Different Token Types and their Usages - WSO2 API Manager


Different token types and their usages

This section discusses the different token types and their usages in detail. Whenever a user creates an application to consume APIs, they choose the application's token type: JWT or OAuth 2.0 (opaque). Which type to select depends on the requirements described below.

JWT token retrieval process and use for API invocation

WSO2 API Manager 3.0.0 adds JWT authentication as an alternative way of invoking APIs: it supports self-contained, signed JWT access tokens as API credentials. When an API is secured with the OAuth2 security scheme, the JWT tokens issued to users from the Developer Portal can be used to invoke it.
Figure - Security Flow


First obtain a JWT from the token endpoint of WSO2 Identity Server (or of API Manager itself) using the password grant type. The curl command below requests one:

curl -u "<consumer_key>:<consumer_secret>" -k -d "grant_type=password&username=testuser&password=testuser" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

Replace <consumer_key>:<consumer_secret> with the client credentials of the service provider configured in WSO2 Identity Server. The -k flag disables TLS certificate verification; it is only acceptable against a local instance with a self-signed certificate and should be dropped once the endpoint presents a trusted certificate. The token endpoint returns the JWT as the access_token, in a response similar to the one below.


{
  "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqb2huZG9lQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJpcGtXTnlGMWZYdTRNYlNoRTZ2YUpHTkdrRElhIl0sImF6cCI6Imlwa1dOeUYxZlh1NE1iU2hFNnZhSkdOR2tESWEiLCJpc3MiOiJhcGltLWlkcCIsImV4cCI6MTUyODM2ODEwMCwiaWF0IjoxNTI4MzY0NTAwLCJqdGkiOiIxOTQxYmY5YS1jMTJkLTQ3NjYtOTMzMi02ZTg1YTNlNzI2MTIifQ.MiAZkGcOrog6KKYs5V1zED_ojQVs0vxZyFjPVjk29CPATaAEgpmH2Rq56kHJqhE3uQk4oSgMDJzp-Zk2CNPIRJYzy8pJaeP-gEE54NvRfDe1WHZJl72AAtEz9wEIQiKxkI4ZFdMlsnqmIdv8c0_lEfU4BXpH8Uho_Vatsvklv54WLEbSvHzf3M-0dioRnBDEf7xsImkcTGEsbulcKMNw9DOQFxlGLUv7r-qJIh9NUNlf0V7vXE9lVPaBSS8YDGKsjOV-PqnMAtmF6uL4eN36vcqMT5QP0C0s3pFJdz_YxEoN8xnrEn8_UNiJlZ-IxWooRFqQxFJri7fd4hlveoAKIQ",
  "refresh_token": "f723c75a-dd06-3b5e-99a6-b5291f3cab28",
  "token_type": "Bearer",
  "expires_in": 3600
}



OAuth 2.0 token retrieval process and use for API invocation

OAuth 2.0 (Open Authorization) is an open standard for access delegation: a client obtains an access token and presents it to the resource server in place of the user's credentials, which makes it a token-based authorization framework rather than an authentication protocol (authenticating the user is the authorization server's job, or that of OpenID Connect layered on top of it). The standard is used by many technology providers, such as Google, Facebook, and Twitter. With OAuth 2.0, access to a protected resource is granted by an access token for a limited period of time; once that access token expires, the consumer must use the refresh token (or the token endpoint again) to obtain a new one.

By default, WSO2 API Manager's key manager component handles all token-related operations. It decouples the creation of OAuth applications from access token validation in the OAuth 2.0 flow, so a third-party authorization server can be plugged in for key validation if needed (for example WSO2 Identity Server, or any other server that implements the standard OAuth 2.0 protocol).
Figure - API Gateway processing flow


When a request reaches the API Gateway (that is, when an API is consumed), the gateway validates the access token with the key manager. The request is forwarded to the backend endpoint only if the token is valid, which ensures that services exposed via APIs can be consumed only by authorized parties.
Figure - Security Flow
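The opaque-token path described above, modelled in Go as an added example (this is not WSO2 gateway code): a stand-in key manager that owns the tokens, and a gateway that consults its key validation cache first and calls the key manager only on a miss. The token value, the application details, the 15-minute cache TTL and the choice to cache negative results are assumptions of this example rather than API Manager's configuration. The point it makes is the one hidden in "when cache missed" below: a token revoked at the key manager keeps working at the gateway until its cached entry expires.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Validation is what the key manager returns for an opaque token: whether it is live, plus
// the subscription details the gateway needs (none of this is readable from the token itself).
type Validation struct {
	Valid       bool
	ConsumerKey string
	Subscriber  string
	Expires     time.Time
}

// KeyManager stands in for the component that issued the tokens; it alone can validate them,
// and revocation is simply deleting the entry.
type KeyManager struct {
	tokens map[string]Validation
}

func (km *KeyManager) Validate(token string, now time.Time) Validation {
	v, ok := km.tokens[token]
	if !ok || now.After(v.Expires) {
		return Validation{}
	}
	return v
}

func (km *KeyManager) Revoke(token string) { delete(km.tokens, token) }

type cacheEntry struct {
	v       Validation
	expires time.Time
}

// Gateway keeps a key validation cache so the key manager is only called on a miss. TTL is the
// cache lifetime, and therefore also the window in which a token revoked at the key manager
// keeps working at this gateway.
type Gateway struct {
	KM    *KeyManager
	TTL   time.Duration
	cache map[string]cacheEntry
	Calls int // round trips to the key manager, to make hits and misses visible
}

func NewGateway(km *KeyManager, ttl time.Duration) *Gateway {
	return &Gateway{KM: km, TTL: ttl, cache: map[string]cacheEntry{}}
}

// Authorize decides whether a request carrying token may reach the backend.
func (g *Gateway) Authorize(token string, now time.Time) error {
	e, hit := g.cache[token]
	if !hit || now.After(e.expires) {
		g.Calls++ // cache miss: a network round trip to the key manager
		e = cacheEntry{v: g.KM.Validate(token, now), expires: now.Add(g.TTL)}
		// Negative results are cached as well (an assumption of this example), so a flood of
		// guessed tokens cannot turn into a flood of key manager calls.
		g.cache[token] = e
	}
	if !e.v.Valid {
		return errors.New("invalid, expired or unknown token")
	}
	return nil
}

// RunScenario issues one token, authorizes with it twice (a miss, then a hit), revokes it at
// the key manager, and shows the gateway still accepting it until the cached entry expires.
func RunScenario() (calls int, acceptedAfterRevoke, rejectedAfterTTL bool) {
	const tok = "f9d6b4f1-1c2e-4f6a-9b2c-0b8b5a0e7d11" // constructed opaque token value
	now := time.Now()
	km := &KeyManager{tokens: map[string]Validation{tok: {
		Valid: true, ConsumerKey: "ipkWNyF1fXu4MbShE6vaJGNGkDIa", // consumer key seen in the sample JWT
		Subscriber: "johndoe@carbon.super", Expires: now.Add(time.Hour)}}}
	gw := NewGateway(km, 15*time.Minute) // cache TTL is an assumption, not APIM's default
	gw.Authorize(tok, now)                  // miss: key manager consulted
	gw.Authorize(tok, now.Add(time.Minute)) // hit: served from the cache
	calls = gw.Calls
	km.Revoke(tok)
	acceptedAfterRevoke = gw.Authorize(tok, now.Add(2*time.Minute)) == nil // still inside the TTL
	rejectedAfterTTL = gw.Authorize(tok, now.Add(16*time.Minute)) != nil   // entry expired: key manager asked again
	return calls, acceptedAfterRevoke, rejectedAfterTTL
}

func main() {
	calls, stale, later := RunScenario()
	fmt.Printf("key manager calls for two requests: %d\nrevoked token still accepted from cache: %v\nrejected after the cache entry expired: %v\n", calls, stale, later)
}
```

The cache is what makes the opaque design scale at all, and it is also why "revoke at the key manager" is not instantaneous at the gateway: shortening the TTL tightens the revocation window at the cost of more key manager calls, which is exactly the trade-off the table below is about.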


From API Manager 3.0.0 onward, a JWT is returned as the default token type; before 3.0.0 the default was an opaque OAuth 2.0 token. The table below lists the characteristics of both token types and what they mean in practice.

JWT vs. OAuth 2.0 (opaque) tokens

Token revocation
  JWT: Possible, but because the gateway never calls the key manager, revocations have to be pushed to it: through a JMS topic subscription, or through etcd in the case of the Microgateway. A gateway that misses the notification keeps accepting the token until it expires.
  OAuth 2.0: No extra mechanism needed; the gateway validates against the key manager whenever its cache misses, so a revoked token is rejected as soon as its cached validation entry expires.

Certificate management
  JWT: The gateway must hold the public certificate matching the private key the key manager signs with (in a default deployment both components share the same keystore). Rotating that signing key means updating every gateway.
  OAuth 2.0: Not needed; validation is a service call to the key manager.

Performance
  JWT: Signature verification costs some CPU, but there are no service calls or other external communication.
  OAuth 2.0: Depends on the key validation flow: network latency and the key manager's processing speed.

External dependency
  JWT: The gateway validates the JWT by itself and does not need to communicate with the key manager.
  OAuth 2.0: The gateway has to call the key manager to validate the access token.

Client implementation
  JWT and OAuth 2.0: Token generation and management are almost the same for both types; the client obtains the token from the token endpoint and presents it as a bearer token in the same way.

Scaling
  JWT: The gateway has no runtime dependency on an external component such as the key manager, so it can scale on its own.
  OAuth 2.0: The gateway depends on the key manager, so scaling the gateway means scaling the key manager as well.
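The following Go program is an added illustration, not code from WSO2's gateway, and covers both the JWT retrieval shown earlier and the JWT column of the table. It decodes the claims of the sample token returned by the curl call (signature excluded, since the issuer's public key is not on this page), then plays the whole flow offline with a freshly generated RSA key: the key manager side signs an RS256 token with the same claim layout, and the gateway side validates it without any service call, pinning the algorithm, checking the signature, issuer, audience (the application's consumer key) and expiry, and consulting a revoked-jti set that stands in for the revocation notifications a real gateway receives over the JMS topic or etcd. The key, the jti values and the 30-second clock skew are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the payload fields the gateway checks; the sample token above also carries azp and iat.
type Claims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"` // WSO2 emits aud as a JSON array holding the consumer key
	Iss string   `json:"iss"`
	Exp int64    `json:"exp"`
	Jti string   `json:"jti"`
}

// PageToken is the access_token from the sample response above. Its claims can be inspected,
// but its signature cannot be checked here: the issuer's public key is not on the page.
const PageToken = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqb2huZG9lQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJpcGtXTnlGMWZYdTRNYlNoRTZ2YUpHTkdrRElhIl0sImF6cCI6Imlwa1dOeUYxZlh1NE1iU2hFNnZhSkdOR2tESWEiLCJpc3MiOiJhcGltLWlkcCIsImV4cCI6MTUyODM2ODEwMCwiaWF0IjoxNTI4MzY0NTAwLCJqdGkiOiIxOTQxYmY5YS1jMTJkLTQ3NjYtOTMzMi02ZTg1YTNlNzI2MTIifQ.MiAZkGcOrog6KKYs5V1zED_ojQVs0vxZyFjPVjk29CPATaAEgpmH2Rq56kHJqhE3uQk4oSgMDJzp-Zk2CNPIRJYzy8pJaeP-gEE54NvRfDe1WHZJl72AAtEz9wEIQiKxkI4ZFdMlsnqmIdv8c0_lEfU4BXpH8Uho_Vatsvklv54WLEbSvHzf3M-0dioRnBDEf7xsImkcTGEsbulcKMNw9DOQFxlGLUv7r-qJIh9NUNlf0V7vXE9lVPaBSS8YDGKsjOV-PqnMAtmF6uL4eN36vcqMT5QP0C0s3pFJdz_YxEoN8xnrEn8_UNiJlZ-IxWooRFqQxFJri7fd4hlveoAKIQ"

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// DecodeClaims parses the payload WITHOUT checking the signature: fine for inspection or
// logging, never for an authorization decision (that is Gateway.Validate's job).
func DecodeClaims(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	raw, err := enc.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

// SignRS256 mints a token the way the key manager does: RSASSA-PKCS1-v1_5 with SHA-256
// over base64url(header) "." base64url(payload).
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Gateway holds what self-validation needs: the key manager's public key (from the shared keystore),
// the expected issuer, the subscribed application's consumer key, and the jti values revoked so far
// (pushed to the gateway over the JMS topic, or etcd for the Microgateway).
type Gateway struct {
	PubKey      *rsa.PublicKey
	Issuer      string
	ConsumerKey string
	Revoked     map[string]bool
}

const skew = 30 // tolerated clock difference between key manager and gateway, in seconds (assumed)

// Validate runs the checks the gateway applies before a request may reach the backend.
func (g *Gateway) Validate(token string, now time.Time) (Claims, error) {
	c, err := DecodeClaims(token) // structure only; nothing below trusts c until the signature checks out
	if err != nil {
		return Claims{}, err
	}
	parts := strings.Split(token, ".")
	// Pin the algorithm before looking at the signature: honouring whatever the header says
	// ("none", or an HMAC alg keyed with the public key) is the classic JWT mistake.
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("rejected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(g.PubKey, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	switch {
	case c.Iss != g.Issuer:
		return Claims{}, fmt.Errorf("unexpected issuer %q", c.Iss)
	case !contains(c.Aud, g.ConsumerKey):
		return Claims{}, errors.New("token was not issued to this application")
	case now.Unix() > c.Exp+skew:
		return Claims{}, errors.New("token expired")
	case g.Revoked[c.Jti]:
		return Claims{}, errors.New("token revoked")
	}
	return c, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// RunScenario plays the flow offline with a freshly generated key: the key manager issues a token,
// the gateway accepts it, then expired, tampered, alg=none and revoked variants are tried.
func RunScenario() (map[string]bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	const app = "ipkWNyF1fXu4MbShE6vaJGNGkDIa" // consumer key carried in the sample token's aud
	now := time.Now()
	c := Claims{Sub: "johndoe@carbon.super", Aud: []string{app}, Iss: "apim-idp", Exp: now.Add(time.Hour).Unix(), Jti: "demo-jti-1"}
	token, err := SignRS256(key, c)
	if err != nil {
		return nil, err
	}
	gw := &Gateway{PubKey: &key.PublicKey, Issuer: "apim-idp", ConsumerKey: app, Revoked: map[string]bool{}}
	accepts := func(tok string, at time.Time) bool {
		_, err := gw.Validate(tok, at)
		return err == nil
	}
	parts := strings.Split(token, ".")
	c.Sub = "admin@carbon.super" // forgery: edit the payload but keep the genuine signature
	forged, _ := json.Marshal(c)
	res := map[string]bool{
		"valid_accepted":    accepts(token, now),
		"expired_rejected":  !accepts(token, now.Add(2*time.Hour)),
		"tampered_rejected": !accepts(parts[0]+"."+enc.EncodeToString(forged)+"."+parts[2], now),
		"none_rejected":     !accepts(enc.EncodeToString([]byte(`{"alg":"none"}`))+"."+parts[1]+".", now),
	}
	gw.Revoked[c.Jti] = true // revocation notice from the key manager: only the jti travels
	res["revoked_rejected"] = !accepts(token, now)
	return res, nil
}

func main() {
	c, _ := DecodeClaims(PageToken)
	fmt.Printf("sample token: sub=%s aud=%v iss=%s expired at %s\n", c.Sub, c.Aud, c.Iss, time.Unix(c.Exp, 0).UTC())
	res, _ := RunScenario()
	fmt.Println(res)
}
```

Every check in the printed map should be true. Two things the program makes concrete: the gateway needs nothing from the key manager at request time except its public key, which is the "certificate management" row; and the revoked-jti set is only as fresh as the last notification the gateway received, which is the operational price of the "token revocation" row.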
