In WSO2 API Manager versions prior to 1.9.0, the components were tightly coupled with the Key Manager and and token validation was done by directly accessing the databases. However, from WSO2 API Manager 1.9.0 onwards, you can plug different OAuth2 providers to the key validation. When you call an API providing an access token, the execution flows through the handlers specified in the API. Among them, the API authentication handler extracts the token from the header and calls APIKeyValidationService to get the token validated. Upon validating the token, the token gateway API Gateway receives APIKeyValidationInforDTO as the response. The , using which the rest of the operations are performed using that token.
Before decoupling was done, the entire key validation process was executed inside a single method named validateKey(), which performed all the operations by running a single query. After decoupling, that single query was broken down into smaller parts by introducing KeyValidationHandler which runs inside the validateKey() operation, providing a way to extend each step.
...
However, there are situations where you need to customize the default key validation flow according to different requirements. In such situations, API Manager provides the facility to extend the KeyValidationHandler and it's its methods.
A few examples are listed below.
...