In WSO2 API Manager versions prior to 1.9.0, the components were tightly coupled with the Key Manager, and token validation was done by directly accessing the databases. However, from WSO2 API Manager 1.9.0 onwards, you can plug different OAuth2 providers into the key validation. When you call an API providing an access token, the execution flows through the handlers specified in the API. Among them, the API authentication handler extracts the token from the header and calls APIKeyValidationService to get the token validated. Upon validating the token, the API Gateway receives APIKeyValidationInfoDTO as the response. The , using which the rest of the operations are performed using that token.
Before decoupling was done, the entire key validation process was executed inside a single method named validateKey(), which performed all the operations by running a single query. After decoupling, that single query was broken down into smaller parts by introducing KeyValidationHandler, which runs inside the validateKey() operation, providing a way to extend each step.
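The decoupled flow described above, modelled as an added example that is not WSO2 code: an orchestrator in the role of validateKey() delegates to a pluggable handler and denies the request on the first failed step or on any error. The Steps interface, its method names, the Result and TokenInfo records, and the sample tokens and API name are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
// Simplified model, NOT the WSO2 classes: Result stands in for the validation
// response DTO, Steps for the pluggable handler. All names are hypothetical.
public class KeyValidationSketch {
    record Result(boolean authorized, String reason) {}
    record TokenInfo(String consumerKey, Set<String> scopes, long expiresAtMillis) {}

    // Each step can be replaced independently, e.g. to ask an external OAuth2 provider.
    interface Steps {
        TokenInfo validateToken(String accessToken);            // null = unknown token
        boolean validateSubscription(TokenInfo t, String api);
        boolean validateScopes(TokenInfo t, String requiredScope);
    }

    // Orchestrator in the role of validateKey(): runs the steps in order and
    // denies on the first failure or on any exception (fail closed).
    static Result validateKey(Steps h, String token, String api, String scope) {
        try {
            TokenInfo t = h.validateToken(token);
            if (t == null) return new Result(false, "invalid token");
            if (t.expiresAtMillis() <= System.currentTimeMillis()) return new Result(false, "expired token");
            if (!h.validateSubscription(t, api)) return new Result(false, "no subscription");
            if (!h.validateScopes(t, scope)) return new Result(false, "scope not granted");
            return new Result(true, "ok");
        } catch (RuntimeException e) {
            return new Result(false, "validation error");
        }
    }

    public static void main(String[] args) {
        long future = System.currentTimeMillis() + 60_000;
        // Constructed sample data standing in for a third-party provider's token store.
        Map<String, TokenInfo> provider = Map.of(
            "tok-good", new TokenInfo("app1", Set.of("read"), future),
            "tok-old", new TokenInfo("app1", Set.of("read"), 0L));
        Map<String, Set<String>> subscriptions = Map.of("app1", Set.of("PizzaAPI"));
        Steps custom = new Steps() {
            public TokenInfo validateToken(String tok) { return provider.get(tok); }
            public boolean validateSubscription(TokenInfo t, String api) {
                return subscriptions.getOrDefault(t.consumerKey(), Set.of()).contains(api);
            }
            public boolean validateScopes(TokenInfo t, String s) { return t.scopes().contains(s); }
        };
        for (String[] c : new String[][] {{"tok-good", "read"}, {"tok-old", "read"}, {"tok-good", "write"}, {"nope", "read"}})
            System.out.println(c[0] + " " + c[1] + " -> " + validateKey(custom, c[0], "PizzaAPI", c[1]));
    }
}
```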
...