Hi,

As a part of decoupling the Authorization Server from API Manager, the capability should be provided to customise the token validation step. Since the OAuth2TokenValidationService, defined in the org.wso2.carbon.identity.oauth2 component, already supports executing additional validation steps, this service will be used for validating tokens for API invocations in future.

Before using this service, certain changes need to be done:

1. The existing service for Key Validation returns certain details such as subscriber, Application Tier, subscribed Tier and API Owner, which are used to throttle API calls and to publish statistics. If we are to pass these details when using OAuth2TokenValidationService, the response DTO (OAuth2TokenValidationResponseDTO) should be modified to pass custom attributes.

2. OAuth2TokenValidationService has two operations - validate and findOAuthConsumerIfTokenIsValid. The latter retrieves a token stored in the IDN_OAUTH2_ACCESS_TOKEN table and verifies that it was obtained for a registered client App. The validate operation calls this method before sending the response. This behaviour too needs to be changed because, when using an external Authorization Server, the token will not be stored on our side.

--
*Amila De Silva*
WSO2 Inc.
mobile : (+94) 775119302
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
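To make the two proposed changes concrete, here is an added sketch (not Amila's code and not the WSO2 OAuth2TokenValidationService API; all class and method names are hypothetical) of a validation service whose response DTO carries the key-validation details as custom attributes, and whose consumer-app check is pluggable so it can be bypassed when the token comes from an external Authorization Server and is not in IDN_OAUTH2_ACCESS_TOKEN:

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical sketch of the proposed design; not WSO2 code.
public class TokenValidationSketch {
    // Response DTO extended with custom attributes (subscriber, tiers, API owner, ...).
    public static class ValidationResponse {
        public boolean valid;
        public String errorMsg;
        public final Map<String, String> customAttributes = new LinkedHashMap<>();
    }
    // One additional validation step; it may populate custom attributes on success.
    public interface ValidationStep { boolean apply(String token, ValidationResponse response); }
    // The consumer-app check is injected so a local lookup is not hard-wired into validate().
    public interface ConsumerAppCheck { boolean tokenBelongsToRegisteredApp(String token); }

    private final List<ValidationStep> steps = new ArrayList<>();
    private final ConsumerAppCheck consumerCheck;

    public TokenValidationSketch(ConsumerAppCheck consumerCheck) { this.consumerCheck = consumerCheck; }
    public void addStep(ValidationStep step) { steps.add(step); }

    public ValidationResponse validate(String token) {
        ValidationResponse r = new ValidationResponse();
        for (ValidationStep step : steps) {
            if (!step.apply(token, r)) { r.valid = false; r.errorMsg = "validation step failed"; return r; }
        }
        if (!consumerCheck.tokenBelongsToRegisteredApp(token)) {
            r.valid = false; r.errorMsg = "token not issued to a registered client app"; return r;
        }
        r.valid = true;
        return r;
    }

    public static void main(String[] args) {
        // External Authorization Server: no local token row, so the consumer check is a no-op.
        TokenValidationSketch svc = new TokenValidationSketch(token -> true);
        // Constructed stand-in for asking the external server about the token; fills the
        // attributes the API Manager needs for throttling and statistics.
        svc.addStep((token, r) -> {
            if (!token.startsWith("ext-")) return false;
            r.customAttributes.put("subscriber", "alice");
            r.customAttributes.put("applicationTier", "Gold");
            r.customAttributes.put("subscribedTier", "Silver");
            r.customAttributes.put("apiOwner", "admin");
            return true;
        });
        ValidationResponse r = svc.validate("ext-sample-token");
        System.out.println(r.valid + " " + r.customAttributes);
    }
}
```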
