February 23, 2016
3 min read

End-User Authorization with API Backend

In many cases, your applications and APIs need to take end-user identity into consideration. There are two ways this can be implemented in WSO2 API Cloud:
  1. Using WSO2 Cloud's identity store and 'Application & Application User' authorization, or
  2. Using backend identity store and X-Authorization header.
In this blog post, we will look into the details of each of these two approaches. 1. WSO2 Cloud's identity store and 'Application & Application User' This approach works best when your APIs target internal developers and partners, who subscribe to your APIs and invoke them. All of them will thus sign up in your developer portal (API Store) and have their identity records in the system. Since all the identities are in WSO2 Cloud, you do not need additional user-level authentication against the backend. Authentication is happening by passing the OAuth Authorization bearer header to the API gateway: Authenticate with API Cloud and pass JWT If your backend service needs user information, it can get it from JWT token that gateway passes with the call. Note that if you are using WSO2 API Cloud, you do not have to enable JWT tokens: passing them is the default behavior. 2. Backend identity store and X-Authorization header This approach is typically used when you have a consumer mobile or web application with many users, all of them registered with some sort of backend identity store. In that case, they all share the same application but need the extra user authentication. Add X-Authorization to authenticate with backend To make this happen, the following pattern is typically used:
  1. Application uses Authorization bearer header with the application token to communicate with the gateway. The token can be obtained manually from API Store or programmatically using token APIs,
  2. Then application prompts end-user for username and password, authenticates against the backend service, and get the corresponding OAuth token from it,
  3. In all subsequent calls, application passes two headers: Authorization with the application token for API Cloud gateway and X-Authorization with user token for the backend.
If backend cannot be changed to use X-Authorization and instead needs Authorization, the corresponding mediator sequence can be used to swap the headers. API Gateway to backend service calls can be secured with a variety of mechanisms including IP Whitelisting, basic authentication or passing an authentication header. Whatever you scenario is, try it today in WSO2 API Cloud!