stackoom
  简体   繁体   中英

WSO2 API manager Outh token validations

 原文  2017-03-10 10:02:24       wso2/ wso2is

Question

I have installed the WS02 API manager and secured my backend REST service with oauth2.

Here is my setup

IP1: WSO2 API manger using the default inbuild key manager. I have published my API here.

IP2: Resource server is running here.

I have simple client application which talks to the key manger to get the Access token and creates a successful call to published API in API manger. Here the API manger validates the token before sending the request to my resource server.

I am looking for the following configuration. Is this possible

  1. Application will talk to API manager only for generating the token
  2. Application will make a direct request to Resource server with the token
  3. Resource server needs to validate the token with Auth server.

I do see explanation in WSo2 Identify server where they suggested to use SOAP based mechanism to validate the token. However I am not able to get how we can achieve this.

Can someone please clarify, what changes needs to be done on Resource server and API manager to get the above flow. As I use API manger only for token generation going only to Identity server makes more sense?

1 answers

solution1
 0  2017-03-10 21:43:37

Let me explain the use of API Manager first.

API Manager is used to providing a layer of additional functionality for your APIs such as authorization, throttling and other QoS stuff.

So the basic idea is that you publish you API in WSO2 API Manager and it takes care of the authorization part for your API. So when a client tries to access your API via API Manager, API Manager makes sure only authorized clients are allowed to access the API.

So from your requirements, it seems that you want to do the authorization at the resource server. In that case there is no point using API Manager only for the purpose of token generation.

Instead, you should use WSO2 Identity Server. Your API Client can call the token endpoint of Identity Server to generate the token and send it in the API request. You can find more details about OAuth2 with WSO2 Identity Server here .

Then at the resource you can validate the access token. With IS 5.3.0, there are two ways to validate a token. OAuth2 Introspection Endpoint and a SOAP service. You can find more details here .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question wso2 API Manager custom validations for API request input fields WSo2 API Manager WSO2 API Manager 2.0.0 - LDAP & Publisher API Token Issue wso2 api manager wso2 BAM WSO2 API Manager, is it possible to disable the access-token mechanism Retrieve user access TOKEN from WSO2 Api Manager WSO2 API Manager Client Credentials renew token how to add mediation for get token of WSO2 API Manager? WSO2 api manager - refresh token request format Configuring CORS for WSO2 API Manager JWT Grant token endpoint
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM