Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.
...
The API Manager comes with a pre-created default application, which allows unlimited access by default. You can also create your own applications.
...
Callback URL
A callback URL is a URL that sends a callback to a specific server or a program soon after your application request is sent. The callback URL is specified when generating or re-generating production or sandbox keys for an application. You can either provide a single application callback URL or a RegEx pattern as the callback URL. You should use a RegEx pattern as the callback URL when you need to specify multiple callback URLs for an applicable.
For example, in a situation where you have two (2) service providers that need to use the same application that have the following callback URLs.
- https://mytestapp.com/callback
- https://testapp:8000/callback
Your callback URL should have the following RegEx pattern.
Code Block |
---|
regexp=(https://mytestapp.com/callback|https://testapp:8000/callback) |
Tip |
---|
You can configure any RegEx pattern to match the callback URLs that you need to register with the application. However, it is mandatory have the prefix |
...
Access tokens
An access token is a simple string that is passed as an HTTP header of a request. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a
." Access tokens authenticate API users and applications, and ensure better security (e.g., certain types of prevent DoS attacks. Note that DoS attacks coming to key manager with random access tokens can not be prevented, and DoS attacks with same fake acess token can affect the gateway as well). If a token that is passed with a request is invalid, the request is discarded in the first stage of processing. Access tokens work equally well for SOAP and REST calls.
...
Cross-origin resource sharing ( CORS ) is a mechanism that allows restricted resources (e.g., fonts, JavaScript) of a Web page to be requested from another domain outside the domain from which the resource originated.
The Swagger API Console that is integrated in the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Therefore, if you have the API Store and Gateway running on different ports, enable CORS between them.
...
Code Block | ||
---|---|---|
| ||
<handlers> <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/> </handlers> |
...
OAuth scopes
Scopes enable fine-grained access control to API resources based on user roles. You define scopes to an API's resources. When a user invokes the API, his/her OAuth 2 bearer token cannot grant access to any API resource beyond its associated scopes.
...