+1. In API Manager 3.0 we did not introduce such a concept anyway. Are you suggesting we remove this from 2.x as well?
On Thu, 29 Mar 2018 at 1:17 pm, Sanjeewa Malalgoda <[email protected]> wrote:

> Hi All,
> In API Manager we have application access token and user access token
> concept. Application access token is the token obtained using resource
> owner grant type. User access token is the token obtained by a user (can be
> application owner or someone else) by using any grant type. Initially we
> introduced this feature to control resource level access of APIs.
>
> As an example we can think of one API (camera API) which has 2
> resources (1. View photo 2. Add photo). Then we will need to let users view
> photos without logging in to the system (means obtain token for user). In that
> case we can limit view resource to application access token and mandate to use
> user token to add photo. This way we can maintain resource access control.
>
> With the scopes concept we can still do the same. We can give read scope to view
> photo and generate token for that embed with app. If a user needs to take a
> photo then he will have to get a token with write (access add photo) scope. In
> the OAuth spec also we cannot see this type of differentiation. So considering
> all these shall we remove application access token concept from API
> Manager? Any limitations with this?
>
> Thanks,
> sanjeewa.
>
> --
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94713068779
> blog : http://sanjeewamalalgoda.blogspot.com/

--
Nuwan Dias
Software Architect - WSO2, Inc.
http://wso2.com
email : [email protected]
Phone : +94 777 775 729
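Added example, not part of the thread and not WSO2 code: the camera API from the quoted message, enforced once by token type and once by scope, to check that both models give the same decisions. The paths, token kinds, scope names and the `issue` helper are assumptions made for illustration; the comparison assumes the token issuer never grants `write` without an authenticated user.

```python
from dataclasses import dataclass

# Constructed policy tables for the camera API (names are illustrative).
TOKEN_TYPE_POLICY = {
    ("GET", "/photos"): {"application", "user"},  # view photo: app token is enough
    ("POST", "/photos"): {"user"},                # add photo: user token required
}
SCOPE_POLICY = {
    ("GET", "/photos"): "read",
    ("POST", "/photos"): "write",
}

@dataclass(frozen=True)
class Token:
    kind: str          # "application" or "user"
    scopes: frozenset  # scopes granted at issuance

def allow_by_token_type(token, method, path):
    allowed = TOKEN_TYPE_POLICY.get((method, path))
    return allowed is not None and token.kind in allowed  # unknown resource: deny

def allow_by_scope(token, method, path):
    required = SCOPE_POLICY.get((method, path))
    return required is not None and required in token.scopes

def issue(kind, requested, user_authenticated):
    """Hypothetical issuer: 'write' is granted only when a user authenticated."""
    granted = {"read"} & set(requested)
    if kind == "user" and user_authenticated:
        granted |= {"write"} & set(requested)
    return Token(kind, frozenset(granted))

def compare_models():
    """Return (kind, method, path, by_type, by_scope) for each token and resource."""
    tokens = (
        issue("application", ["read", "write"], user_authenticated=False),
        issue("user", ["read", "write"], user_authenticated=True),
    )
    return [
        (t.kind, m, p, allow_by_token_type(t, m, p), allow_by_scope(t, m, p))
        for t in tokens
        for (m, p) in TOKEN_TYPE_POLICY
    ]

if __name__ == "__main__":
    for row in compare_models():
        print(row)
```

The two checks agree only because `issue` drops `write` for the embedded application token; if the issuer granted every requested scope, the scope check alone would let that token add photos.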
