The following diagram depicts the OAuth flow when using Access Gateway for protecting the APIs, injecting scopes, and retrieving the access token:
Determine the web application or REST service for which you want to implement this configuration.
Create a reverse proxy in Access Gateway and enable OAuth in Access Gateway for this reverse proxy. See Enabling OAuth in Access Gateway.
Configure an authorization policy based on OAuth Scopes. See Configuring an Authorization Policy based on OAuth Scopes.
Configure an Identity Injection policy to inject user name and password. See Configuring an Identity Injection Policy for OAuth Claims.
Configure optional Identity Injection policies to inject other user claims, if required. You can define the additional roles in the same policy also that you configured for injecting user name and password. See Configuring an Identity Injection Policy for OAuth Claims.
Apply the changes.
For information about how to configure OAuth in Access Manager for this implementation flow, see Configuring Access Gateway for OAuth.