On Thu, Mar 23, 2017 at 11:36 AM, Roshan Wijesena <[email protected]> wrote:

> Hi Nuwan,
>
> On Thu, Mar 23, 2017 at 11:12 AM, Nuwan Dias <[email protected]> wrote:
>
>> If we use the JWT grant instead of the client_credentials grant, we can
>> get a token per user without the explicit need of the user having to
>> present his credentials. As long as a user has a valid access token to use
>> the product APIs, we can use that as the trust and get him a token for
>> testing his APIs using the JWT grant.
>
> The JWT grant will not be supported by all key managers; in that case, how
> can we generate a JWT token? What's wrong with the password grant type? Can't
> we use that?
>

Well, I was thinking along the lines of making the code that gets the token
extensible. The JWT grant was suggested as the default one we ship with.

The issue with the password grant is that you always need the user's
credentials. To access different APIs you may need tokens with different
scopes, in which case you need to generate tokens more than once. We cannot
expect the user to provide his credentials every time we need to get a
token. Besides, if a user logs in using SSO, he never provides the App with his
credentials, so there is no way to use the password grant in those cases.

>
> --
> Roshan Wijesena.
> Senior Software Engineer-WSO2 Inc.
> Mobile: +94719154640
> Email: [email protected]
> WSO2, Inc. : wso2.com <http://wso2.com/>
> lean.enterprise.middleware.
>
-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
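The exchange above contrasts two ways an app can obtain scoped tokens for a user: the JWT bearer grant (RFC 7523), where the app reuses trust it already holds for a logged-in user, and the password grant, which needs the raw credentials on every call. The following model, added here as an example and not code from the thread or from WSO2, shows both grants side by side, with the checks a key manager must perform on an incoming assertion (pinned algorithm, signature, issuer, audience, subject, expiry and replay). Everything in it is constructed: the issuer name, token endpoint, scope names, the user store, and the use of an HS256 shared secret between app and key manager (a simplification; RFC 7523 deployments normally sign assertions with the app's private key and validate with its registered public key).

```python
import base64
import hashlib
import hmac
import json

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"   # RFC 7523 grant_type value
TOKEN_ENDPOINT = "https://km.example.test/oauth2/token"       # constructed audience
APP_ISSUER = "apim-publisher"                                 # constructed issuer id
SHARED_SECRET = b"constructed-secret-do-not-reuse"            # constructed HMAC key (assumption)


class GrantError(Exception):
    """Rejected grant; the message is the reason (the OAuth error would be invalid_grant)."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(subject, now, jti, ttl=300, audience=TOKEN_ENDPOINT,
                   issuer=APP_ISSUER, secret=SHARED_SECRET):
    """App side: mint a short-lived HS256 assertion (iss, sub, aud, exp, jti); no password needed."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class KeyManager:
    """Token endpoint that supports both grants; keeps issued tokens for inspection."""

    def __init__(self, users, secret=SHARED_SECRET, issuer=APP_ISSUER, audience=TOKEN_ENDPOINT):
        self.users = users          # constructed {username: password} store for the password grant
        self.secret, self.issuer, self.audience = secret, issuer, audience
        self.seen_jti = set()       # replay protection: each assertion is accepted once
        self.issued = []

    def verify_assertion(self, assertion, now):
        parts = assertion.split(".")
        if len(parts) != 3:
            raise GrantError("malformed assertion")
        head_b64, claims_b64, sig_b64 = parts
        # Pin the algorithm instead of trusting whatever the header names.
        if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
            raise GrantError("unexpected alg")
        expected = hmac.new(self.secret, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise GrantError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != self.issuer:
            raise GrantError("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise GrantError("wrong audience")
        if not claims.get("sub"):
            raise GrantError("missing sub")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            raise GrantError("expired")
        if claims.get("jti") in self.seen_jti:
            raise GrantError("replayed assertion")
        self.seen_jti.add(claims.get("jti"))
        return claims

    def token(self, grant_type, scope, now, assertion=None, username=None, password=None):
        """Model of POST /oauth2/token: returns the token response or raises GrantError."""
        if grant_type == JWT_BEARER:
            subject = self.verify_assertion(assertion, now)["sub"]
        elif grant_type == "password":
            # The drawback from the thread: raw user credentials are needed on every call.
            if username is None or self.users.get(username) != password:
                raise GrantError("bad credentials")
            subject = username
        else:
            raise GrantError("unsupported_grant_type")
        response = {"access_token": f"at-{len(self.issued) + 1}", "token_type": "Bearer",
                    "scope": scope, "sub": subject}
        self.issued.append(response)
        return response


def demo(now=1_490_000_000):
    """Run the thread's scenario and return what happened (constructed user and scope names)."""
    km = KeyManager(users={"alice": "constructed-password"})
    # Two differently scoped tokens for the same SSO user, without ever seeing a password.
    t1 = km.token(JWT_BEARER, "api_view", now, assertion=make_assertion("alice", now, "jti-1"))
    t2 = km.token(JWT_BEARER, "api_publish", now, assertion=make_assertion("alice", now, "jti-2"))
    out = {"scopes": [t1["scope"], t2["scope"]], "subjects": sorted({t1["sub"], t2["sub"]})}
    tampered = make_assertion("alice", now, "jti-5").split(".")
    tampered[1] = _b64url(json.dumps({**json.loads(_b64url_decode(tampered[1])), "sub": "bob"}).encode())
    bad = {"replay": make_assertion("alice", now, "jti-1"),            # same jti as t1
           "expired": make_assertion("alice", now - 600, "jti-3"),     # exp already passed
           "wrong_aud": make_assertion("alice", now, "jti-4", audience="https://other.example.test"),
           "tampered": ".".join(tampered)}                             # claims edited after signing
    for name, assertion in bad.items():
        try:
            km.token(JWT_BEARER, "api_view", now, assertion=assertion)
            out[name] = "accepted"
        except GrantError as err:
            out[name] = str(err)
    out["password_ok"] = km.token("password", "api_view", now,
                                  username="alice", password="constructed-password")["sub"]
    return out
```

Calling `demo()` issues two scoped tokens for the same user from two fresh assertions, then shows the key manager rejecting a replayed, an expired, a mis-addressed and a tampered assertion before finally issuing a token through the password grant, which is the only path that needed the user's actual password. The `jti` set is what makes an assertion single-use; in a real key manager it would be bounded by the assertion lifetime rather than grow forever.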
