Different token types and their usages
In this section we discuss the different token types and their usages in detail. When users create an application to consume APIs, they choose an application type, which can be either JWT or OAuth 2.0, depending on their requirements.
JWT token retrieval process and use for API invocation
WSO2 API Manager 3.0.0 supports JWT authentication as an alternative way to invoke APIs: self-contained, signed JWT-formatted access tokens can be used as API credentials. When an API is secured with the OAuth2 security scheme, the JWT tokens issued to users from the Developer Portal can be used to invoke that API.
Figure - Security Flow
You first need to obtain a JWT token from the WSO2 Identity Server (or API Manager) token endpoint using the password grant type. The curl command mentioned below can be used to obtain a JWT token.
Here you need to replace the
OAuth 2.0 token retrieval process and use for API invocation
OAuth 2 (Open Authorization) is an open standard for access delegation. It is used for token-based authentication and authorization. This standard is used by many technology providers, such as Google, Facebook, and Twitter. By using OAuth 2, it is possible to grant access to a secured resource (with an access token) for a specific period of time. Once the lifetime of that access token expires, the consumer has to refresh the token to obtain a new token.
By default, WSO2 API Manager's key manager component is responsible for handling token-related operations. The key manager cleanly decouples the operations that create OAuth applications from those that validate access tokens in an OAuth 2.0 scenario. As a result, a third-party authorization server can be plugged in for key validation if needed (e.g. WSO2 Identity Server or any other server that supports the standard OAuth 2.0 protocol).
Figure - API Gateway processing flow
When a request reaches the API Gateway (i.e. when an API is consumed), the gateway validates it with the key manager; access token validation occurs at this stage. The request is forwarded to the backend endpoint only if the token is valid. This ensures that services exposed via APIs can only be consumed by authorized parties.
Figure - Security Flow
From API Manager 3.0.0 onward, a JWT token is returned as the default token; before APIM 3.0.0 it was an opaque OAuth 2.0 token. The table below lists the features of both token types and their usages.
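To make the difference concrete, the following added example (not code from the WSO2 documentation or product) models the two validation paths the gateway section and the JWT section describe: a self-contained JWT is checked locally from its signature and `exp` claim, while an opaque token can only be resolved by asking the key manager, which is stood in for here by a constructed dictionary. It assumes HS256 with a shared secret purely to stay dependency-free; a real key manager signs with its own key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Build a constructed self-contained HS256 JWT standing in for a key-manager-issued token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Gateway-side check of a self-contained token: signature first, then expiry, no key-manager call."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Only the algorithm the gateway expects is accepted; "none" or a swapped alg is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def validate_opaque(token: str, key_manager_store: dict, now: int) -> Optional[dict]:
    """Opaque token: the gateway holds no claims, so it must look the token up at the key manager."""
    record = key_manager_store.get(token)
    if record is None or record["exp"] <= now:
        return None
    return record


def bearer_header(token: str) -> dict:
    """Header used to invoke the API with either token type."""
    return {"Authorization": f"Bearer {token}"}
```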