WSO2 API Manager - 移动应用程序如何连接到 API Manager? [英] WSO2 API Manager - How does mobile app connect to API Manager?

问题描述

我们有一个移动应用，需要通过 WSO2 API 管理器访问一些 API.由于oauth2认证，我们需要存储用户名&手机app里的密码，安全吗?例如，用户名 &可以使用密码登录API Store，有没有其他解决方案?

We have a mobile app which is required to go through WSO2 API Manager to access some APIs. Because of oauth2 authentication, we need to store username & password in mobile app, is it safe? for example, username & password could be used to logon API Store, Is there any alternative solutions for this situation?

推荐答案

您可以使用 password grant type 下的 username 和 password 一次通过点击令牌端点来获取访问令牌.之后，只需使用刷新令牌来更新您的访问令牌，这样您就不必将用户名和密码存储在您的移动沙箱中.查看关于更新访问令牌的文档.有必要将此访问令牌和刷新令牌安全地保存在您的移动沙箱中.为此，您可以使用基于您的移动平台的安全沙箱方法，如密钥库、钥匙串等，并具有适当的安全性，例如加密它们等.即使您愿意在后续请求中使用用户名和密码来请求令牌您也可以一次又一次地使用这种方法来存储这些凭据.

You could use username and password under password grant type once to get the access token by hitting the token endpoint. After that just use the refresh token to renew your access token that way you will not have to store username and password in your mobile sandbox. Check the documentation on renewing the access token. It is necessity to keep this access token and refresh token securely in your mobile sandbox. For this you could use a secured sandbox approach like a keystore, keychain etc. based on your mobile platform with proper security in place such as encrypting them etc. Even if you willing to use the username and password for subsequent requests to request for a token again and again you could use this approach to store those credentials as well.

这篇关于WSO2 API Manager - 移动应用程序如何连接到 API Manager?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！