Understanding how Secure API Manager authorizes access to APIs helps you understand why you are required to add specific information when you create APIs. It also helps you understand the calls you must add to the applications and services that use the APIs stored in Secure API Manager.
Secure API Manager controls access to APIs through OAuth authorizations. When you configure Secure API Manager, it automatically creates an OAuth 2 application for you in Access Manager. Secure API Manager uses the authorization tokens from this OAuth 2 application to secure access to the APIs. When an API developer creates an API in the Publisher, the developer adds the authorization token from this OAuth 2 application to the API. The following graphic shows the flow of the API authorization from the application, service, or item through the API Gateway to the Access Manager Identity Server.
Figure 1-3 How Secure API Manager Authorizes APIs
When an application, service, or item calls an API, the call goes to the API Gateway. The API Gateway contains the APIs in a run-time environment.
The API Gateway checks to see if the call for the API contains an OAuth token. If it does not, the API Gateway rejects the call and the application, service, or item receives a message stating the API is not available.
If the call for the API does contain an OAuth token, the API Gateway sends the call to the Identity Server.
The Identity Server checks the OAuth application to see if the token is valid. If the token is not valid, the Identity Server sends that information to the API Gateway and the API Gateway rejects the call. The application, service, or item receives a message stating that the API is not available.
If the token is valid, the Identity Server sends that information to the API Gateway. The API Gateway then allows the call for the API to go to the backend service. The backend service knows that the call is valid and provides the additional functionality of the application, service, or item in the API call.
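The decision flow described above can be modeled in a few lines. This is an added example, not Secure API Manager code. It assumes the token is sent as a bearer credential in the `Authorization` header and that a failed Identity Server check is treated as an invalid token; `extract_token`, `gateway_handle`, and the sample token are hypothetical names and values.

```python
import re
from typing import Callable, Mapping, Optional, Tuple

# Assumption: the token travels as an RFC 6750 bearer credential in the
# Authorization header; the page only says the call "contains an OAuth token".
_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)
NOT_AVAILABLE = "API is not available"  # what the caller sees on any rejection


def extract_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token, or None when it is absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "authorization":  # header names are case-insensitive
            match = _BEARER.match(value.strip())
            return match.group(1) if match else None
    return None


def gateway_handle(headers: Mapping[str, str],
                   validate: Callable[[str], bool],
                   backend: Callable[[], str]) -> Tuple[bool, str]:
    """Model of the API Gateway decision; returns (forwarded, response)."""
    token = extract_token(headers)
    if token is None:
        # No token: reject without ever contacting the Identity Server.
        return False, NOT_AVAILABLE
    try:
        valid = validate(token)  # stands in for the Identity Server check
    except Exception:
        # Assumption: an Identity Server error counts as "not valid" (fail closed).
        valid = False
    if valid is not True:
        return False, NOT_AVAILABLE
    # Valid token: only now does the call reach the backend service.
    return True, backend()


if __name__ == "__main__":
    issued = {"sample-token-123"}  # constructed sample token
    for hdrs in ({}, {"Authorization": "Bearer wrong"},
                 {"Authorization": "Bearer sample-token-123"}):
        print(hdrs, "->", gateway_handle(hdrs, lambda t: t in issued,
                                         lambda: "backend response"))
```

Both rejection paths return the same message, so a caller cannot tell a missing token from an invalid one.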