Hi Sachini,

I would prefer option 2-b for the following reasons.

1. We do not need to use the consumer key of the application and IMHO it is better to have a separate entity to identify the API key.
2. An Application is a collection of APIs. Users may group APIs based on their use case and if they do not identify the API key concept, they may group the APIs with APIs which have sensitive data. If we go with option 2-a, one API key can be used for all the APIs. IMHO, it is a risk and it is better to have an API key per API within an application.

Thank you!

On Fri, Jun 30, 2017 at 9:46 AM, Shiro Kulatilake <[email protected]> wrote:
> Hi Sachini,
>
> What is stopping us from having a separate API key in Option 1 as well instead of using the consumer key for the application?
>
> Then, whenever someone wants to use the API key option they will get a key which can be used either for a bunch of APIs or for specific APIs.
>
> Thank you,
> Shiro
>
> On Fri, Jun 30, 2017 at 9:42 AM, Harsha Kumara <[email protected]> wrote:
>
>> Adding correct architecture group.
>>
>> On Fri, Jun 30, 2017 at 9:22 AM, Sachini De Silva <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> Currently, API Manager uses OAuth2 to authenticate and authorize API requests. This assures security and is good for dealing with APIs that handle sensitive data. However, APIs with less critical functionalities can be exposed through API key authentication. Unlike access tokens used in OAuth2, API keys do not have an expiry time or a scope associated with them. So basically an API key grants unrestricted access (in time or scope) to the API.
>>>
>>> Option 1
>>>
>>> At application creation, the developer is given the chance to select which APIs he is going to access through OAuth and API key types. Then he can proceed to API key generation where he gets a consumer key, consumer secret and an access token. In the OAuth context, all these 3 keys are used. If the application has subscribed to any API through the API key type, then the consumer key issued for the application can be used as the API key for those APIs.
>>>
>>> Figure: Option 1
>>>
>>> Option 2
>>>
>>> At application creation, the developer is given the chance to select which APIs he is going to access through OAuth and API key types. Then he can proceed to API key generation where he gets a consumer key, consumer secret and an access token. These will be used in calling APIs with OAuth. Then a one-time option is given to generate API keys for other APIs the developer wishes to call through API key. This can either be a separate API key per API (Option 2-b) or one API key for all APIs (Option 2-a).
>>>
>>> Figure: Option 2-a
>>>
>>> Figure: Option 2-b
>>>
>>> Appreciate your comments and suggestions.
>>>
>>> Thank you,
>>>
>>> Sachini
>>>
>>> --
>>> Sachini De Silva
>>> Software Engineer - WSO2
>>> Email: [email protected]
>>> Mobile: +94778977970
>>
>> --
>> Harsha Kumara
>> Software Engineer, WSO2 Inc.
>> Mobile: +94775505618
>> Blog: harshcreationz.blogspot.com
>
> --
> Shiroshica Kulatilake | Solutions Architecture, WSO2 Inc.
> +94 776523867

--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Software Engineer
WSO2, Inc.: http://wso2.com
mobile: +94774078049
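The difference between options 2-a and 2-b that the reply above argues for, as an added example that is not part of the thread or of WSO2 API Manager: a gateway-side key store that binds each API key to the set of APIs it was issued for. The application name, API names and the store itself are constructed for illustration.

```python
import hashlib
import secrets

# Constructed application: a low-sensitivity API grouped with a sensitive one.
APP_NAME = "weather-dashboard"
APP_APIS = {"weather", "billing"}


def _digest(api_key: str) -> str:
    """Store only a digest: API keys never expire, so a leaked store must not yield usable keys."""
    return hashlib.sha256(api_key.encode()).hexdigest()


class ApiKeyStore:
    """Minimal gateway-side store; each key is bound to an application and a set of APIs."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[str, frozenset[str]]] = {}

    def issue(self, app_name: str, apis: set[str]) -> str:
        """Option 2-a: pass every API of the application. Option 2-b: pass a single API."""
        key = secrets.token_urlsafe(32)
        self._keys[_digest(key)] = (app_name, frozenset(apis))
        return key

    def revoke(self, api_key: str) -> None:
        self._keys.pop(_digest(api_key), None)

    def authorize(self, api_key: str, api_name: str) -> bool:
        """True only if the key is known and was issued for this API."""
        entry = self._keys.get(_digest(api_key))
        return entry is not None and api_name in entry[1]


def compare_options() -> dict[str, bool]:
    """Issue keys under both designs for the same application and probe the sensitive API."""
    store = ApiKeyStore()
    shared_key = store.issue(APP_NAME, APP_APIS)        # option 2-a: one key for all APIs
    weather_key = store.issue(APP_NAME, {"weather"})    # option 2-b: one key per API
    result = {
        "2a_shared_key_reaches_billing": store.authorize(shared_key, "billing"),
        "2b_weather_key_reaches_billing": store.authorize(weather_key, "billing"),
        "2b_weather_key_reaches_weather": store.authorize(weather_key, "weather"),
    }
    # Revoking a per-API key leaves the application's other keys untouched; revoking
    # the shared 2-a key would cut off every API in the application at once.
    store.revoke(weather_key)
    result["2b_revoked_key_rejected"] = store.authorize(weather_key, "weather")
    result["2a_key_unaffected_by_2b_revoke"] = store.authorize(shared_key, "weather")
    return result
```

Under 2-a the key handed out for the weather API also authorizes calls to billing because both sit in the same application; under 2-b that same grouping is harmless, and revocation is per API.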
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
