问题
We have a mobile app which is required to go through WSO2 API Manager to access some APIs. Because of oauth2 authentication, we need to store username & password in mobile app, is it safe? for example, username & password could be used to logon API Store, Is there any alternative solutions for this situation?
回答1:
You can use 'User Access Token'. That is the recommended approach for mobile apps. Refer to this WSO2AM doc for more info. The following blog posts also has some detailed explanation.
http://charithaka.blogspot.com/2013/07/oauth-20-grant-types-with-wso2-api_16.html http://lalajisureshika.blogspot.com/2012/11/generate-application-tokens-user-tokens.html
回答2:
You could use username and password under password grant type once to get the access token by hitting the token endpoint. After that just use the refresh token to renew your access token that way you will not have to store username and password in your mobile sandbox. Check the documentation on renewing the access token. It is necessity to keep this access token and refresh token securely in your mobile sandbox. For this you could use a secured sandbox approach like a keystore, keychain etc. based on your mobile platform with proper security in place such as encrypting them etc. Even if you willing to use the username and password for subsequent requests to request for a token again and again you could use this approach to store those credentials as well.
来源:https://stackoverflow.com/questions/18456399/wso2-api-manager-how-does-mobile-app-connect-to-api-manager