Secure API Manager allows you to make APIs accessible to the public or to limit access to the APIs. Making an API available to the public means that anyone who knows the full path to the API can call it. Secure API Manager integrates with Access Manager to provide OAuth2 tokens for any requests to the APIs. This is a separate point of integration with Access Manager from the one that controls which specific users are able to access the APIs.
Secure API Manager uses the Access Manager roles and scopes to control access to the APIs and specific API endpoints. This way you do not have to create and manage additional accounts or roles for users to access and use the APIs.
To control access to the APIs, you create a scope for one or more APIs. If an API has multiple endpoints, you can use one scope to control access to all of them. You create a separate scope for an API endpoint when you want a different set of users to be able to access that specific endpoint. You can use the same scope for multiple APIs, or for multiple API endpoints that belong to different APIs. You then associate Access Manager roles with each scope to control access to the APIs and the API endpoints.
The following graphic depicts how Secure API Manager integrates with Access Manager to control access to the APIs.
Figure 4-1 How Secure API Manager integrates with Access Manager to control access to the APIs
The workflow shows how Secure API Manager controls access to the APIs through the Access Manager scopes:

1. An application, service, or client makes a call to the API, and that request includes an access token.
2. The API Gateway presents the access token to the token validator for Secure API Manager.
3. The token validator obtains the scope and roles associated with the target API or target API endpoint.
4. The token validator obtains the scopes that are defined in the access token.
5. The token validator checks the access token to see if it contains the required scopes for access.
6. If the required scopes are not present, Secure API Manager denies the application, service, or client access to the API.
7. If the required scopes are present, the token validator proceeds with additional evaluations.
8. The token validator obtains the roles that were associated with the scope in the API definition.
9. The token validator obtains the user's roles from Access Manager using the access token.
10. The token validator checks to see if the user has any of the required roles.
11. If the required roles are not present, Secure API Manager denies the client access to the API.
12. If the required roles are present, Secure API Manager allows access, because both the scope check and the role check have passed against the information in the access token.
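The following is an added example that models the scope-then-role decision described in the workflow above. It is not Secure API Manager's or Access Manager's own code: the API definitions, the access tokens, the role lookup and all names in it (`ApiEndpoint`, `AccessToken`, `validate`, `lookup_user_roles`) are constructed for illustration. It assumes that every scope listed for an endpoint must be present in the token and that the user needs any one of the roles associated with that scope, and that the role lookup is only performed after the scope check has passed.

```python
"""Model of a token validator that applies a scope check, then a role check.

Added example with constructed data; not the product's own implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class ApiEndpoint:
    # Hypothetical shape of an API definition entry: the scopes a caller's
    # token must carry, and the Access Manager roles associated with them.
    path: str
    required_scopes: FrozenSet[str]
    allowed_roles: FrozenSet[str]


@dataclass(frozen=True)
class AccessToken:
    # Hypothetical decoded access token: an identifier plus its scope claims.
    token_id: str
    scopes: FrozenSet[str]


# Constructed API definitions: one scope shared by two endpoints, and a
# separate scope (with a narrower role set) for the endpoint that fewer
# users may call.
API_DEFINITIONS: Dict[str, ApiEndpoint] = {
    "/orders/list": ApiEndpoint(
        "/orders/list", frozenset({"orders:read"}), frozenset({"employee", "manager"})),
    "/orders/detail": ApiEndpoint(
        "/orders/detail", frozenset({"orders:read"}), frozenset({"employee", "manager"})),
    "/orders/cancel": ApiEndpoint(
        "/orders/cancel", frozenset({"orders:admin"}), frozenset({"manager"})),
}

# Constructed stand-in for the roles Access Manager would return for the
# user behind a given access token.
ROLES_BY_TOKEN: Dict[str, FrozenSet[str]] = {
    "tok-alice": frozenset({"employee"}),
    "tok-bob": frozenset({"employee", "manager"}),
    "tok-eve": frozenset({"contractor"}),
}


def lookup_user_roles(token: AccessToken) -> FrozenSet[str]:
    """Workflow step 9: resolve the user's roles from the token (constructed lookup)."""
    return ROLES_BY_TOKEN.get(token.token_id, frozenset())


def validate(token: AccessToken, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a call to `path` carrying `token`.

    Order matters: the scope check uses only the token and the API
    definition, so a token with the wrong scopes is rejected before any
    role lookup against Access Manager is made.
    """
    endpoint = API_DEFINITIONS.get(path)
    if endpoint is None:
        return False, "unknown endpoint"

    # Steps 3-6: every required scope must appear in the token.
    missing = endpoint.required_scopes - token.scopes
    if missing:
        return False, f"scope check failed: missing {sorted(missing)}"

    # Steps 7-11: the user must hold at least one of the associated roles.
    user_roles = lookup_user_roles(token)
    if not (user_roles & endpoint.allowed_roles):
        return False, (f"role check failed: user roles {sorted(user_roles)} "
                       f"contain none of {sorted(endpoint.allowed_roles)}")

    # Step 12: both checks passed.
    return True, "allowed"


if __name__ == "__main__":
    calls = [
        (AccessToken("tok-alice", frozenset({"orders:read"})), "/orders/list"),
        (AccessToken("tok-alice", frozenset({"orders:read"})), "/orders/cancel"),
        (AccessToken("tok-alice", frozenset({"orders:admin"})), "/orders/cancel"),
        (AccessToken("tok-bob", frozenset({"orders:admin"})), "/orders/cancel"),
        (AccessToken("tok-eve", frozenset({"orders:read"})), "/orders/detail"),
    ]
    for tok, path in calls:
        allowed, reason = validate(tok, path)
        print(f"{tok.token_id:10} {path:16} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Running the block shows the two distinct denial paths: a token whose scopes do not cover the endpoint is refused without consulting the user's roles, while a token with the right scope but a user lacking every associated role is refused at the role check.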