api - Why does an application user token need to be used for mobile applications?


In WSO2 APIM, according to the documentation on generating user access tokens [1]: https://docs.wso2.org/display/am140/generating+access+tokens+to+invoke+apis , it says 'user-level tokens allow users to invoke an API from a third-party application such as a mobile app'.

  1. Are these user access tokens used to avoid the client_id and client_secret being exposed via untrusted mobile applications?
  2. If so, when creating an application user token with the Token API [2]: https://docs.wso2.org/display/am160/token+api , in the request below

curl -k -d "grant_type=password&username=<username>&password=<password>&scope=production" -H "Authorization: Basic svpzswk2seriqjvlofzlzfpbblvpx2zam2y4ytphbtbisjzvv1y4zkm1t1fmtgxdnmpzbefdvzhh" -H "Content-Type: application/x-www-form-urlencoded" https://<token-endpoint>

the username, password, and the Base64-encoded string of client_id:client_secret are sent to create a new token. Does that mean the username, password, and encoded client_id:client_secret need to be saved in the mobile application? If so, since a mobile application can be decompiled and this information extracted (even decoding the Base64-encoded string of client_id:client_secret), the client_id and client_secret are exposed to others.

How is this handled in WSO2 APIM? Please correct me if I have misunderstood the concept here.

Your understanding is correct. In the mobile application case, I believe it is based on the app design.

For example, when a mobile user logs in to the mobile app, the app has to authenticate with a central system that runs on the API Manager server. That system internally hard-codes the secret key and consumer key to make requests to the backend. So, when the user authenticates with the central system, the user's login session, username and password are extracted to make the API call. That is also how the server manages throttling. It is not like the mobile app contains the logic.
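The design the answer describes, a server-side broker that holds the consumer key/secret and exchanges the user's login for a token so the mobile app never carries the client credentials, as an added Python example that is not part of the original question or answer and not WSO2's own code. The token endpoint URL, the consumer key/secret, the user credentials and the stand-in token API are assumptions constructed for the example. It also shows the point made in the question: the Basic header is only Base64-encoded, so anything extracted from a decompiled app decodes back to client_id:client_secret in one call.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Hypothetical values (assumptions for this example). In the answer's design these
# live only on the central server; the mobile app never receives them.
TOKEN_ENDPOINT = "https://apim.example.test/token"
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

Transport = Callable[[str, Dict[str, str], bytes], Dict[str, str]]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic value the token API expects: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover client_id and client_secret from a Basic header.

    Base64 is an encoding, not encryption: whoever pulls this header out of a
    decompiled app gets the consumer key and secret back with this one call.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded).decode("utf-8")
    client_id, _, client_secret = decoded.partition(":")
    return client_id, client_secret


def build_password_grant(username: str, password: str, scope: str,
                         client_id: str, client_secret: str) -> Tuple[Dict[str, str], bytes]:
    """Assemble headers and form body for a password-grant request to the token API."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }).encode("utf-8")
    return headers, body


def _http_post_json(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, str]:
    """Real transport: POST the form and parse the JSON token response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def broker_login(username: str, password: str, scope: str = "production",
                 transport: Optional[Transport] = None) -> Dict[str, str]:
    """Server-side step of the answer's design: the central system takes the user's
    login, adds the consumer key/secret it holds, calls the token API, and hands
    back only the user token. `transport` is injectable so the example runs offline."""
    headers, body = build_password_grant(username, password, scope, CONSUMER_KEY, CONSUMER_SECRET)
    send = transport or _http_post_json
    response = send(TOKEN_ENDPOINT, headers, body)
    # Return only what the mobile client needs; the secret never leaves this process.
    return {k: response[k] for k in ("access_token", "refresh_token", "expires_in") if k in response}


def fake_token_endpoint(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, str]:
    """Constructed stand-in for the token API so the example runs offline. It checks
    the same two things a real endpoint would: client credentials in the Basic
    header and a password grant in the body."""
    client_id, client_secret = decode_basic_auth(headers["Authorization"])
    if (client_id, client_secret) != (CONSUMER_KEY, CONSUMER_SECRET):
        return {"error": "invalid_client"}
    form = urllib.parse.parse_qs(body.decode("utf-8"))
    if form.get("grant_type") != ["password"]:
        return {"error": "unsupported_grant_type"}
    return {"access_token": f"tok-for-{form['username'][0]}", "refresh_token": "rt-1",
            "expires_in": "3600", "scope": form["scope"][0]}


if __name__ == "__main__":
    # Constructed user credentials; the mobile app sends these to the broker, not to the token API.
    print(broker_login("alice", "s3cret", transport=fake_token_endpoint))
```

The only secret the mobile app holds is the user's own login; the consumer key/secret sit in `broker_login`'s process. If instead the app shipped the output of `basic_auth_header`, `decode_basic_auth` shows how little protection that gives.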

