Missing Implicit Grant type: The new norm in WSO2 APIM 3.2.0


What and why: OAuth 2.0 grant types

  1. OAuth Core 1.0
  2. OAuth Core 1.0a (OAuth Core 1.0 Revision A)
  3. OAuth 2.0
  • Authorization Code Grant Type is used with server-side web applications.
  • Implicit Grant Type is used with client-side applications (single-page web applications, mobile applications).
  • Resource Owner Password Credential Grant Type is used with trusted applications, mostly applications that have both mobile and web versions.
  • Client Credential Grant Type is used by clients to access resources belonging to the client itself rather than a user's resources. There is no explicit resource owner in this grant type.

Implicit Grant Type: A quick tour

[Source: https://docs.wso2.com/download/attachments/92523218/OAuth%20grant%20types%20-%20Implicit.png?version=1&modificationDate=1515735103000&api=v2]

The bond between WSO2 APIM and Implicit Grant Type

  • wso2am-2.X.X
[Source: https://docs.wso2.com/download/attachments/97564572/implicit-grant.png?version=1&modificationDate=1527160507000&api=v2]
  • wso2am-3.0.0 and wso2am-3.1.0
[Source: https://apim.docs.wso2.com/en/3.1.0/assets/img/learn/implicit-grant.png]

Why not Implicit Grant Type?

  • The implicit grant type returns the access token directly in the authorization response (the redirect back to the client). This exposes the token and leads to access token leakage.
  • No viable mechanism exists to cryptographically bind an access token issued in the authorization response to a particular client, which makes it easy to inject a stolen access token into a client (token injection).
  • No refresh tokens are returned.
  • The implicit grant was used more or less as a compromise for the authorization code grant, because in the early days JavaScript in browsers could only make requests to the same origin. Later, with the aid of CORS, this limitation was removed.

Get the Implicit Grant Type in WSO2 APIM 3.2.0

Fig 1: No implicit grant type in the devportal
  1. Generate the client key and secret for the application.
  2. Navigate to the Carbon management console via the https://<hostname>:<port>/carbon URL.
  3. Navigate to Main → Identity → Service Providers → List and click the “Edit” button of the application for which you generated the client key and secret.
Fig 2: Select the Service Provider of the application
Fig 3: Expand the “OAuth/OpenID Connect Configuration” and click on “Edit”
Fig 4: Implicit grant type in the carbon management console

Get the Implicit Grant Type in WSO2 APIM 3.2.0 Devportal

  1. Navigate to the admin portal via the https://<hostname>:<port>/admin URL.
Fig 5: Click on “Key Managers”
Fig 6: Click on “Resident Key Manager”
Fig 7: Add “implicit” and press enter
Fig 8: Click on “Update”
Fig 9: Click on either “Production Keys” or “Sandbox Keys”
Fig 10: Implicit grant type is visible now
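Once the grant type is enabled in the Key Manager, a practitioner will want to verify what the authorization server actually returns, and the redirect also illustrates the leakage point raised in the “Why not Implicit Grant Type?” section: the bearer token travels in the URL fragment. The following is an added example (not code from the original post or from WSO2); it assumes the default WSO2 authorization endpoint https://localhost:9443/oauth2/authorize and works on constructed redirect URLs, so it runs offline.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Assumed default WSO2 APIM/IS OAuth2 authorization endpoint; adjust for your deployment.
AUTHZ_ENDPOINT = "https://localhost:9443/oauth2/authorize"


def build_implicit_request(client_id, redirect_uri, scope="openid", state=None):
    """Build the implicit-grant authorization request (response_type=token).
    'state' is a CSRF nonce the client must check when the redirect comes back."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state


def classify_redirect(location, expected_state):
    """Inspect the Location header the authorization server redirected to.
    Implicit grant: bearer token in the URL fragment (exposed to the browser,
    history and any script on the page). Authorization code grant: one-time
    code in the query string. Grant type disabled for the app: an error parameter."""
    u = urlparse(location)
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(u.fragment).items()}
    result = {"flow": "unknown", "token_exposed": False, "state_ok": False, "error": None}
    if "error" in query or "error" in fragment:
        result["flow"] = "error"
        result["error"] = query.get("error") or fragment.get("error")
    elif "access_token" in fragment:
        result["flow"] = "implicit"
        result["token_exposed"] = True
    elif "code" in query:
        result["flow"] = "authorization_code"
    returned_state = fragment.get("state") or query.get("state")
    result["state_ok"] = returned_state == expected_state
    return result


if __name__ == "__main__":
    # Constructed sample redirects, not captured from a real server.
    url, st = build_implicit_request("CLIENT_ID_PLACEHOLDER", "https://app.example/cb", state="xyz")
    print(url)
    print(classify_redirect("https://app.example/cb#access_token=abc&token_type=Bearer&state=xyz", st))
    print(classify_redirect("https://app.example/cb?error=unauthorized_client&state=xyz", st))
```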

In a nutshell!

