposes a separate endpoint for exactly this requirement, called the 'Login API'.



This is deployed as a separate pre-defined API in API Manager, and it calls an OAuth endpoint to generate access tokens. You can view the source of the 'Login API' in the API Manager carbon console under Manage -> Service Bus -> APIs.



The app has to be implemented as follows. First, the app stores the consumer key and secret generated for it in the store-front. Then, when an app user tries to log in, the app sends a request to the Login API endpoint above carrying the user's username/password together with the app's consumer key/secret. For each successful request the Login API returns a user access token, a refresh token and an expiry time for the token. The app then presents the returned user access token on its calls to the subscribed APIs; the gateway validates the token on each call, and the app user is thereby authenticated to the functions of the app. Keep in mind that a consumer secret embedded in a distributed mobile app can be extracted from the binary, so it identifies the app rather than strongly authenticating it; the user access token is what protects the user's calls, and it should be stored no less carefully than a password.

The steps below show how to send a curl request to the 'Login API'. The app developer can implement sending this request and handling the response as part of the app.
  1. Get the Consumer Key and Consumer Secret generated for the app from the API Store and combine them as "consumerKey:consumerSecret".
  2. Base64-encode that combined value. Do this locally with the base64 tool of your OS rather than with an online encoder such as base64encode.org: the consumer secret is a credential, and base64 is an encoding, not encryption, so it should never be pasted into a third-party website.
  3. Set the encoded value as the Authorization header of the request. The authorization type for this request is 'Basic'.
  4. Pass the username and password as form parameters (application/x-www-form-urlencoded) in the POST body, together with grant_type=password and the scope. Passwords containing '&', '=' or '%' must be URL-encoded.
  5. The complete sample curl request is as below.
curl -k -d "grant_type=password&username=xxxx&password=xxxxx&scope=PRODUCTION" -H "Content-Type:application/x-www-form-urlencoded" -H "Authorization:Basic Base64EncodedValue(ConsumerKey:ConsumerSecret)" https://localhost:8243/login

Note that -k tells curl to skip TLS certificate verification. That is acceptable against the self-signed certificate of a local test server, but a real app must verify the gateway certificate; otherwise the username, password and consumer secret could be handed to an impostor.

The curl request above returns a user access token, a refresh token and an expiration time for the token.
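The same request, implemented on the app side as an added example (this is not code from the original post or from WSO2). It assumes the Login API endpoint https://localhost:8243/login from the post and a standard OAuth 2.0 token response with the fields access_token, refresh_token and expires_in; the consumer key/secret, the CA bundle path and the sample response below are constructed for illustration. It builds the Basic header locally, URL-encodes the form body so awkward passwords survive, verifies the TLS certificate instead of passing -k, and turns the relative expires_in into an absolute expiry so the app knows when to refresh.

```python
"""Client-side helper for the API Manager 'Login API' (OAuth 2.0 password grant).

Added example, not code from the original post or from WSO2. Assumes the
/login endpoint from the post and a standard OAuth 2.0 token response
(access_token, refresh_token, expires_in). Key, secret, CA path and the
sample response are constructed for illustration.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

LOGIN_URL = "https://localhost:8243/login"  # endpoint given in the post


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Build the 'Authorization: Basic ...' value locally.

    Never paste a real consumer secret into a web-based encoder: the secret is
    a credential, and base64 is an encoding, not encryption.
    """
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username: str, password: str, scope: str = "PRODUCTION") -> str:
    """URL-encode the form body; urlencode escapes '&', '=' and '%' in the password."""
    return urllib.parse.urlencode(
        {"grant_type": "password", "username": username,
         "password": password, "scope": scope}
    )


def parse_token_response(body: str, now: float) -> dict:
    """Turn the JSON token response into a record the app can store.

    expires_in is relative (seconds); store an absolute expiry so the app can
    decide later whether it must refresh before calling a subscribed API.
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint returned an error: {data.get('error', body)}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data["expires_in"]),
    }


def token_is_expired(record: dict, now: float, skew: int = 30) -> bool:
    """Treat the token as expired `skew` seconds early to absorb clock drift."""
    return now + skew >= record["expires_at"]


def request_user_token(consumer_key, consumer_secret, username, password, cafile):
    """Send the password grant over TLS with certificate verification.

    `cafile` (assumed path) is the CA bundle that signed the gateway
    certificate; this replaces curl's -k, which disables verification and
    must not ship in an app.
    """
    req = urllib.request.Request(
        LOGIN_URL,
        data=password_grant_body(username, password).encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(consumer_key, consumer_secret),
        },
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.read().decode("utf-8"), time.time())


# Constructed sample response in the shape the post describes (not captured from a server).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "a1b2c3d4e5f6",
    "refresh_token": "f6e5d4c3b2a1",
    "expires_in": 3600,
    "token_type": "bearer",
})

if __name__ == "__main__":
    print(basic_auth_header("myConsumerKey", "myConsumerSecret"))
    print(password_grant_body("john", "p&ss=word"))
    rec = parse_token_response(SAMPLE_RESPONSE, now=1000.0)
    print(rec, token_is_expired(rec, now=1000.0), token_is_expired(rec, now=4580.0))
```

When a live call is wanted, `request_user_token("myConsumerKey", "myConsumerSecret", "john", "secret", "/path/to/gateway-ca.pem")` performs the POST; the offline helpers are the parts worth unit-testing, because the header encoding and the expiry arithmetic are where client implementations usually go wrong.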

3 comments:

  1. Hello Lalaji,

    I followed your post with my API Manager 1.0.0 and I receive a 403 error code "No matching resource found in the API for the given request".
    But I tried the same in API Manager 1.3.1 and it worked fine.

    Any idea?

    Thanks in advance.

  2. Hi Valentin,

    Did you get this 403 error when invoking a separate API using the above generated user token, or when calling the above mentioned login API?

  3. Great post, thank you. API Key Generation & Access Control.
    Out-of-the-box API key management and provisioning for secured API Access Control with 3scale.
    http://www.3scale.net/api-key-generation-access-control-lp/
