In WSO2 APIM, according to the documentation on generating user access tokens [1]: https://docs.wso2.org/display/AM140/Generating+Access+Tokens+to+Invoke+APIs , it says 'User-level tokens allow users to invoke an API even from a third-party application like a mobile app'.
- Are these user access tokens used to avoid client_id and client_secret being exposed via untrusted mobile applications?
- If so, when creating the application user token with the token API [2]: https://docs.wso2.org/display/AM160/Token+API , as in the request below
curl -k -d "grant_type=password&username=&password=&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://<gateway-host>:8243/token
the username, password and the base64-encoded string of client_id:client_secret are sent to create a new token. Does this mean the username, password and encoded client_id:client_secret need to be saved in the mobile application? If so, since the mobile application can easily be decompiled and this information extracted (even by decoding the base64-encoded string of client_id:client_secret), client_id and client_secret will be exposed to others.
How is this handled in WSO2 APIM? Please correct me if I have misunderstood the concept here.
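As an added illustration that is not part of the question or of WSO2's own code, the script below builds the same password-grant request the curl command sends and then reverses the Basic Authorization header, showing that base64 is encoding rather than encryption and that whatever holds the header holds the client secret. The client id, client secret, username and password passed in at the bottom are constructed sample values; the header constant is the one from the question's curl command.

```python
import base64
from urllib.parse import urlencode

# Added example (not from the question or the WSO2 docs): builds the
# password-grant request the question's curl command sends, then shows that
# the Basic Authorization header can be reversed to recover client_id and
# client_secret, which is the exposure the question is concerned about.


def build_token_request(client_id, client_secret, username, password, scope="PRODUCTION"):
    """Return (headers, body) for the password grant against the token API.

    The credentials are only base64-encoded: anyone who can read the header
    (for example from a decompiled app or a captured request) has the secret.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode escapes '&', '=' and other reserved characters, which a
    # hand-built body like the one in the curl command would get wrong.
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    })
    return headers, body


def recover_client_credentials(authorization_header):
    """Decode a 'Basic <base64>' header back into (client_id, client_secret)."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not an HTTP Basic Authorization header")
    decoded = base64.b64decode(token).decode()
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credentials must be client_id:client_secret")
    return client_id, client_secret


# The Authorization header value from the curl command in the question.
HEADER_FROM_QUESTION = (
    "Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh"
)

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    headers, body = build_token_request("my-client-id", "my-client-secret", "alice", "p&ss=word")
    print(body)
    print(recover_client_credentials(headers["Authorization"]))
    print(recover_client_credentials(HEADER_FROM_QUESTION))
```

Running it prints the properly escaped form body and, for both the constructed header and the one from the question, the client id and secret in clear text; that is exactly why a secret compiled into a distributable app should be treated as already disclosed.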