After you have subscribed to an API, you can use two different OAuth methods to make API calls through Secure API Manager. The endpoints are defined in the OAuth 2.0 RFC under Protocol Endpoints.
The authorization endpoint employs Access Manager as the owner of the user's credentials and the handler of the authentication process. The advantage of this method is that the client implementation never obtains the user's credentials. It also allows Access Manager to perform multi-factor authentication. This is the preferred method.
To invoke the authorization profile, create an authorization endpoint request as described in the Access Manager 5.0 OAuth Application Developer Guide. One additional step is specific to Secure API Manager: you must include the scope APIManagerScope in the list of scopes in the request.
The token endpoint profile allows a client that has the user's credentials to obtain an OAuth token in a single request. To invoke this endpoint, the client must hold the user's username and password. Many client implementations do not want to protect the user's credentials (or ever have them go to the client), so this method is generally not preferred.
To invoke the token profile, create a token endpoint request as defined in the Access Manager 5.0 OAuth Application Developer Guide. One additional step is specific to Secure API Manager: you must include the scope APIManagerScope in the list of scopes in the request. For example:
grant_type=password&client_id=557c9074-6a09-4f1a-83a6-0d3b442e1cc0&client_secret=he3Mmy3IGgL9dxhufNHo312DQqTJYI8mB6GHA&username=fred&password=test0123&scope=APIManagerScope
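The scope requirement applies to both methods. The following Python code is an added example, not taken from the Access Manager or Secure API Manager documentation: it builds an authorization endpoint request and a token endpoint body that always carry APIManagerScope, and it checks the state value when the authorization response comes back. The authorization code response type, the state handling, and all function names are assumptions; take the real endpoint URLs and client values from the Developer Guide and your own client registration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REQUIRED_SCOPE = "APIManagerScope"  # scope Secure API Manager requires in the request

def scope_param(scopes):
    """Space-delimited scope list (RFC 6749, section 3.3) that always has APIManagerScope."""
    ordered = list(dict.fromkeys(scopes))  # drop duplicates, keep caller's order
    if REQUIRED_SCOPE not in ordered:
        ordered.append(REQUIRED_SCOPE)
    return " ".join(ordered)

def authorization_url(authz_endpoint, client_id, redirect_uri, scopes=()):
    """Preferred method: return (url, state). The code flow is assumed here."""
    state = secrets.token_urlsafe(32)  # store in the user's session, compare on return
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope_param(scopes),
        "state": state,
    })
    return f"{authz_endpoint}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the callback echoes our state."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    return params["code"][0]

def password_grant_body(client_id, client_secret, username, password, scopes=()):
    """Token endpoint method: form-encoded POST body with every value escaped."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope_param(scopes),
    })
```

Building the body with `urlencode` keeps a password that contains `&`, `=` or spaces from splitting into extra parameters, which hand-concatenated strings do not guarantee.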