This documentation is a work in progress and will be released with the WSO2 API Manager 3.0.0 GA release.
Token API - API Manager 3.0.0 - WSO2 Documentation


Users need access tokens to invoke APIs subscribed under an application. Access tokens are passed in the HTTP header when invoking APIs. The API Manager provides a Token API that you can use to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access the API.

The topics below explain how to generate access tokens and how to validate them. WSO2 API Manager supports the authorization grant types described in the following sections:

To validate tokens generated through the token endpoint, see Introspection.

Client credentials grant

Client credentials can be used when the authorization scope is limited to the protected resources belonging to the client. Client credentials are used as an authorization grant when the client requests access to protected resources based on an authorization previously arranged with the authorization server. The client application requests an access token from the authorization server, authenticating the request with its client key and client secret. If the client is successfully authenticated, an access token is returned.

Invoking the Token API to generate the tokens

  1. Get a valid consumer key and consumer secret pair. Initially, you generate these keys through the API Store by clicking Generate Keys on the Production Keys tab of the application.
  2. Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64 (http://base64encode.org).
  3. Use the following sample request command to obtain the access token.

    POST https://localhost:9443/api/auth/oauth2/v1.0/token
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic ZmM3NDY0NTYtZDlmMC00YzdmLWJkMDgtY2MwZjFkNWI1MjBlOmJlOWJhNmM3LWNiNDctNGM5Ni04NDIxLTFmNWJiNWFlOGNmMg==

    Add the payload as application/x-www-form-urlencoded data including the following parameters.

      grant_type : client_credentials

      scope : apim:api_view

    You receive a response similar to the following:

    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 180
    Content-Type: application/json;charset=UTF-8
    
    {
    	"access_token": "gpdd3bpAtNnkPHmb4Ffh0RR8-4v3PsFkDnglnCAmTn8",
    	"refresh_token": "w_6RyWibZ7PAGL-zxf2fChCeck6Zs-udYgJg6JUS0oc",
    	"scope": "scope",
    	"token_type": "Bearer",
    	"expires_in": 3600
    }

Password grant

You can obtain an access token by providing the resource owner's username and password as an authorization grant. It requires the base64 encoded string of the consumer-key:consumer-secret combination. 

Invoking the Token API to generate the tokens

  1. Get a valid consumer key and consumer secret pair. Initially, you generate these keys through the API Store by clicking Generate Keys on the Production Keys tab of the application.
  2. Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64 (http://base64encode.org).
  3. Use the following sample request to access the Token API. It generates two tokens: an access token and a refresh token. You use the refresh token when renewing the access token.

    Tip: <scope> is optional.

    If you define a scope for an API's resource, the API can only be accessed through a token that is issued for the scope of the said resource. For example, if you define a scope named 'update' and issue one token for the scopes 'read' and 'update', the token is allowed to access the resource. However, if you issue the token for the scope named 'read', the request to the API will be blocked.

    POST https://localhost:9443/api/auth/oauth2/v1.0/token
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic ZmM3NDY0NTYtZDlmMC00YzdmLWJkMDgtY2MwZjFkNWI1MjBlOmJlOWJhNmM3LWNiNDctNGM5Ni04NDIxLTFmNWJiNWFlOGNmMg==

    Add the payload as application/x-www-form-urlencoded data including the following parameters.

      grant_type : password

      scope : apim:api_view

      username: admin

      password: admin

    You receive a response similar to the following:

    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 180
    Content-Type: application/json;charset=UTF-8
    
    {
    	"access_token": "V0grA8g2DFbeihN7okF0X_xdBwb1Y2fcbRt3oR43UDk",
    	"refresh_token": "vVDfo1uBfDZMZCLVGmkXlV9Np5r5tSK3r-wnVL1SidE",
    	"scope": "scope",
    	"token_type": "Bearer",
    	"expires_in": 3600
    }
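The two grant flows above share the same mechanics: build the Basic header from consumer-key:consumer-secret, send a form-encoded body whose grant_type selects the flow, and pull the Bearer token out of the JSON reply. The Python below is an added example, not part of the WSO2 documentation or product, that does this for both the client credentials and the password grants. The endpoint, parameter names and response fields come from the page; the sample consumer key and secret are the pair decoded from the page's Basic header (the key is the client_id the introspection example later returns); the function names and the send_token_request helper are this example's own, and that helper assumes the Token API's TLS certificate is trusted by the client.

```python
"""Build and parse WSO2 API Manager Token API exchanges (client credentials and password grants).

Added example; helper names are this example's own, not WSO2 APIs.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://localhost:9443/api/auth/oauth2/v1.0/token"  # endpoint shown on the page

# Sample consumer key/secret decoded from the page's sample "Authorization: Basic ..." header.
# Documentation sample values, not live credentials.
SAMPLE_CONSUMER_KEY = "fc746456-d9f0-4c7f-bd08-cc0f1d5b520e"
SAMPLE_CONSUMER_SECRET = "be9ba6c7-cb47-4c96-8421-1f5bb5ae8cf2"
PAGE_SAMPLE_AUTH_HEADER = (
    "Basic ZmM3NDY0NTYtZDlmMC00YzdmLWJkMDgtY2MwZjFkNWI1MjBlOmJlOWJhNmM3LWNiNDctNGM5Ni04NDIxLTFmNWJiNWFlOGNmMg=="
)


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Step 2 of the procedure: 'consumer-key:consumer-secret', base64-encoded locally (no web encoder needed)."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(consumer_key, consumer_secret, grant_type, scope=None, username=None, password=None):
    """Return (url, headers, body) for the Token API; body is the x-www-form-urlencoded payload."""
    if grant_type not in ("client_credentials", "password"):
        raise ValueError(f"unsupported grant_type: {grant_type}")
    params = {"grant_type": grant_type}
    if scope:
        params["scope"] = scope  # optional, as the page's tip says
    if grant_type == "password":
        # The password grant carries the resource owner's credentials in the body.
        if not (username and password):
            raise ValueError("password grant needs the resource owner's username and password")
        params["username"] = username
        params["password"] = password
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
    }
    return TOKEN_ENDPOINT, headers, urlencode(params)


def parse_token_response(body: str) -> dict:
    """Extract the tokens from the JSON reply; reject anything that is not a Bearer access token."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": int(data.get("expires_in", 0)),
        "scope": data.get("scope", ""),
    }


def bearer_header(access_token: str) -> str:
    """Value of the HTTP Authorization header used when invoking the subscribed API."""
    return f"Bearer {access_token}"


def send_token_request(url, headers, body, timeout=10):
    """Perform the POST and parse the reply (network call; assumes the server's TLS cert is trusted)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Client credentials request, built exactly as the page's sample but with the correct grant_type.
    url, hdrs, payload = build_token_request(
        SAMPLE_CONSUMER_KEY, SAMPLE_CONSUMER_SECRET, "client_credentials", scope="apim:api_view"
    )
    print(url, hdrs["Authorization"] == PAGE_SAMPLE_AUTH_HEADER, payload)
```

Encoding the decoded sample key and secret reproduces the page's Authorization header byte for byte, which is a useful sanity check when wiring up a client: a wrong header almost always means a stray newline or whitespace in the key:secret string before encoding.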

Instead of using the Token API, you can also generate access tokens from the API Store's UI. 

Introspection

Introspection allows authorized protected resources to query the authorization server to determine the set of metadata for a given token that was presented to them by an OAuth Client. This metadata includes whether or not the token is currently active (or if it has expired or otherwise been revoked), what rights of access the token carries (usually conveyed through OAuth 2.0 scopes), and the authorization context in which the token was granted (including who authorized the token and which client it was issued to). Token introspection allows a protected resource to query this information regardless of whether or not it is carried in the token itself, allowing this method to be used along with or independently of structured token values.

Invoking the Token API to validate the tokens

  1. Get a valid consumer key and consumer secret pair. Initially, you generate these keys through the API Store by clicking Generate Keys on the Production Keys tab of the application.
  2. Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64 (http://base64encode.org).
  3. Use the following sample request to validate the access token.

    POST https://localhost:9443/api/identity/oauth2/introspect/v1.0/introspect
    Accept: application/json
    Authorization: Bearer N2yQ_LjNky8Z2VCVMl8bnztoNlLifKPbr_8-uJHqnDU
    Content-Type: application/x-www-form-urlencoded

    You receive a response similar to the following:

    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 165
    Content-Type: application/json
    
    {
    	"active": true,
    	"username": "admin",
    	"scope": "",
    	"tokenType": "user and application",
    	"client_id": "fc746456-d9f0-4c7f-bd08-cc0f1d5b520e",
    	"exp": 1515133851,
    	"iat": 1515130251
    }
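What the protected resource should do with that introspection response is the part the page leaves implicit. The Python below is an added example (not WSO2's code) that builds the introspection call and then applies the checks a resource server needs before trusting a token: active must be true, exp must not have passed (with a small clock-skew allowance), the granted scope string must cover every scope the resource requires, and optionally client_id must match the application the resource expects. The endpoint, the caller's Bearer header and the sample response are taken from the page; sending the inspected token as the token form parameter follows RFC 7662 and is an assumption, since the page's request shows no body; the function names and the clock_skew default are this example's choices.

```python
"""Introspect a token and decide whether a protected resource should accept it.

Added example; function names are this example's own, not WSO2 APIs.
"""
import json
import time
from urllib.parse import urlencode

INTROSPECT_ENDPOINT = "https://localhost:9443/api/identity/oauth2/introspect/v1.0/introspect"  # from the page

# Constructed from the page's sample introspection response.
SAMPLE_INTROSPECTION = """{
    "active": true,
    "username": "admin",
    "scope": "",
    "tokenType": "user and application",
    "client_id": "fc746456-d9f0-4c7f-bd08-cc0f1d5b520e",
    "exp": 1515133851,
    "iat": 1515130251
}"""


def build_introspection_request(token_to_check: str, caller_bearer_token: str):
    """Return (url, headers, body) for the introspection endpoint shown on the page."""
    headers = {
        "Accept": "application/json",
        "Authorization": f"Bearer {caller_bearer_token}",  # token authenticating the caller, as on the page
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Assumption: the token under inspection travels as the 'token' form parameter (RFC 7662 section 2.1).
    return INTROSPECT_ENDPOINT, headers, urlencode({"token": token_to_check})


def evaluate_introspection(body: str, required_scopes=(), now=None, clock_skew=30, expected_client_id=None):
    """Return (accepted, reason): the decision a resource server makes from the introspection metadata."""
    now = int(time.time()) if now is None else int(now)
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return False, "introspection response is not JSON"
    # 'active' is the authoritative flag: false means expired, revoked or unknown.
    if info.get("active") is not True:
        return False, "token not active (expired, revoked or unknown)"
    # Belt and braces: also honour exp/iat ourselves, tolerating a small clock skew.
    exp = info.get("exp")
    if exp is None or now > int(exp) + clock_skew:
        return False, "token expired"
    iat = info.get("iat")
    if iat is not None and int(iat) > now + clock_skew:
        return False, "token issued in the future"
    # Bind the token to the application the resource expects, when known.
    if expected_client_id is not None and info.get("client_id") != expected_client_id:
        return False, "token issued to a different client"
    # Scope is a space-separated string; every required scope must be present.
    granted = set(str(info.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, f"token valid for user {info.get('username', '?')} until {exp}"


if __name__ == "__main__":
    print(build_introspection_request("<token-under-test>", "N2yQ_LjNky8Z2VCVMl8bnztoNlLifKPbr_8-uJHqnDU"))
    print(evaluate_introspection(SAMPLE_INTROSPECTION, now=1515133000))
    print(evaluate_introspection(SAMPLE_INTROSPECTION, required_scopes=["apim:api_view"], now=1515133000))
```

On the page's sample response, evaluating at a time between iat and exp accepts the token, requiring apim:api_view rejects it because the returned scope is empty, and evaluating after exp rejects it as expired. Note that exp minus iat is 3600 seconds, matching the expires_in value the Token API returned.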