Hi Isuru,

As per the current plan, we will be supporting API Key and Basic Auth in
addition to OAuth2. But in either case, we won't be needing a generate key
API. Even if we introduce some other authentication scheme that will
require a key generation, we could use the same API maybe with some
parameter to identify the key type.

@Nuwan,

On Fri, Jul 7, 2017 at 3:18 AM, Nuwan Bandara <[email protected]> wrote:
>
>
> I know right now we generate an access token for an application, I assume
>
> POST /applications/{applicationId}/generate-tokens
>
> is for that ?
>

Yes.


> do we have to do that ? Usually we should encourage anyone to get their
> access token to access the API, even for testing purposes.
>

Yes, for API testing developers can generate keys with any grant type
separately. But this API is basically there for a better user experience.
Since we have API console (swagger-ui) embedded, the developer can quickly
try APIs with the generated token without generating one separately. That
makes the user experience smooth.


>
> Worst case if someone needs they can use the API Key for this (once we
> have it) and is allowed by the API ?
>

Yes, but that's only *if* the publisher has allowed that, which may not be a
very common case.

Thanks,
Bhathiya


>
> Regards,
> /Nuwan
>
> On Thu, Jul 6, 2017 at 2:57 PM, Chintana Wilamuna <[email protected]>
> wrote:
>
>> This API is about controlling application and associated token types
>> right? Different token types are then generated at API subscription time by
>> consumers with a specific grant type correct?
>>
>> Isuru, IMO it's sort of implied.
>>
>>     -Chintana
>>
>> On Thu, Jul 6, 2017 at 10:33 AM, Nuwan Bandara <[email protected]> wrote:
>>
>>> Guys, also this is not directly related to the API design and as Isuru
>>> said we will have to think about different token types. At present many
>>> users ask for JWT tokens as opposed to random string tokens. So should we think
>>> about the type too ?
>>>
>>> On Fri, Jun 30, 2017 at 12:35 AM, Isuru Haththotuwa <[email protected]>
>>> wrote:
>>>
>>>> Just a thought; since we are going to support Key types other than
>>>> OAuth for API invocation, should we consider renaming the rest resources to
>>>> indicate that this is about generating OAuth keys/tokens?
>>>>
>>>> On Wed, Jun 28, 2017 at 1:37 PM, Bhathiya Jayasekara <[email protected]
>>>> > wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> As discussed in [1], I split generate keys operation into 2, and added
>>>>> "provide-keys" operation for semi-manual client registration. Here is the
>>>>> final list with sample requests and responses.
>>>>>
>>>>>
>>>>> POST  /applications/{applicationId}/generate-keys
>>>>>
>>>>> {
>>>>>   "keyType": "PRODUCTION",
>>>>>   "grantTypesToBeSupported": [
>>>>>     "client-credentials", "password"
>>>>>   ],
>>>>>   "callbackUrl": "http://localhost/callback"}
>>>>>
>>>>>
>>>>> Response
>>>>>
>>>>> {
>>>>>   "consumerKey": "xxxxxxxxxxxxxxxxxx",
>>>>>   "consumerSecret": "yyyyyyyyyyyyyyyyyyy",
>>>>>   "supportedGrantTypes": [
>>>>>     "client-credentials", "password"
>>>>>   ],
>>>>>   "callbackUrl": "http://localhost/callback",
>>>>>   "keyType": "PRODUCTION"}
>>>>>
>>>>>
>>>>>
>>>>> POST  /applications/{applicationId}/provide-keys
>>>>>
>>>>> {
>>>>>   "consumerKey": "xxxxxxxxxxxxxxxxxxxx",
>>>>>   "consumerSecret": "yyyyyyyyyyyyyyyyyyy",
>>>>>   "keyType": "PRODUCTION"}
>>>>>
>>>>>
>>>>> Response
>>>>>
>>>>> {
>>>>>   "consumerKey": "xxxxxxxxxxxxxxxxxx",
>>>>>   "consumerSecret": "yyyyyyyyyyyyyyyyyyy",
>>>>>   "supportedGrantTypes": [
>>>>>     "client-credentials", "password"
>>>>>   ],
>>>>>   "callbackUrl": "http://localhost/callback",
>>>>>   "keyType": "PRODUCTION"}
>>>>>
>>>>>
>>>>>
>>>>> POST  /applications/{applicationId}/generate-tokens
>>>>>
>>>>> {
>>>>>   "consumerKey": "xxxxxxxxxxxxxxxxxxxxx",
>>>>>   "consumerSecret": "yyyyyyyyyyyyyyyyyyyyyy",
>>>>>   "validityPeriod": 3600,
>>>>>   "scopes": "read write delete",
>>>>>   "revokeToken": "zzzzzzzzzzzzzzzzzzzzz"}
>>>>>
>>>>>
>>>>> Response
>>>>>
>>>>> {
>>>>>   "accessToken": "aaaaaaaaaaaaaaaaaaaaaaaaa",
>>>>>   "tokenScopes": "read write",
>>>>>   "validityTime": 3600}
>>>>>
>>>>>
>>>>>
>>>>> [1] [APIM][C5] Splitting "Generate Keys" operation in Store REST API
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> *Bhathiya Jayasekara*
>>>>> *Associate Technical Lead,*
>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>>>
>>>>> *Phone: +94715478185 <071%20547%208185>*
>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>> <http://www.linkedin.com/in/bhathiyaj>*
>>>>> *Twitter: https://twitter.com/bhathiyax
>>>>> <https://twitter.com/bhathiyax>*
>>>>> *Blog: http://movingaheadblog.blogspot.com
>>>>> <http://movingaheadblog.blogspot.com/>*
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks and Regards,
>>>>
>>>> Isuru H.
>>>> +94 716 358 048 <071%20635%208048>* <http://wso2.com/>*
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>>
>>> *Thanks & Regards,*
>>> *Nuwan Bandara | Director - **Solutions Architecture,  WSO2 Inc.*
>>> *+1 646 643 8618 <(646)%20643-8618> | +1 650 745 2169 Ext 4212
>>> <(650)%20745-2169> | http://nuwanbando.com <http://nuwanbando.com> *
>>> <http://www.nuwanbando.com/>
>>>
>>
>>
>>
>> --
>> Chintana Wilamuna | Associate Director/Solutions Architect | WSO2
>> <http://wso2.com/> Inc.
>> 408 429 3321 | http://engwar.com/
>>
>>
>
>
> --
>
>
> *Thanks & Regards,*
> *Nuwan Bandara | Director - **Solutions Architecture,  WSO2 Inc.*
> *+1 646 643 8618 <+1%20646-643-8618> | +1 650 745 2169 Ext 4212
> <+1%20650-745-2169> | http://nuwanbando.com <http://nuwanbando.com> *
> <http://www.nuwanbando.com/>
>



-- 
*Bhathiya Jayasekara*
*Associate Technical Lead,*
*WSO2 inc., http://wso2.com <http://wso2.com>*

*Phone: +94715478185*
*LinkedIn: http://www.linkedin.com/in/bhathiyaj
<http://www.linkedin.com/in/bhathiyaj>*
*Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
*Blog: http://movingaheadblog.blogspot.com
<http://movingaheadblog.blogspot.com/>*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
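
The generate-tokens sample quoted in the thread requests `read write delete` and receives `read write`. As an added example (not part of the thread and not WSO2 code), this Python code checks such a response against its request and masks the secret fields before a body is logged. The function names are hypothetical, and it assumes `tokenScopes` lists the granted scopes and `validityTime` uses the same unit as `validityPeriod`.

```python
# Constructed samples: the generate-tokens request and response bodies quoted
# in the thread, with their placeholder credentials (not real values).
SAMPLE_REQUEST = {
    "consumerKey": "xxxxxxxxxxxxxxxxxxxxx",
    "consumerSecret": "yyyyyyyyyyyyyyyyyyyyyy",
    "validityPeriod": 3600,
    "scopes": "read write delete",
    "revokeToken": "zzzzzzzzzzzzzzzzzzzzz",
}
SAMPLE_RESPONSE = {
    "accessToken": "aaaaaaaaaaaaaaaaaaaaaaaaa",
    "tokenScopes": "read write",
    "validityTime": 3600,
}
SECRET_FIELDS = {"consumerSecret", "revokeToken", "accessToken"}


def check_token_response(request, response):
    """Compare a generate-tokens response with the request that produced it."""
    problems = ["missing field: " + f
                for f in ("accessToken", "tokenScopes", "validityTime")
                if f not in response]
    if problems:
        return {"granted": [], "dropped": [], "problems": problems}

    requested = set(request.get("scopes", "").split())
    granted = set(response["tokenScopes"].split())

    # A token carrying scopes nobody asked for is broader than intended.
    extra = granted - requested
    if extra:
        problems.append("unrequested scopes granted: " + " ".join(sorted(extra)))
    # Assumption: validityTime and validityPeriod share one unit.
    if "validityPeriod" in request and response["validityTime"] > request["validityPeriod"]:
        problems.append("token lives longer than requested")
    if not response["accessToken"]:
        problems.append("empty accessToken")

    # "dropped" tells the caller which requested scopes the token lacks,
    # so it can fail early instead of at the first denied API call.
    return {"granted": sorted(granted),
            "dropped": sorted(requested - granted),
            "problems": problems}


def redact(body):
    """Return a copy of a request/response body that is safe to log."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in body.items()}
```
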
