APIM 2.0.0 supports OAuth 2.0 based security for APIs (with JWT support) out of the box, and we can use it to secure services. Let me explain how. Consider how a mobile client application can use those secured APIs.
- The user logs into the system (using multi-step authentication, including OTP etc.). If we are using SAML SSO, a native application needs browser-based redirection.
- Once the user is authenticated, we can use the same SAML assertion to obtain an OAuth 2.0 access token on behalf of the logged-in user and the application (which authenticates both the user and the client application).
- We then use this token for all subsequent service calls.
- When requests reach the API gateway, we fetch the user information from the token and send it to the back end.
- At the gateway we can also do resource permission validation.
- If we need extended permission validation, we can do that as well before the request is routed to the core services.
- So an internal service can be invoked only if the user is authenticated and authorized to invoke that particular API.
This complete flow can be implemented using WSO2 API Manager and Identity Server.
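As an added illustration of the gateway-side steps above (validate the token, check the resource permission, forward only verified user information to the back end), here is a standalone Python sketch; it is not WSO2 API Manager code. It assumes an HS256 shared key as a stand-in for the key manager's signing key, and the `POLICY` table, claim names and `X-Authenticated-*` headers are hypothetical.

```python
import base64, hmac, hashlib, json, time

# Constructed demo key and role-to-resource policy (placeholders, not APIM configuration).
GATEWAY_KEY = b"constructed-demo-secret"
POLICY = {
    ("GET", "/orders"): {"customer", "admin"},
    ("POST", "/orders"): {"customer", "admin"},
    ("DELETE", "/orders"): {"admin"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = GATEWAY_KEY) -> str:
    """Issue an HS256 JWT; stands in for the token obtained via the SAML assertion."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = GATEWAY_KEY, now=None) -> dict:
    """Return the claims if signature and expiry check out, otherwise raise."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims

def gateway_authorize(token: str, method: str, resource: str, now=None) -> dict:
    """Validate the token, check resource permission, build headers for the back end."""
    claims = verify_token(token, now=now)
    allowed = POLICY.get((method, resource), set())
    if not allowed & set(claims.get("roles", [])):
        raise PermissionError(f"{claims.get('sub')} may not {method} {resource}")
    # Only gateway-verified user information reaches the internal service.
    return {"X-Authenticated-User": claims["sub"],
            "X-Authenticated-Roles": ",".join(claims["roles"]),
            "X-Client-Id": claims.get("client_id", "")}
```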