Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


oauth 2.0 - Steps: WSO2 Authentication and Authorization = Many Steps

I'm trying to secure my APIs using WSO2 API Manager. I managed to configure WSO2 Identity Server to use an LDAP server with some users and made WSO2 API Manager use this Identity Server as Key Manager. My questions are:

  1. How can I configure an end user to access an API? Is it necessary to associate all the users with an application role in API Manager carbon?
  2. Do the end users need to have two access tokens to access an API? One to authenticate in IS using (OAuth Client Key/OAuth Client Secret) and another to generate the access token to the API in API Manager using (Consumer Client Id/Consumer Client Secret)?
  3. Is there any tutorial explaining all these steps and how to protect an API just for some users?

Question from: https://stackoverflow.com/questions/65894375/steps-wso2-authentication-and-authorization-many-steps


1 Reply


Basically, the token generation flow differs from grant type to grant type. For example, the jwt-bearer grant type that you are using to generate an access token has several steps, such as:

  1. The service provider requests the JWT from the IDP.
  2. An access token is generated from API Manager by exchanging the JWT assertion.

This is because the usage of each grant type is different and using grant types depends on your security requirement.

The JWT Bearer grant is usually used in client apps, where the user logs in by providing a user name and password and the rest is done in the application itself without any interaction with the end user.

If you need to generate the token as the end-user, you can use the password grant type.
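
The two token requests contrasted in the answer above, as an added example that is not part of the original answer or of WSO2's own code. It follows RFC 7523 (JWT bearer) and RFC 6749 (password grant); the token endpoint URL, the consumer key/secret, the user credentials and the unsigned sample JWT are constructed placeholders, and the requests are built but never sent.

```python
import base64, json, time
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_ENDPOINT = "https://apim.example.com/token"  # placeholder URL (assumption)
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant type from RFC 7523

def sample_jwt(claims):
    """Constructed JWT with a fake signature, for the demo only; a real IdP signs it."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"

def check_assertion(jwt, now=None):
    """Decode the payload (no signature check) and test the claims RFC 7523 requires."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    missing = [c for c in ("iss", "sub", "aud", "exp") if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("assertion expired")
    return claims

def token_request(consumer_key, consumer_secret, form):
    """Build the POST; the application authenticates with HTTP Basic (key:secret)."""
    basic = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    return Request(TOKEN_ENDPOINT, data=urlencode(form).encode(), method="POST",
                   headers={"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded"})

def jwt_bearer_request(key, secret, assertion):
    check_assertion(assertion)  # fail early instead of sending a bad assertion
    return token_request(key, secret, {"grant_type": JWT_BEARER, "assertion": assertion})

def password_request(key, secret, username, password):
    return token_request(key, secret, {"grant_type": "password",
                                       "username": username, "password": password})

if __name__ == "__main__":
    jwt = sample_jwt({"iss": "idp", "sub": "alice", "aud": TOKEN_ENDPOINT,
                      "exp": int(time.time()) + 300})
    for req in (jwt_bearer_request("app-key", "app-secret", jwt),
                password_request("app-key", "app-secret", "alice", "constructed-pw")):
        print(req.get_method(), req.full_url, req.data.decode())
```
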

