I want to allow my users to be able to call my secured WSO2 APIs after a successful login/password authentication.

In the "WSO2 whitepaper for building an ecosystem for API security", the patterns proposed are only based on use cases where the resource server and authorization server are running in different domains, which is not my use case: https://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/#19

For my use case I want something simple without SAML, SOAP or XACML PDP. All I want is this (you can modify and correct my pattern):

-- Login: The client sends his login/password to my web app (a simple node.js server-side rendering).

My web app sends login/password + client_id/client_secret to my API Gateway (API Manager).

My API Gateway validates the client_id/client_secret and asks my OAuth Authorization Server (API Id Server) for an Access_Token/Refresh_Token after validating the login/password.

The API Gateway gets the tokens and returns them to the client.

-- Requests from a logged-in user:

The client requests an API behind the API Gateway with the Access_Token (without client_id client_secret).

The API Gateway asks my OAuth Authorization Server (API Id Server) to validate the Access_Token.

The OAuth Authorization Server validates the access_token, decrypts it, and sends back a JWT (JSON Web Token), which includes end-user details, to the API Gateway.

API Gateway adds the JWT as an HTTP header and invokes the backend business API.

Can you please tell me if it's possible to implement this simple pattern with the WSO2 solution? If so, can you please tell me how, or point me to WSO2 documentation that can help me?

1 Answer

Yes, this use case is possible with WSO2 IS/APIM. You can use the OAuth 2 password grant to request an access token using the user's username/password and client-id/secret. And if you request this as OpenID Connect, you can get the id-token (as a JWT) to retrieve user claims. Please use the following links to get a better understanding.

[1] https://docs.wso2.com/display/AM210/Password+Grant

[2] https://docs.wso2.com/display/IS530/OpenID+Connect
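The login step from the question, done the way the answer suggests (password grant with the `openid` scope), as an added example for the node.js web app; this is not code from the question, the answer or WSO2, and the token endpoint URL, issuer and client values are constructed placeholders:

```javascript
// Added example (not from the question or answer): the password grant request
// the node.js web app would send to the WSO2 APIM token endpoint, and the claim
// checks on the id_token returned when scope=openid is requested.
// Endpoint URL, issuer and client values are constructed placeholders.

const TOKEN_URL = 'https://apim.example.internal:8243/token'; // constructed
const CLIENT_ID = 'example-client-id';                       // constructed
const CLIENT_SECRET = 'example-client-secret';               // constructed

// Build the HTTP request: client credentials go in HTTP Basic auth, the
// user's credentials and the grant type in the form body. Never log the body.
function buildPasswordGrantRequest(username, password) {
  const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
  const body = new URLSearchParams({
    grant_type: 'password',
    username,
    password,
    scope: 'openid', // openid scope makes the token response carry an id_token
  }).toString();
  return {
    url: TOKEN_URL, method: 'POST', body,
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
  };
}

// base64url helpers for JWT segments (JSON <-> base64url without padding).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (seg) => JSON.parse(Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));

// Claim checks the web app must perform before trusting the user identity in the
// id_token: issuer, audience (this client) and expiry. The RS256 signature must
// already have been verified against the Identity Server's JWKS (not shown here).
function validateIdTokenClaims(idToken, expectedIssuer, nowSeconds) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  const claims = fromB64url(parts[1]);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (claims.iss !== expectedIssuer) throw new Error('unexpected issuer');
  if (!aud.includes(CLIENT_ID)) throw new Error('id_token not issued to this client');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('id_token expired');
  return { subject: claims.sub, claims };
}

// Constructed token response, shaped like the one the token endpoint returns.
// The id_token signature here is a dummy string; a real one is RS256-signed by the IS.
const ISSUER = 'https://is.example.internal:9443/oauth2/token'; // constructed
const SAMPLE_ID_TOKEN = [b64url({ alg: 'RS256', typ: 'JWT' }), b64url({ iss: ISSUER, sub: 'alice', aud: CLIENT_ID, exp: 1700003600, iat: 1700000000 }), 'dummy-signature'].join('.');
const SAMPLE_RESPONSE = { access_token: 'opaque-access-token', refresh_token: 'opaque-refresh-token', token_type: 'Bearer', expires_in: 3600, id_token: SAMPLE_ID_TOKEN };

console.log(validateIdTokenClaims(SAMPLE_RESPONSE.id_token, ISSUER, 1700000100).subject); // alice
```

The web app keeps `access_token` and `refresh_token` server-side in the user's session and forwards only the access token as a Bearer header when calling APIs behind the Gateway, matching the second half of the question's flow.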