API Management Tactics
Director of Product Management
• How to pass authentication information to back-end services?
• How to enrich request/response flows?
• How to react in real-time to API events?
• How to extend the authorization of users leveraging WSO2 Identity Server?
Passing Auth Information to back-end
• Using JSON Web Tokens (JWT)
‣ Can be signed
‣ Easy to parse and
What are Claims?
• Claims are a set of attributes about a user, mapped to the underlying user store.
• A set of claims is called a
• Default dialect is:
• Default behavior is that all non-null claims will be added to the JWT.
• If you want to override this behavior, you need to create your own ClaimsRetrieverClass.
• You can also use another dialect
‣ Reuse existing
‣ Create your own
JWT Basic Configuration
• Part of <APIConsumerAuthentication> node
• Following settings must be set/uncommented in the api-manager.xml file:
‣ Token Header name
‣ Signature Algorithm
‣ Claims Management
‣ Claims Dialect
Enriching API Gateway Flows
• Available as of version 1.5 (in the UI)
• Allows you to use the full power of the mediation engine (from WSO2 ESB) in the