Thursday, June 13, 2013

What happens during token generation and token validation in WSO2 API Manager

WSO2 API Manager is a complete solution for publishing APIs, creating and managing a developer community, and scalably routing API traffic. It leverages proven, production-ready integration, security and governance components from the WSO2 Enterprise Service Bus, WSO2 Identity Server, and WSO2 Governance Registry. In addition, as it is also powered by the WSO2 Business Activity Monitor, the WSO2 API Manager is ready for massively scalable deployment immediately.

Token generation

Token generation happens through the token API. Older versions of API Manager used /login for this; now you can use /authorize or /token for the same purpose.
When we generate a user access token to access APIs we need to pass the consumer key/secret pair and the user's credentials (username and password).
As part of the user token generation process we can retrieve the claims associated with the user (such as email, address and so on).
We can use this feature to get whatever additional information we need.
We can modify the configuration and define the claim names we need, and those claim values will be returned as headers of the token generation response message.
I have described this in more detail here.
Please note that we are not generating a JWT as part of the token generation process. If you need to do that as part of token generation, you need to add an additional handler and implement the JWT generation logic inside it.

Token validation process during API invocation

This happens when a user calls an API with an access token (it could be a user access token or an application access token).
During this call we generate a JWT as part of the validation process.
The fields available inside the JWT are hard coded at the moment, and new fields cannot be added through configuration.
If you need to add a new value to the JWT you can use an API extension handler to do that; there, too, you need to write custom code in a new handler to add the new parameters to the JWT.
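As an added example (not code from the post or from WSO2), the two steps described above in one small Python module: building the password-grant request that carries the consumer key/secret pair and the user credentials, reading the claim values returned as response headers, and creating and verifying the JWT that the validation step emits. The token URL, the claim header names, and the use of an HS256 shared key are assumptions for illustration only; the real gateway signs with its own key pair and its field set is fixed, as the post says.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Hypothetical endpoint; the host, port and path are not taken from the post.
TOKEN_URL = "https://localhost:8243/token"

def build_token_request(consumer_key, consumer_secret, username, password):
    """(url, headers, body) for a password-grant call: app credentials in Basic
    auth, user credentials in the form body, so this must only go over TLS."""
    basic = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return TOKEN_URL, headers, body

def claims_from_response_headers(headers, claim_names):
    """Pull the claim values the server was configured to emit as response headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: lowered.get(name.lower()) for name in claim_names}

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_jwt(claims, key):
    """HS256 JWT like the one a gateway builds after validating an access token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token, key, now=None):
    """Claims if the signature and expiry check out, else None (untrusted)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # reject alg=none and algorithm-confusion attempts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now or time.time()):
        return None  # a missing exp is treated as expired
    return claims
```

A backend that receives the JWT should only trust claims that come back from verify_jwt, never values parsed straight out of the payload segment.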
