/
Working with Access Tokens
com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Working with Access Tokens

Nov 20, 2017

Access tokens are used to authenticate users. They are generated by API consumers and need to be passed in the incoming API requests. The API key (i.e., the generated access token) is a simple string that is passed as an HTTP header. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a." It works equally well for SOAP and REST calls.

Authorizing requests coming to published APIs using access tokens helps you prevent DoS attacks. If the token passed with a request is invalid, the API Manager discards that request in the first stage of processing itself.

WSO2 API Manager provides two types of access tokens for authentication:

  • Application Access Tokens: Tokens to identify and authenticate an entire application. An application is a logical collection of many APIs. With a single application access token, you can invoke all of these APIs.

  • User Access Tokens: Tokens to identify the final user of an application. For example, the final user of a mobile application deployed on different devices.

In WSO2 API-M the access token must be unique for the following combinations - CONSUMER_KEY, AUTHZ_USER, USER_TYPE, TOKEN_STATE, TOKEN_STATE_ID and TOKEN_SCOPE. The latter mentioned constraint is defined in the IDN_OAUTH2_ACCESS_TOKEN table. Therefore, it is not possible to have more than one Access Token for any of the above combinations.

Let's take a look at how to generate and renew each type of access token.

Generating application access tokens

Tokens to authenticate an application, which is a logical collection of APIs. You can access all APIs associated with an application using a single token, and also subscribe multiple times to a single API with different SLA levels. Application access tokens leverage OAuth2 to provide simple key management.

The steps below describe how to generate/renew application access tokens:

  1. Log in to the API Store.

  2. Click the My Subscriptions menu, select the application from the drop-down list and click the Generate Keys button to create a new access token.

    Whenever an API call happens, the Gateway checks if the request originated from an allowed domain and grants access accordingly. You can specify these domains in the  Allowed Domains text box. This ensures that clients from a restricted domain cannot access an API even if an application key is stolen (when the key is placed in client-side JS code).

Generating user access tokens

Tokens to authenticate the final user of an API and are valid for all APIs subscribed to a user via a particular application. User access tokens allow you to invoke an API even from a third-party application like a mobile app. You generate/renew a user access token by calling the Login API through a REST client. For more information, see Token API.

Tip: By default, access tokens, consumer keys and consumer secrets are not encrypted in the database. An admin can enable encryption as follows.

  • Set the value of <EncryptPersistedTokens> to true inside the <APIKeyValidator> element in the <APIM_HOME>/repository/conf/api-manager.xml file.

  • Change the <TokenPersistenceProcessor> to org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the <APIM_HOME>/repository/conf/identity/identity.xml file.

Tip: If you want to keep authorization headers in messages that are going out from the API Gateway, an admin can go to the <API Gateway Node>/repository/conf/api-manager.xml file, uncomment the <RemoveOAuthHeadersFromOutMessage> element, set its value to false and then restart the server to apply the changes.

Note that when a user is deleted, the access token is automatically invalidated.

Renewing application access tokens

When an application access token expires, consumers can refresh the token by logging into the API Store, selecting the My Subscriptions link at the top of the screen, and clicking Re-generate. You can also specify a token expiration time for the application access token or change its allowed domains. Set to a negative value to ensure that the token never expires.

Renewing user access tokens

To renew a user token, issue a REST call to the WSO2 Login API through a REST client. For more information, see Renew User Tokens.

You can configure the API Manager instances to store access tokens in different tables according to their user store domain. This is referred to as user token partitioning and it ensures better security when there are multiple user stores in the system. For configuration details, see user token partitioning.

Changing the default token expiration time

Access tokens have an expiration time, which is set to 60 minutes by default.

  • To change the default expiration time of application access tokens,

    • Change the value of the <ApplicationAccessTokenDefaultValidityPeriod> element in the <APIM_HOME>/repository/conf/identity/identity.xml file. Set to a negative value to ensure that the token never expires. Changes to this value are applied only to the new applications that you create.

    • Alternatively, you can set a default expiration time through the UI when generating/regenerating the application access token. This is explained in previous sections.

  • Similarly, to change the default expiration time of user access tokens, edit the value of the <UserAccessTokenDefaultValidityPeriod> element in the identity.xml file.

Also see Configuring Caching for several caching options available to optimize key validation.

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.