2.8 Configure OAuth in Access Manager for API Authorizations

Secure API Manager uses the OAuth applications in Access Manager to authorize access to the APIs. Without the authorization process to protect the APIs, anyone or anything can access and use the APIs. The API developers who subscribe to an API select an Access Manager OAuth client to provide the tokens for the API authorizations. To allow Secure API Manager to use the OAuth services in Access Manager, you must perform some configuration tasks in Access Manager.

2.8.1 Enable and Configure OAuth in Access Manager

Secure API Manager requires that you have enabled and configured OAuth for the API authorizations to work. Enabling and configuring OAuth in Access Manager is a multi-step process. Follow the steps documented in the Access Manager documentation to properly enable and configure OAuth in Access Manager.

The Store provides a list of all of the available OAuth clients that the API Developers can use to provide authorizations for their subscribed APIs. To be able to view and select these OAuth clients in the Store, you must assign the proper rights to users. Follow the steps to create a role policy when you grant access to the Publisher and the Store.

2.8.2 Configure the Minimum Required Global OAuth Settings in Access Manager

Secure API Manager uses Access Manager OAuth 2 applications to provide the authorizations for the APIs. The authorizations for the APIs allow you to secure access to the APIs and see who or what has used the APIs. You configured the OAuth global settings when you configured OAuth for Access Manager. Secure API Manager requires that a minimum set of the Access Manager global OAuth settings be configured for the API authorizations to work.

You configure the global OAuth settings for each Identity Server cluster. To access the global settings, on the Access Manager Dashboard, click Devices > Identity Servers > IDP Cluster > Configuration.

The minimum set of global settings for Secure API Manager is as follows:

  • Grant Types: Authorization Code, Resource Owner Credentials, Client Credentials

  • Token Types: Access Token

IMPORTANT: To support Resource Owner Credentials, you must select a valid authentication contract in the Contracts for Resource Owner Credentials Authentication section.
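The following is an added example, not code from the Secure API Manager or Access Manager documentation. It shows what the three grant types in the minimum set look like on the wire as standard RFC 6749 token requests (Authorization Code, Resource Owner Credentials, which RFC 6749 calls the `password` grant, and Client Credentials), and why enabling only that set matters: a token endpoint that has only those grants enabled refuses any other grant type before it checks anything else. The token endpoint here is a constructed in-process stand-in, not Access Manager; its URL, the client registration, the user, and the authorization code are all assumed values.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# RFC 6749 identifiers for the three grant types the page lists as the minimum:
# Authorization Code, Resource Owner Credentials ("password"), Client Credentials.
ENABLED_GRANT_TYPES = {"authorization_code", "password", "client_credentials"}

# Constructed registrations; in a real deployment these live in Access Manager.
CLIENTS = {"api-dev-client": "constructed-client-secret"}
USERS = {"alice": "constructed-user-password"}
VALID_CODE = "constructed-auth-code"  # stands in for a code the authorization step issued


class TokenEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for an OAuth 2 token endpoint (not Access Manager)."""

    def log_message(self, *args):  # keep request logging quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        p = {k: v[0] for k, v in form.items()}
        grant = p.get("grant_type")
        # A grant type that is not enabled is refused before anything else is checked.
        if grant not in ENABLED_GRANT_TYPES:
            return self._reply(400, {"error": "unsupported_grant_type"})
        # Every grant authenticates the OAuth client the API developer subscribed with.
        if CLIENTS.get(p.get("client_id")) != p.get("client_secret"):
            return self._reply(401, {"error": "invalid_client"})
        # Resource Owner Credentials also verifies the user's own credentials
        # (the role the authentication contract plays in Access Manager).
        if grant == "password" and USERS.get(p.get("username")) != p.get("password"):
            return self._reply(400, {"error": "invalid_grant"})
        # Authorization Code: the code must be one the authorization step issued.
        if grant == "authorization_code" and p.get("code") != VALID_CODE:
            return self._reply(400, {"error": "invalid_grant"})
        self._reply(200, {"access_token": f"tok-{grant}", "token_type": "Bearer", "expires_in": 3600})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Cache-Control", "no-store")  # RFC 6749 section 5.1
        self.end_headers()
        self.wfile.write(data)


def token_request_body(grant_type, client_id, client_secret, **extra):
    """Form body of a token request (RFC 6749 sections 4.1.3, 4.3.2, 4.4.2)."""
    body = {"grant_type": grant_type, "client_id": client_id, "client_secret": client_secret}
    body.update(extra)
    return urllib.parse.urlencode(body).encode()


def request_token(token_url, grant_type, client_id, client_secret, **extra):
    """POST the token request and return the JSON body, for success or error."""
    req = urllib.request.Request(
        token_url,
        data=token_request_body(grant_type, client_id, client_secret, **extra),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # error responses are JSON too (section 5.2)
        return json.load(err)


def start_stand_in():
    """Run the constructed token endpoint on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), TokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/token"


def demo():
    """Exercise the three enabled grants, one grant that is not enabled, and a bad secret."""
    server, url = start_stand_in()
    cid, sec = "api-dev-client", "constructed-client-secret"
    try:
        return {
            "client_credentials": request_token(url, "client_credentials", cid, sec),
            "password": request_token(url, "password", cid, sec,
                                      username="alice", password="constructed-user-password"),
            "authorization_code": request_token(url, "authorization_code", cid, sec,
                                                code=VALID_CODE, redirect_uri="https://app.example/cb"),
            "refresh_token": request_token(url, "refresh_token", cid, sec, refresh_token="x"),
            "bad_secret": request_token(url, "client_credentials", cid, "wrong"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The `refresh_token` request is refused with `unsupported_grant_type` because only the minimum set is enabled, which is the same behaviour to expect from an Identity Server cluster configured with exactly the grant types and token types listed above; the `bad_secret` request shows that the client the API developer selected in the Store must authenticate for any of the three grants.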