
API Access Control using OTK

Question asked by Kareem.shaik7 on Feb 14, 2017
Latest reply on May 3, 2017 by Stephen_Hughes

Hi

We are using OTK for authentication and authorization.

Assume we have two APIs:

1. API-POST 

2. API-GET

Both APIs are published to Portal. Two applications are created in Portal.

Application1:

   API-POST is added to this application.

Application2:

   API-GET is added to this application.

There are two developers who can log in to Portal and subscribe to APIs:

Developer1: Subscribed to Application 1

      OAuth Credentials: ClientId1, SecretKey1

Developer2: Subscribed to Application 2.

      OAuth credentials: ClientId2, SecretKey2

Developers use the OAuth keys to generate an access token from the OTK API and use this token to authenticate to the actual APIs.

Developer1 is able to view only API-POST from the portal and get all the details required to call API.

Similarly, Developer2 can view API-GET and is unaware of API-POST.

But what we have observed is that Developer1 can access API-GET with a token generated using his ClientId1 and ClientId2, even though he is restricted at Portal. The same applies to Developer2.

So anyone with a valid access token can call all the APIs on the Gateway, even if they were restricted at Portal.

Is it a serious security threat? Do we have any configuration where we can control access for users in the same way as Portal does?
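One way to close the gap the post describes, as an added example that is not from the original thread nor from CA's OTK code: the policy in front of each API should check not only that the access token is valid, but that the client_id the token was issued to is subscribed (via its Portal application) to that particular API. The subscription tables, the introspection records and the function names below are constructed for illustration; the only assumption about the gateway is that it can learn the token's client_id, for example from token introspection.

```python
import time

# Constructed portal data: which APIs each application exposes, and which
# application each client ID (developer) is subscribed to, as in the post.
APPLICATION_APIS = {
    "Application1": {"API-POST"},
    "Application2": {"API-GET"},
}
CLIENT_SUBSCRIPTIONS = {
    "ClientId1": {"Application1"},
    "ClientId2": {"Application2"},
}

# Constructed stand-in for token introspection results (RFC 7662 style
# fields). client_id is the field the authorization check relies on.
INTROSPECTION = {
    "token-of-dev1": {"active": True, "client_id": "ClientId1", "exp": time.time() + 3600},
    "token-of-dev2": {"active": True, "client_id": "ClientId2", "exp": time.time() + 3600},
    "expired-token": {"active": False, "client_id": "ClientId1", "exp": time.time() - 1},
}


def token_is_valid(token: str) -> bool:
    """The check the post describes the gateway as doing: is the token live?"""
    info = INTROSPECTION.get(token)
    return bool(info and info["active"] and info["exp"] > time.time())


def subscribed_clients(api: str) -> set:
    """Derive the client IDs entitled to an API from the portal data."""
    apps = {app for app, apis in APPLICATION_APIS.items() if api in apis}
    return {cid for cid, subs in CLIENT_SUBSCRIPTIONS.items() if subs & apps}


def authorize(token: str, api: str) -> tuple:
    """Per-API authorization: token must be valid AND its client subscribed.

    Returns (allowed, reason) so the policy can log why a call was denied.
    """
    if not token_is_valid(token):
        return False, "invalid_token"
    client_id = INTROSPECTION[token]["client_id"]
    if client_id not in subscribed_clients(api):
        return False, f"client {client_id} not subscribed to {api}"
    return True, "ok"


if __name__ == "__main__":
    # Developer1's token is valid for both calls, but only authorized for API-POST.
    for tok, api in [("token-of-dev1", "API-POST"), ("token-of-dev1", "API-GET")]:
        print(tok, api, "valid:", token_is_valid(tok), "authorized:", authorize(tok, api))
```

The point the output makes is that token validity is the same for both calls; only the subscription check distinguishes API-POST from API-GET.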
