HI Azeez, Application can associated with multiple APIs(bundle of APIs). Both secured and non secured APIs can bundled into same application. So API creator should document how to use tokens for his API and whether it is secured or not. consumer key and secret keys can use for all apis within that application.
Thanks. Sanjeewa. On Fri, Mar 29, 2013 at 11:16 PM, Afkham Azeez <[email protected]> wrote: > > > > On Fri, Mar 29, 2013 at 9:31 PM, Sumedha Rubasinghe <[email protected]>wrote: > >> On Fri, Mar 29, 2013 at 7:36 PM, Afkham Azeez <[email protected]> wrote: >> >>> >>> >>> On Fri, Mar 29, 2013 at 6:42 PM, Afkham Azeez <[email protected]> wrote: >>> >>>> >>>> >>>> On Fri, Mar 29, 2013 at 12:36 PM, Sumedha Rubasinghe >>>> <[email protected]>wrote: >>>> >>>>> 1.Your are a developer who have subscribed to 'twitter-search' api >>>>> 2. You write a mobile application that makes use of 'twitter-search' >>>>> api >>>>> 3. But if you hard code the Access Token in this mobile application, >>>>> all your app installations will use the same access token >>>>> 4. Thus from a management point of view, >>>>> - it token expires - all app installations will fail >>>>> - if there is one malicious user, cannot revoke the token b'cos >>>>> everyone will be impacted >>>>> - you cannot collect much useful statistics since every access >>>>> happens through same token >>>>> - and many more limitations >>>>> >>>>> 5. In order to solve issues like above, there is a token API through >>>>> which each installation of the application can get their own token >>>>> 6. During development time, you will be hardcoding Consumer Key & >>>>> Consumer Secret (which are specific to the application) in side the code >>>>> 7. When you application gets installed on my mobile, I login go the >>>>> application using my username & password. If this is the first time after >>>>> installation, you application calls Token API with following. >>>>> >>>>> "grant_type=password&username=sumedha&password=password" -H >>>>> "Content-Type: application/x-www-form-urlencoded" -H "Authorization :Basic >>>>> ****[ABC]" https://127.0.0.1:8243/login >>>>> >>>>> Here ****[ABC] = Base64Encode(consumer key + '.' + consumer secret) >>>>> >>>>> So inside the Token API, >>>>> ****[ABC] identifies to which application token is generated, >>>>> username/password combination authenticates Sumedha's login, it also >>>>> records that token is issued under my name. >>>>> >>>>> >>>> So these two values are valid only if the API has been secured, and is >>>> irrelevant if it hasn't been secured? >>>> >>>> >>> So from what I understood, the Consumer Key & Secret are valid only if >>> the API is secured. You need to call an authorization API first, obtain a >>> token and make the subsequent actual requests using that token. So, should >>> we be generating these if the API was not secured? Also, is this >>> information available in API-M docs? >>> >> >> OAuth2 token is the means of securing the API... API not secured = no >> token required. >> There is a new doc coming up with 1.4.0 with this level of explanation. >> >> > Yes that is true, but if the API has not been secured, do we really need > to show the consumer secret & key? > > _______________________________________________ > Dev mailing list > [email protected] > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- *Sanjeewa Malalgoda* WSO2 Inc. Mobile : +14084122175 | +94713068779 <http://sanjeewamalalgoda.blogspot.com/>blog :http://sanjeewamalalgoda.blogspot.com/<http://sanjeewamalalgoda.blogspot.com/>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
