Suppose I want to replace the "default" WSO2 authentication mechanism from OAuth2 bearer to something else. Two use cases that we have in mind:

  1. Anonymous access (i.e. no authorization at all).
  2. User/password authentication (instead of the bearer!)

My guess is that this could be implemented by writing a custom authentication handler, which will take over prior to the "usual" authentication handler, and will be responsible for doing the customized authentication and also for creating an authorization header with the correct bearer token, to hand down to the standard authentication handler.

Is this the right way to implement this? Is there another way that does not require developing a custom handler?

I saw the following discussion, "WSO2 API Manager, is it possible to disable the access-token mechanism", but I'm not sure if it is relevant for the use case I was describing.

1 Answer

Yes, you have to implement a custom authentication handler to use basic authentication with API Manager.

But you can provide anonymous access without implementing any handlers. For that, you can set the authentication type to None when you create the API. You can set it by going to the 'Manage' tab of an API and changing the type from 'Application & Application User' to 'None' for all the resources.
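
A sketch of the custom handler the answer refers to, added here as an example and not code from the answer or from WSO2. It extends Synapse's `AbstractHandler` and validates an HTTP Basic `Authorization` header; the class name `BasicAuthHandler`, the helper `isValid` and the hard-coded demo credential are assumptions made for illustration, and Java 8+ is assumed for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.rest.AbstractHandler;

// Hypothetical class name; intended to run in place of the default token handler.
public class BasicAuthHandler extends AbstractHandler {

    // Constructed demo credential; replace with a lookup against your user store.
    private static final byte[] EXPECTED =
            "demo-user:demo-pass".getBytes(StandardCharsets.UTF_8);

    @Override
    public boolean handleRequest(MessageContext messageContext) {
        Map<?, ?> headers = (Map<?, ?>) ((Axis2MessageContext) messageContext)
                .getAxis2MessageContext()
                .getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
        Object value = (headers == null) ? null : headers.get("Authorization");
        // Returning false stops the handler chain, so the request never reaches the backend.
        return value instanceof String && isValid((String) value);
    }

    @Override
    public boolean handleResponse(MessageContext messageContext) {
        return true; // nothing to check on the way back
    }

    // Parses "Basic <base64(user:password)>" and compares in constant time.
    static boolean isValid(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // missing header scheme or a different scheme (e.g. Bearer)
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 is treated as a failed login
        }
        // MessageDigest.isEqual avoids leaking how many leading bytes matched.
        return MessageDigest.isEqual(presented, EXPECTED);
    }
}
```

Basic credentials are only Base64-encoded, not encrypted, so an API protected this way should be reachable over HTTPS only.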