In WSO2 APIM, the documentation on generating user access tokens [1]: https://docs.wso2.org/display/AM140/Generating+Access+Tokens+to+Invoke+APIs says: 'User-level tokens allow users to invoke an API even from a third-party application like a mobile app'.

  1. Are these user access tokens used to avoid exposing the client_id and client_secret via untrusted mobile applications?
  2. If so, when creating the application user token with the Token API [2]: https://docs.wso2.org/display/AM160/Token+API , as in the request below

curl -k -d "grant_type=password&username=&password=&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded"

the username, password and the base64-encoded string of client_id:client_secret are sent to create a new token. Does this mean the username, password and encoded client_id:client_secret need to be saved in the mobile application? If so, since the mobile application can easily be decompiled and this information extracted (even by decoding the base64-encoded string of client_id:client_secret), the client_id and client_secret will be exposed to others.

How is this handled in WSO2 APIM? Please correct me if I have misunderstood the concept here.

1 Answer

Your understanding is correct. But in the mobile application case, I believe it is based on the app design.

For example, when a mobile user logs in to the mobile app, the app has to authenticate with the central system, which will run on the API Manager server. That system internally hard-codes the secret key and the consumer key to make the request to the backend. So, when the user authenticates to the central system, his username and password will be extracted from the user's login session to make the API call. That's how the server will manage the throttling also. It is not like the mobile app contains the logic.
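The server-side design described in the answer, as an added example that is not code from WSO2 or from the original post: the central system holds the consumer key and secret, sends the same password-grant request as the curl call in the question, and hands only the resulting user token back to the mobile app. All key, secret, host and user values are constructed placeholders, and the Token API is replaced by an in-process stand-in so the example runs offline.

```python
import base64
import urllib.parse

# Constructed placeholder values; in a real deployment they live only on the server.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_ENDPOINT = "https://apim.example.test/token"  # placeholder host


def basic_auth_header(consumer_key, consumer_secret):
    """Build the 'Authorization: Basic <base64(key:secret)>' value the Token API expects."""
    raw = f"{consumer_key}:{consumer_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(username, password, consumer_key, consumer_secret, scope="PRODUCTION"):
    """Assemble the password-grant request (same fields as the curl call in the question)."""
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password, "scope": scope}
    )
    headers = {
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": body}


class CentralSystem:
    """Server-side component from the answer: keeps the consumer key/secret,
    takes the user's login, and returns only the user-level token to the device."""

    def __init__(self, consumer_key, consumer_secret, send):
        self._key, self._secret = consumer_key, consumer_secret
        self._send = send  # HTTP POST function, injected so the example runs offline

    def login(self, username, password):
        resp = self._send(build_token_request(username, password, self._key, self._secret))
        # Only the user token crosses to the mobile app; client credentials never do.
        return {"access_token": resp["access_token"], "expires_in": resp["expires_in"]}


def fake_token_endpoint(req):
    """Stand-in for the APIM Token API (constructed for this example, not WSO2 code)."""
    if req["headers"]["Authorization"] != basic_auth_header(CONSUMER_KEY, CONSUMER_SECRET):
        raise PermissionError("invalid client credentials")
    params = urllib.parse.parse_qs(req["body"])
    if params.get("grant_type") != ["password"]:
        raise ValueError("unsupported grant_type")
    return {"access_token": "user-token-for-" + params["username"][0], "expires_in": 3600}


if __name__ == "__main__":
    central = CentralSystem(CONSUMER_KEY, CONSUMER_SECRET, fake_token_endpoint)
    print(central.login("alice", "alice-password"))
```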