I want to expose an API via SAG API Gateway using OAuth 2.0 authorization, with API Gateway as the authorisation server. Which approach will be best for this scenario?
Should I configure two APIs for the consumer, one for getting the token and a second one for the resource?
@Rohit_Tomar, it's all about how you want to implement it and who is going to own the responsibility of validating the token.
Please check the existing article.
As a provider, keep things simple. Register a client and provide the below details to the client to generate the tokens. If you do not want them to generate the token by themselves, then create it on behalf of the client and just share the generated access token to invoke the API.
When we generate the token we invoke the service of the API Gateway Integration Server (/invoke/pub.apigateway.oauth2/getAccessToken), which is in the green zone, so how can the third-party consumer call this service directly?
I developed a REST web service to expose the data of the SAP system for a mobile application, then I configured the API at API Gateway, but authorization should be OAuth, so I gave my API endpoint to the mobile app team. Now how will they get a token to consume my API?
You can do it in many ways; a cleaner and simpler one:
Register on behalf of your client with only the required resource as scope and just share the token with them to invoke the resource API.
If you want your client to generate the token, then you need to expose your token service as an API. Here both client and provider have individual responsibilities. As a provider you need to store all the metadata about your client; your client just invokes your get-token wrapper service. If your OAuth is refresh-token enabled, then it is the client's responsibility to recheck whether the token is active by invoking the introspect URL and to call the service with an active token.
Since your APIs are behind your firewall, only authorized clients will be able to reach your network from the DMZ. Design your solution in a simple and secure way.
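The division of responsibility described in the reply above (provider registers the client and its allowed scope; client obtains a token, rechecks it via introspection, then calls the resource with a bearer token) as an added, self-contained example. This is not code from the thread or from Software AG: `MockAuthServer` is an in-memory stand-in for the gateway's authorization server and resource API, the endpoint shapes follow RFC 6749 (client-credentials token request) and RFC 7662 (introspection) rather than API Gateway's actual paths, and the client id, secret, scope and resource path are constructed values.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registry (values made up for this example):
# client_id -> (client_secret, scopes the provider registered for that client)
CLIENTS = {"mobile-app": ("s3cret-mobile", {"sap:read"})}
# Constructed resource map: path -> scope the gateway requires for it
RESOURCES = {"/sap/orders": "sap:read"}


class MockAuthServer:
    """In-memory stand-in for the gateway's token, introspection and resource endpoints.
    Shapes follow RFC 6749 / RFC 7662; these are NOT API Gateway's own paths."""

    def __init__(self, clients, resources, ttl_seconds=3600, clock=time.time):
        self.clients, self.resources, self.ttl, self.clock = clients, resources, ttl_seconds, clock
        self.tokens = {}  # access_token -> {"client_id", "scope", "exp"}

    def _authenticate_client(self, headers):
        """HTTP Basic client authentication; returns client_id or None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        stored = self.clients.get(client_id)
        if stored is None or not secrets.compare_digest(stored[0], secret):
            return None
        return client_id

    def token_endpoint(self, headers, body):
        """POST grant_type=client_credentials&scope=... ; returns (status, json)."""
        client_id = self._authenticate_client(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        requested = set(form.get("scope", "").split())
        if not requested or not requested <= self.clients[client_id][1]:
            return 400, {"error": "invalid_scope"}  # more than the provider registered
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "scope": " ".join(sorted(requested)),
                            "exp": int(self.clock()) + self.ttl}
        return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": self.ttl}

    def introspect_endpoint(self, headers, body):
        """POST token=... ; the caller must authenticate too (RFC 7662 section 2.1)."""
        if self._authenticate_client(headers) is None:
            return 401, {"error": "invalid_client"}
        info = self.tokens.get(parse_qs(body).get("token", [""])[0])
        if info is None or info["exp"] <= self.clock():
            return 200, {"active": False}
        return 200, {"active": True, **info}

    def resource_endpoint(self, headers, path):
        """Resource API: the gateway validates the bearer token and its scope itself."""
        auth = headers.get("Authorization", "")
        info = self.tokens.get(auth[7:]) if auth.startswith("Bearer ") else None
        if info is None or info["exp"] <= self.clock():
            return 401, {"error": "invalid_token"}
        if self.resources[path] not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"path": path, "data": "constructed SAP payload"}


class ResourceClient:
    """Consumer side: get a token, recheck it via introspection before each call,
    and fetch a fresh one when it is no longer active."""

    def __init__(self, server, client_id, client_secret, scope):
        self.server, self.scope, self.token = server, scope, None
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.basic = {"Authorization": "Basic " + cred}

    def _fetch_token(self):
        body = urlencode({"grant_type": "client_credentials", "scope": self.scope})
        status, resp = self.server.token_endpoint(self.basic, body)
        if status != 200:
            raise RuntimeError("token request failed: " + resp["error"])
        self.token = resp["access_token"]

    def _token_is_active(self):
        if self.token is None:
            return False
        status, resp = self.server.introspect_endpoint(self.basic, urlencode({"token": self.token}))
        return status == 200 and resp.get("active", False)

    def get(self, path):
        if not self._token_is_active():
            self._fetch_token()
        return self.server.resource_endpoint({"Authorization": "Bearer " + self.token}, path)


class FakeClock:
    """Controllable clock so token expiry can be simulated without waiting."""
    def __init__(self, start=1_700_000_000):
        self.t = start
    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    server = MockAuthServer(CLIENTS, RESOURCES, ttl_seconds=60, clock=clock)
    client = ResourceClient(server, "mobile-app", "s3cret-mobile", "sap:read")
    print(client.get("/sap/orders"))  # 200 with a freshly issued token
    clock.t += 120                     # token expires; introspection reports inactive
    print(client.get("/sap/orders"))  # still 200, after a transparent re-fetch
```

Two points the mock makes visible: the provider decides the scope at registration time, so a client asking for more than it was registered for is refused at the token endpoint rather than at the resource; and the resource endpoint validates the bearer token on its own, so a client that skips the introspection check simply gets a 401 once the token has expired.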