Securing APIs using OAuth 2 in API Gateway

2 min readOct 3, 2019

Author: Naramsetty, Srikar <Srikar.Naramsetty@softwareag.com>
Supported Versions: 10.3 and above

For securing APIs using OAuth2 in API Gateway for versions 10.2 and below please refer https://tech.forums.softwareag.com/t/securing-apis-using-oauth2-in-api-gateway

webMethods API Gateway tutorial

Introduction

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. In this tutorial we will go through the following steps in detail to use OAuth2 in API Gateway.

Configuring local authorization server
Importing travel services into API Gateway and creating the scopes for the resources
Enforcing OAuth2:
Linking authorization server scopes to the API Scopes
Creating BookYourTicket application in API Gateway
Getting bearer token
Invoking the API
Using properties of access token
Refreshing access token
Enabling OAuth 2 authorization through HTTP
Removing expired tokens
Customizing the default approval page

Required knowledge

The tutorial assumes that the reader has:

a basic understanding of API Gateway and its policy enforcement
a basic knowledge on OAuth 2 authentication framework

Why?

Lets assume you have a service and you want to protect it with OAuth2. You can use the API Gateway OAuth2 authorization server to generate the access tokens for the client applications.