Hi All,
In API Manager we have application access token and user access token
concepts. An application access token is the token obtained using the resource
owner grant type. A user access token is the token obtained by a user (can be
the application owner or someone else) by using any grant type. Initially we
introduced this feature to control resource-level access of APIs.

As an example, we can think of one API (camera API) which has 2 resources (1. View
photo, 2. Add photo). Then we will need to let users view photos without
logging in to the system (meaning obtaining a token for the user). In that case we can limit
the view resource to the application access token and mandate using a user token to
add a photo. This way we can maintain resource access control.

With the scopes concept we can still do the same. We can give a read scope to view
photo and generate a token for that, embedded with the app. If a user needs to take a
photo then he will have to get a token with the write (access add photo) scope. In
the OAuth spec also we cannot see this type of differentiation. So considering
all these, shall we remove the application access token concept from API
Manager? Any limitations with this?

Thanks,
sanjeewa.

-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
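The scope-based alternative described in the mail (a read scope for viewing photos, a write scope for adding them), as an added example that is not part of the thread and is not WSO2 API Manager's own code. It assumes the resource server learns a token's granted scopes from an RFC 7662-style introspection response; the resource paths, scope names and token responses below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed mapping for the camera API in the mail: each resource lists
# the scope a token must carry. Paths and scope names are assumptions.
RESOURCE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/camera/photos"): "photo:read",    # view photo
    ("POST", "/camera/photos"): "photo:write",  # add photo
}


@dataclass(frozen=True)
class TokenInfo:
    """What the resource server learns about a token (e.g. via RFC 7662 introspection)."""
    active: bool
    scopes: FrozenSet[str]
    subject: Optional[str] = None  # None when no end user was involved in issuing it


def parse_introspection(resp: dict) -> TokenInfo:
    """Turn an RFC 7662-style introspection response into TokenInfo.

    'scope' is a space-separated string (RFC 6749). An inactive token yields
    an empty scope set so every check on it falls through to deny.
    """
    active = bool(resp.get("active", False))
    scope_str = resp.get("scope", "") if active else ""
    return TokenInfo(active=active, scopes=frozenset(scope_str.split()),
                     subject=resp.get("sub"))


def authorize(token: TokenInfo, method: str, path: str) -> Tuple[bool, str]:
    """Default-deny check: the resource must be known, the token active, and
    the resource's required scope present in the token's granted scopes."""
    required = RESOURCE_SCOPES.get((method.upper(), path))
    if required is None:
        return False, "unknown resource"
    if not token.active:
        return False, "token inactive"
    if required not in token.scopes:
        return False, f"missing scope {required}"
    return True, "ok"


# Constructed introspection responses, not real tokens. APP_TOKEN stands for
# the read-only token embedded with the app (no 'sub', since no user logged in);
# USER_TOKEN for a token a logged-in user obtained with the write scope.
APP_TOKEN = parse_introspection(
    {"active": True, "scope": "photo:read", "client_id": "camera-app"})
USER_TOKEN = parse_introspection(
    {"active": True, "scope": "photo:read photo:write", "sub": "alice",
     "client_id": "camera-app"})
REVOKED_TOKEN = parse_introspection({"active": False})


def demo() -> Dict[str, bool]:
    """Run the four situations from the mail and report allow/deny for each."""
    cases = {
        "app token views photo": (APP_TOKEN, "GET", "/camera/photos"),
        "app token adds photo": (APP_TOKEN, "POST", "/camera/photos"),
        "user token adds photo": (USER_TOKEN, "POST", "/camera/photos"),
        "revoked token views photo": (REVOKED_TOKEN, "GET", "/camera/photos"),
    }
    return {name: authorize(tok, m, p)[0] for name, (tok, m, p) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The check is keyed purely on scopes, so the "application token" versus "user token" distinction collapses into which scopes an issuer grants for a given grant type; the `subject` field is kept only so a resource that genuinely needs an end-user identity can still ask for one.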
