Differentiating the generated Access Token from the Consumer Key/Consumer Secret in WSO2 API Manager

This blog post focuses on the API subscription process through the API Store, as described here.
Say an organization runs a hosted WSO2 API Store instance. An app developer logs in to the API Store as an API subscriber and browses the available APIs. When he decides to use a set of APIs from an external application he is developing (for example a mobile or web-based application), he first creates an application in the API Store that represents that app, and then subscribes each API he needs to that application.

When the developer subscribes an API to an application, the following three values are generated for that application. Importantly, these values are generated according to the OAuth2 specification.

  • Access Token
The OAuth2 token that can be used to authenticate an API invocation. This token is intended for the app developer alone (unless he shares it with others, e.g. third-party users of his mobile app) to use for API invocations from his application. Note that the token is valid only for the APIs subscribed to that application through the API Store.

  • Consumer Key & Consumer Secret
The generated consumer key and secret are for use by the client application (the developer's app). Their purpose is to authenticate the app's own consumers against the APIs the app consumes. For example, an application consumer logs in to the developed mobile app.
To continue with the app's functions (which are backed by the subscribed APIs), the logged-in app user needs an access token. One option is for the app developer to share his generated application access token with all app consumers. This is not a good approach, for several reasons: if the access token expires, access fails for all users at once; if one consumer turns out to be malicious, the token cannot be revoked for that user alone; and API invocation statistics cannot be distinguished per user. The better approach is therefore a separate access token for each app user.
       
This is where the consumer key and secret come in. These two values are used to generate per-user tokens. The app developer embeds them in his application, and WSO2 API Manager exposes a REST endpoint (the OAuth2 token endpoint) that issues such user tokens when called with the consumer key/secret, as described here. The app developer therefore adds the client-side implementation that calls this endpoint, passing the consumer key/secret (together with the end user's own credentials, as the OAuth2 grant requires), and receives a token bound to that user. One caveat that follows from OAuth2 itself: a secret compiled into a mobile or browser-side app can be extracted by anyone who has the binary, so such an app is a public client and the consumer secret alone should not be relied on as proof of the app's identity.
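As an added example (not code from the original post or from WSO2), the following Python builds the per-user token request described above the way the OAuth2 resource-owner password grant (RFC 6749 section 4.3) specifies it: the consumer key and secret go in an HTTP Basic header as the client credentials, the end user's username and password go in the form body, and the returned access token is then the only credential sent on API calls. Everything runs offline: the token endpoint URL, the consumer key/secret, the user credentials and the token response are constructed values, not taken from the post or from a real deployment.

```python
"""Password-grant token request against an OAuth2 token endpoint such as the
one WSO2 API Manager exposes. Built entirely offline: no network calls.

All endpoint URLs, keys, credentials and responses below are constructed for
this example; they are not taken from the original post or from WSO2."""
import base64
import json
import time
from urllib.parse import urlencode

# Constructed example values (assumed; not real credentials or a real host).
TOKEN_ENDPOINT = "https://localhost:8243/token"
CONSUMER_KEY = "app-consumer-key"
CONSUMER_SECRET = "app-consumer-secret"


def client_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1):
    'Basic ' + base64(consumer_key ':' consumer_secret)."""
    raw = f"{consumer_key}:{consumer_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_user_token_request(consumer_key, consumer_secret, username, password):
    """Return (headers, body) for a resource-owner password-credentials grant.
    The app authenticates itself with the consumer key/secret, and the end
    user's credentials go in the form body; the issued token is bound to that
    user, which is what makes per-user expiry, revocation and statistics
    possible instead of one shared application token."""
    headers = {
        "Authorization": client_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    })
    return headers, body


def parse_token_response(raw_json: str, now: float) -> dict:
    """Parse a token endpoint response (RFC 6749 section 5.1) into a record
    that remembers the absolute expiry time, computed from expires_in.
    An error response (RFC 6749 section 5.2) raises ValueError."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError(data.get("error", "no access_token in response"))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "scope": data.get("scope"),
        "expires_at": now + float(data.get("expires_in", 0)),
    }


def is_expired(token: dict, now: float) -> bool:
    """True once the token's lifetime has elapsed; the app should then
    refresh or re-request a token for this user only, not for everyone."""
    return now >= token["expires_at"]


def api_invocation_headers(token: dict) -> dict:
    """Headers for calling a subscribed API. Only the bearer access token is
    sent; the consumer key/secret never appear on an API invocation."""
    return {"Authorization": "Bearer " + token["access_token"]}


# Constructed sample response in the JSON shape an OAuth2 token endpoint returns.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "constructed-refresh-token",
    "access_token": "constructed-user-access-token",
    "scope": "default",
})


if __name__ == "__main__":
    headers, body = build_user_token_request(
        CONSUMER_KEY, CONSUMER_SECRET, "alice", "alice-pw")
    print("POST", TOKEN_ENDPOINT)
    print(headers)
    print(body)
    issued = time.time()
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, issued)
    print(api_invocation_headers(tok))
    print("expired after two hours?", is_expired(tok, issued + 7200))
```

The split of responsibilities is the point of the post: `build_user_token_request` is the only place the consumer secret is used, and `api_invocation_headers` shows that an API call carries nothing but the user's bearer token. Because each user holds a distinct token, an expired or revoked token affects that user alone.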

In summary, only access tokens (the application token generated at subscription time, and the per-user tokens obtained from the token endpoint) can be used directly to authenticate API invocations, while the consumer key and secret exist only to obtain such OAuth2 tokens.
