Versions Compared

Comment: Added information on callback URLs

Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.

...

The API Manager comes with a pre-created default application, which allows unlimited access by default. You can also create your own applications.

...

Callback URL

A callback URL is a URL to which the authorization server sends a callback (for example, the authorization response) shortly after your application's request is sent. The callback URL is specified when generating or regenerating the production or sandbox keys for an application. You can provide either a single application callback URL or a RegEx pattern as the callback URL. Use a RegEx pattern when you need to register multiple callback URLs for one application.

For example, consider a situation where two (2) service providers need to use the same application and have the following callback URLs.

  • https://mytestapp.com/callback
  • https://testapp:8000/callback

Your callback URL should have the following RegEx pattern.

Code Block
regexp=(https://mytestapp.com/callback|https://testapp:8000/callback)
Tip

You can configure any RegEx pattern to match the callback URLs that you need to register with the application. However, the prefix regexp= before the pattern is mandatory.
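As an added example (not code from the original page or from the API Manager itself), the following Python shows how an application could check an incoming redirect URI against the registered callback setting, honoring the mandatory regexp= prefix, and how to build such a pattern from a list of URLs with RegEx metacharacters escaped. The function names and the sample URIs beyond the two listed above are assumptions.

```python
import re
from typing import List, Tuple

REGEX_PREFIX = "regexp="  # mandatory prefix for a pattern-style callback URL


def parse_callback_setting(value: str) -> Tuple[str, str]:
    """Classify a callback setting as a single literal URL or a RegEx pattern.

    Returns ("regex", pattern) when the mandatory prefix is present,
    otherwise ("literal", url). A malformed pattern raises re.error.
    """
    value = value.strip()
    if value.startswith(REGEX_PREFIX):
        pattern = value[len(REGEX_PREFIX):]
        re.compile(pattern)
        return ("regex", pattern)
    return ("literal", value)


def callback_allowed(setting: str, redirect_uri: str) -> bool:
    """True only if redirect_uri is exactly one of the registered callbacks.

    A pattern is applied with fullmatch, so a registered URL that merely
    appears as a prefix or substring of a longer, unregistered URI is rejected.
    """
    kind, value = parse_callback_setting(setting)
    if kind == "literal":
        return redirect_uri == value
    return re.fullmatch(value, redirect_uri) is not None


def build_callback_setting(urls: List[str]) -> str:
    """Build a regexp= setting from literal URLs, escaping metacharacters.

    The pattern quoted in the text leaves the '.' in mytestapp.com unescaped,
    so it also matches any single character there; escaping avoids that.
    """
    return REGEX_PREFIX + "(" + "|".join(re.escape(u) for u in urls) + ")"


# Constructed sample values; the two registered URLs are the ones in the text above.
REGISTERED = ["https://mytestapp.com/callback", "https://testapp:8000/callback"]
SETTING = "regexp=(https://mytestapp.com/callback|https://testapp:8000/callback)"

if __name__ == "__main__":
    strict = build_callback_setting(REGISTERED)
    for uri in REGISTERED + ["https://mytestapp.com/callback/extra", "https://mytestappXcom/callback"]:
        print(f"{uri}: page pattern={callback_allowed(SETTING, uri)} escaped={callback_allowed(strict, uri)}")
```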

...

Access tokens

An access token is a simple string that is passed as an HTTP header of a request. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a." Access tokens authenticate API users and applications, and ensure better security (e.g., they prevent certain types of DoS attacks). Note that DoS attacks that hit the Key Manager with random access tokens cannot be prevented, and DoS attacks that reuse the same fake access token can affect the Gateway as well. If the token passed with a request is invalid, the request is discarded in the first stage of processing. Access tokens work equally well for SOAP and REST calls.

...

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g., fonts, JavaScript) of a Web page to be requested from another domain outside the domain from which the resource originated.

The Swagger API Console that is integrated in the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Therefore, if you have the API Store and Gateway running on different ports, enable CORS between them. 

...

Code Block (xml)
<handlers>
   <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/>
</handlers>

...

OAuth scopes

Scopes enable fine-grained access control to API resources based on user roles. You assign scopes to an API's resources. When a user invokes the API, his/her OAuth 2 bearer token cannot grant access to any API resource beyond the scopes associated with that token.

...