Understanding how Secure API Manager authorizes access to APIs helps you understand why you are required to add specific information when you create APIs. It also helps you understand the calls you must add to the applications and services that use the APIs stored in Secure API Manager.
Secure API Manager controls access to APIs through OAuth authorizations. When you configure Secure API Manager, it automatically creates an OAuth application for you in Access Manager. Secure API Manager uses the authorization tokens from this OAuth application to secure access to the APIs. When an API developer creates an API in the Publisher, the developer adds the authorization token from this OAuth application to the API. The following graphic shows the flow of the API authorization from the application, service, or item through the API Gateway to the Access Manager Identity Server.
Figure 1-3 How Secure API Manager Authorizes Access to APIs
When an application, service, or item calls an API, the call accesses the API stored on the API Gateway. The API Gateway contains the APIs in a run-time environment.
The API Gateway checks whether the call for the API contains an OAuth token. If it does not, the API Gateway returns a 403 Forbidden error message, which means the user is not authorized to access the application, service, or item.
If the call for the API does contain an OAuth token, the API Gateway sends the call to the Identity Server.
The Identity Server checks the OAuth application to see if the token is valid.
If the token is not valid, the Identity Server sends that information to the API Gateway and the API Gateway returns a 403 Forbidden error message to the application, service, or item.
If the token is valid, the Identity Server sends that information to the API Gateway. The API Gateway then allows the call for the API to execute and the application, service, or item receives the additional functionality from the API.
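The following is an added example, not Secure API Manager code: a minimal Python model of the decision flow described above, showing that a call without a token is rejected before the Identity Server is contacted and that the API executes only for a valid token. All class and function names are hypothetical, the token values are constructed, and the `Authorization: Bearer` header (RFC 6750) and the 200 success status are assumptions the page does not state.

```python
# Added illustration of the flow described above; names are hypothetical.
from dataclasses import dataclass


@dataclass
class IdentityServer:
    """Stand-in for the Access Manager Identity Server (constructed token set)."""
    valid_tokens: set
    checks: int = 0  # number of validation requests that reached this server

    def is_valid(self, token: str) -> bool:
        self.checks += 1
        return token in self.valid_tokens


def extract_bearer(headers: dict):
    """Return the token, or None. Assumes 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def gateway_call(headers: dict, idp: IdentityServer, backend) -> tuple:
    """Model of the API Gateway decision; returns (status, body)."""
    token = extract_bearer(headers)
    if token is None:
        # No token in the call: rejected at the gateway, no Identity Server lookup.
        return 403, "Forbidden"
    if not idp.is_valid(token):
        # The Identity Server reports the token as not valid.
        return 403, "Forbidden"
    # Token is valid: the call for the API is allowed to execute.
    return 200, backend()


def demo():
    idp = IdentityServer(valid_tokens={"constructed-token-123"})
    hits = []  # records each time the API itself actually runs
    backend = lambda: hits.append("hit") or "api-result"
    results = [
        gateway_call({}, idp, backend),                                   # no token
        gateway_call({"Authorization": "Bearer wrong-token"}, idp, backend),
        gateway_call({"Authorization": "Bearer constructed-token-123"}, idp, backend),
    ]
    return results, idp.checks, len(hits)


if __name__ == "__main__":
    print(demo())
```

Because both rejection paths return the same 403 response, a caller cannot tell a missing token from an invalid one by the status alone; the difference shows up only in whether the Identity Server saw a validation request.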