API using OAuth 2.0

Hello Folks,

I want to expose a API via SAG API gateway using oauth2.0 authorization using API gateway as authorisation server, so which approach will be best to for this scenario.
Should i configure two API for consumer one for getting token and second one for resource .

Kindly suggest me

Thank you

Hi @Rohit_Tomar

Did you try searching the SAG Tech Community for: API gateway oauth

If you do, you will see a few “hot to” articles. One of them may meet your needs.


@Rohit_Tomar , Its all about the how you want to implement and who is going to own the responsibility of validating the token.

please check the existing article

As a provider keep the things simple . Register a client and provide the below details to the client to generate the tokens. if you do not want them to generate the token by them self then create on behalf of the client and just share the Generated Access token to invoke API)

  1. Client_ID - Get it from the application which you created in API Gateway
  2. Client_Screts - Get it from the application which you created in API Gateway
  3. Authorization URL - /invoke/pub.apigateway.oauth2/authorize
  4. getAccess token URL /invoke/pub.apigateway.oauth2/getAccessToken
  5. refreshtoken URL - /invoke/pub.oauth/refreshAccessToken

Hello Dinesh,

when we genrate the token we invoke the service of Api gateway Integration server(/invoke/pub.apigateway.oauth2/getAccessToken) that is in green zone so how the thrid party consumer can call this service directly.

@Rohit_Tomar let us know what exactly your are trying to implement ?


I developed a rest webservice to expose the data of SAP system for mobile application then i configured the API at API gateway, but authrorization should be 0Auth , so i gave my API endpoint to mobile app team now how they will get token to consume my API.

Hi Rohit,

You can do it many way in a cleaner and simple one.

  1. Register on behalf of your client with only required resource as scope and just share the token them to invoke resource API.

  2. if you want your client to generate token then you need to expose your token service as API. Here both client and providers as individual responsibility . As a provider you need to store all the meta data information about your client your client just simply invoke your get token wrapper service. if your oAuth is refresh token enabled then as client responsibility to recheck if the token is active by invoking introspect URL and call the service with active token.

Since your API are beside your firewall only authorized client will be able to reach your network from the DMZ. Design your solution in a simple and secure way .


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.