We are using OTK for authentication and authorization.
Assume we have two APIs. Both APIs are published to Portal. Two applications are created in Portal:
- Application 1: API-POST is added to this application.
- Application 2: API-GET is added to this application.
There are two developers who can log in to Portal and subscribe to APIs:
- Developer1: subscribed to Application 1. OAuth credentials: ClientId1, SecretKey1
- Developer2: subscribed to Application 2. OAuth credentials: ClientId2, SecretKey2
Developers use the OAuth keys to generate an access token from the OTK API and use this token to authenticate to the actual APIs.
Developer1 is able to view only API-POST in the Portal and get all the details required to call the API.
Similarly, Developer2 can view API-GET and is unaware of API-POST.
But what we have observed is that Developer1 can access API-GET with a token generated using his ClientId1 and ClientId2, even though he is restricted at Portal. The same holds for Developer2.
So anyone with a valid access token can call all the APIs on the Gateway, even if they were restricted at the Portal.
Is this a serious security threat? Is there any configuration with which we can control access for users in the same way as in Portal?
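To illustrate the gap described in the question, here is an added example (not from the post, and not OTK's or Portal's own code or data model): a simulated gateway policy that accepts any active token, beside a hardened one that also checks the token's client_id against the applications the API is added to. The subscription table, the token strings and the introspection responses are constructed sample data.

```python
# Constructed sample data mirroring the question's setup (hypothetical layout, not OTK's data model):
# each Portal application lists the APIs added to it and the clients subscribed to it.
SUBSCRIPTIONS = {
    "Application 1": {"apis": {"API-POST"}, "clients": {"ClientId1"}},
    "Application 2": {"apis": {"API-GET"}, "clients": {"ClientId2"}},
}

# What a token introspection gives the gateway: token -> active flag and client_id (constructed tokens).
INTROSPECTION = {
    "tokenA": {"active": True, "client_id": "ClientId1"},
    "tokenB": {"active": True, "client_id": "ClientId2"},
    "tokenX": {"active": False, "client_id": "ClientId1"},   # expired/revoked token
}


def allowed_clients_for(api):
    """Clients allowed to call `api`: every client of every application the API is added to."""
    return {c for app in SUBSCRIPTIONS.values() if api in app["apis"] for c in app["clients"]}


def authorize_token_only(token, api):
    """Behaviour observed in the question: any active token passes, whatever API is called."""
    info = INTROSPECTION.get(token)
    return bool(info and info["active"])


def authorize_with_subscription(token, api):
    """Hardened check: the token must be active AND its client_id must be subscribed to the API."""
    info = INTROSPECTION.get(token)
    if not info or not info["active"]:
        return False
    return info["client_id"] in allowed_clients_for(api)


if __name__ == "__main__":
    cases = [("tokenA", "API-POST"), ("tokenA", "API-GET"), ("tokenB", "API-GET"), ("tokenX", "API-POST")]
    for token, api in cases:
        print(f"{token} -> {api}: token-only={authorize_token_only(token, api)}, "
              f"with-subscription={authorize_with_subscription(token, api)}")
```

The second check is the behaviour the question is asking for: Developer1's token (tokenA) still reaches API-POST but is refused for API-GET, because ClientId1 is not subscribed to any application that exposes API-GET.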