Hi Sachini,

What is stopping us from having a separate API Key in Option 1 as well instead of using the Consumer Key for the application?
Then, whenever someone wants to use the API-Key option they will get a key which can be used either for a bunch or specific APIs.

Thank you,
Shiro

On Fri, Jun 30, 2017 at 9:42 AM, Harsha Kumara <[email protected]> wrote:

> Adding correct architecture group.
>
> On Fri, Jun 30, 2017 at 9:22 AM, Sachini De Silva <[email protected]> wrote:
>
>> Hi all,
>>
>> Currently, API manager uses OAuth2 to authenticate and authorize API
>> requests. This assures security and is good for dealing with APIs that
>> handle sensitive data. However, APIs with less critical functionalities
>> can be exposed through API key authentication. Unlike access tokens used in
>> OAuth2, API keys do not have an expiry time or a scope associated with
>> them. So basically an API key grants unrestricted access (in time or scope)
>> to the API.
>>
>> Option 1
>>
>> At application creation, the developer is given the chance to select
>> which APIs he is going to access through OAuth and API key types. Then he
>> can proceed to API key generation where he gets a consumer key, consumer
>> secret and an access token. In OAuth context, all these 3 keys are used. If
>> the application has subscribed to any API through API key type, then the
>> consumer key issued for the application can be used as the API key for
>> those APIs.
>>
>> Figure: Option 1
>>
>> Option 2
>>
>> At application creation, the developer is given the chance to select
>> which APIs he is going to access through OAuth and API key types. Then he
>> can proceed to API key generation where he gets a consumer key, consumer
>> secret and an access token. These will be used in calling APIs with
>> OAuth. Then a one time option is given to generate API keys for other APIs
>> the developer wishes to call through API key. This can either be a separate
>> API key per API (Option 2-b) or one API key for all APIs (Option 2-a).
>>
>> Figure: Option 2-a
>>
>> Figure: Option 2-b
>>
>> Appreciate your comments and suggestions.
>>
>> Thank you,
>>
>> Sachini
>>
>> --
>> *Sachini De Silva*
>> Software Engineer - WSO2
>>
>> Email : [email protected]
>> Mobile : +94778977970
>
> --
> Harsha Kumara
> Software Engineer, WSO2 Inc.
> Mobile: +94775505618
> Blog: harshcreationz.blogspot.com

--
*Shiroshica Kulatilake | Solutions Architecture, WSO2 Inc.*
+94 776523867
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
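The difference between Option 2-a and Option 2-b in the thread above, as an added sketch that is not WSO2 API Manager code and was not posted by anyone in the thread: because the keys carry no expiry or scope, the set of APIs bound to a key at issuance is the only limit on what a leaked key can reach. The `ApiKeyStore` class, its method names and the API names are hypothetical.

```python
import hashlib
import secrets


class ApiKeyStore:
    """Hypothetical in-memory store: key digest -> set of API names the key may call."""

    def __init__(self):
        self._grants = {}

    @staticmethod
    def _digest(key):
        # Only the SHA-256 digest is stored, so a leaked store does not reveal usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def _issue(self, apis):
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._grants[self._digest(key)] = frozenset(apis)
        return key

    def issue_single(self, apis):
        """Option 2-a: one key covering every API subscribed with the API key type."""
        return self._issue(apis)

    def issue_per_api(self, apis):
        """Option 2-b: a separate key for each API."""
        return {api: self._issue([api]) for api in apis}

    def allows(self, key, api):
        return api in self._grants.get(self._digest(key), frozenset())

    def revoke(self, key):
        # The keys have no expiry, so revocation is the only way to end their validity.
        self._grants.pop(self._digest(key), None)


def demo():
    apis = ["weather", "geocode"]  # constructed API names
    store = ApiKeyStore()
    single = store.issue_single(apis)
    per_api = store.issue_per_api(apis)
    results = {
        "2a_key_on_geocode": store.allows(single, "geocode"),
        "2b_weather_key_on_geocode": store.allows(per_api["weather"], "geocode"),
    }
    store.revoke(per_api["weather"])  # a leaked 2-b key is revoked on its own
    results["2b_geocode_after_revoke"] = store.allows(per_api["geocode"], "geocode")
    store.revoke(single)  # revoking the 2-a key cuts off every API at once
    results["2a_weather_after_revoke"] = store.allows(single, "weather")
    return results


if __name__ == "__main__":
    print(demo())
```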
