I have designed a public REST API with JSON which is used primarily from native mobile applications. The application which should subscribe to this API does not have any username/password login mechanism as it should be public.
The API is designed using WSO2 API Manager in version 2.1.0 and application should establish TLSv1.2 trusted connection in order to consume services.
The API on the backend side is subscribing to internal REST API which has mutual TLS authentication.
Currently the OAuth2 is disabled for the API and I am thinking how to use it in order to get a higher assurance and identification of the end point who is trying to use the API.
The only OAuth2 Grant Type that I can use in this case is Client Credential from my point of view, where the application can get its consumer key and consumer secret to be able to request access tokens. But it can be obtained from application source code or configuration.
As there is no username/password mechanism Implicit Grant Type can't be used.
How to use API Manager in this case?