AnsweredAssumed Answered

Third party OAuth2.0 Authorization Server

Question asked by Augustin22 on Apr 23, 2018

A third party Authorization Server issues the access token. It provides client_id and client_secret.

CA API Gateway is the resource server, it validates access tokens.

 

Beyond the verification aspects of access token, what are the possible scenarios of integration between CA APIM and a third party Authorization Server?

 

How does CA APIM identify the client application for usage metrics, throttling etc.? I see 2 possible scenarios:

• CA APIM and third party Authorization Server share the client_id. If so, how does the enrollment of a new client app work on  CA API Portal? How can Authorization Server and the Portal interact with each other?

• Or CA APIM generates API Keys / or mutual TLS from the API Portal. Then in which attribute to set the API key: authorization header (with access token?), Query string, custom header, ... 

 

What would be your recommendation? 

Outcomes