A third-party Authorization Server issues the access token. It provides client_id and client_secret.
CA API Gateway is the resource server; it validates access tokens.
Beyond the verification aspects of the access token, what are the possible scenarios of integration between CA APIM and a third-party Authorization Server?
How does CA APIM identify the client application for usage metrics, throttling etc.? I see 2 possible scenarios:
• CA APIM and the third-party Authorization Server share the client_id. If so, how does the enrollment of a new client app work on CA API Portal? How can the Authorization Server and the Portal interact with each other?
• Or CA APIM generates API keys or mutual TLS from the API Portal. In that case, in which attribute should the API key be set: Authorization header (with the access token?), query string, custom header, ...?
What would be your recommendation?