This documentation is for WSO2 API Manager 1.5.0 View documentation for the latest release.
Page Comparison - Token APIs (v.44 vs v.48) - API Manager 1.5.0 - WSO2 Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

You can use the Token API to invoke an API through a third-party application like a mobile app. The Token API comes bundled with the API Manager by default. It requires the base64 encoded string of the comsumerconsumer-key:consumer-secret combination. 

...

  1. Combine the consumer key and consumer secret keys in the format consumer-key:consumer-secret and encode the combined string using base64. Encoding to base64 can be done using the URL: http://base64encode.org.
    Here's an example consumer key and secret combination : wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
  2. Access the Token API by using a REST client such as the WSO2 REST Client or Curl, with the following parameters.
    • Assuming that both the client and the API Gateway are run on the same server, the token API url is https://localhost:8243/token
    • payload - "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION". Replace the <username> and <password> values as appropriate.
    • headers - Authorization: Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace the <base64 encoded string> as appropriate.          

    For example, use the following cURL command to access the Token API. It generates two tokens as an access token and a refresh token. You can use the refresh token at the time a token is renewed .

    Code Block
    curl -k -d "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh," -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
    Note

    The Token API endpoint is specified in the <APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file (note that _LoginAPI_.xml is the deprecated API).

    When running the server with ports different to the default (i.e., 9443), you must update the endpoints defined inside the default APIs accordingly (_TokenAPI_.xml, _LoginAPI_.xml etc.). See Changing the Default Ports with Offset.

    Info
    iconfalse

    User access tokens have a fixed expiration time, which is set to 60 minutes by default. Before deploying the API manager to users, extend the default expiration time by editing the <AccessTokenDefaultValidityPeriod> tag in <PRODUCT_HOME>/repository/conf/identity.xml.

    When a user access token expires, the user can try regenerating the token as explained in the Renew user tokens section.

...

Code Block
curl -k -d "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh," -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

The REST message will grant the user a renewed user token.

...

...

NOTE: When a user token expires, the user cannot be authorized and the getConsumerSecret method of SignatureVerificationHandler throws a 401 user authentication/signature verification failure as "Failed to authenticate user, no consumerSecret found."

This error can be caused by other reasons too. You can determine the exact reason by putting some logs in the code to see whether the user is authorized, and the applicationName, subscriberName, tokenType, apiContext, accessToken and apiVersion are accurate.

Revoking access tokens

After issuing an access token, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling Revoke API using a utility like cURL. The Revoke API's endpoint URL is http://localhost:8280/revoke.

...

  1. Combine the consumer key and consumer secret keys as consumer-key:consumer-secret and encode the combined string using base64 using http://base64encode.org. Here's an example consumer key and secret combination: wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
  2. Access the Token API using a REST client such as the WSO2 REST Client or Curl. The parameters are explained below:

    • Assuming that both the client and the API Gateway run on the same server, the Token API URL is https://localhost:8243/token.
    • payload - "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML2_Encoded_Assertion_Token> &scope=PRODUCTION". Replace the <SAML2_Encoded_Assertion_Token> value as appropriate.
    • headers - Authorization :Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace the <base64 encoded string> as appropriate.

    For example, use the following cURL command used to access the Token API generates an access token and a refresh token. You can use the refresh token at the time a token is renewed.

    Code Block
    curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML2_Encoded Assertion>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh," -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
    Warning

    The Token API endpoint is specified in <APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file. When running the server with ports different to the default (i.e., 9443), you must update the endpoints defined inside the _TokenAPI_.xml file accordingly. See Changing the Default Ports with Offset.