1.3 How Secure API Manager Authorizes APIs

Secure API Manager controls access to APIs through OAuth authorizations. When you configure Secure API Manager, it automatically creates an OAuth 2 application for you in Access Manager. Secure API Manager uses the authorization tokens from this OAuth 2 application to secure access to the APIs. When an API developer creates an API in the Publisher, the developer adds the authorization token from this OAuth 2 application to the API. The following graphic shows the flow of the API authorization from the application, service, or item through the API Gateway to the Access Manager Identity Server.

Figure 1-5 API Authorizations

  1. When an application, service, or item calls an API, the call goes to the API Gateway. The API Gateway contains the APIs in a run-time environment.

  2. The API Gateway checks whether the API call contains an OAuth token. If it does not, the API Gateway rejects the call, and the application, service, or item receives a message stating that the API is not available.

  3. If the call for the API does contain an OAuth token, the API Gateway sends the call to the Identity Server.

  4. The Identity Server checks the OAuth application to see if the token is valid. If the token is not valid, the Identity Server sends that information to the API Gateway and the API Gateway rejects the call. The application, service, or item receives a message stating that the API is not available.

  5. If the token is valid, the Identity Server sends that information to the API Gateway. The API Gateway then allows the API call to go to the backend service. Because the call reached it through the API Gateway, the backend service knows that the call is valid and provides the functionality that the application, service, or item requested in the API call.
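The five steps above, modelled as gateway-side logic in an added example that is not part of Secure API Manager or Access Manager. The token store, the `identity_server_validate` stand-in for the Identity Server check, the header format, and the status codes are assumptions made for illustration; the one point taken directly from the text is that a missing token and an invalid token both produce the same "API is not available" rejection before the backend service is ever reached.

```python
import time

# Constructed sample data standing in for the Identity Server's record of
# tokens issued by the OAuth 2 application (hypothetical values, not real tokens).
_ISSUED_TOKENS = {
    "tok-valid-001":   {"active": True,  "expires_at": 2_000_000_000},
    "tok-expired-002": {"active": True,  "expires_at": 1_000_000_000},
    "tok-revoked-003": {"active": False, "expires_at": 2_000_000_000},
}

# Steps 2 and 4: the caller gets the same generic message whether the token
# is missing or invalid, so a rejection does not reveal which check failed.
REJECT = {"status": 401, "body": "The API is not available"}


def identity_server_validate(token, now=None):
    """Step 4: the Identity Server checks the OAuth application's token record."""
    now = time.time() if now is None else now
    rec = _ISSUED_TOKENS.get(token)
    return bool(rec and rec["active"] and rec["expires_at"] > now)


def extract_bearer_token(headers):
    """Step 2: pull the OAuth token from the Authorization header, if present.
    Assumes the bearer-token header form; anything else counts as no token."""
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def api_gateway_handle(headers, backend, validate=identity_server_validate, now=None):
    """Steps 1-5 at the API Gateway: reject a call without a token, ask the
    Identity Server about the token, and forward to the backend only when valid."""
    token = extract_bearer_token(headers)
    if token is None:                          # step 2: no token -> reject
        return dict(REJECT)
    if not validate(token, now=now):           # steps 3-4: Identity Server says invalid
        return dict(REJECT)
    return {"status": 200, "body": backend()}  # step 5: backend service handles the call


def demo_backend():
    """Constructed backend service; only reachable through a valid token."""
    return "backend result"
```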