Authenticating API Gateway APIs using OAuth 2.0 with a local authorization server

This article explains how to implement OAuth 2.0 on API Gateway using the local authorization server.


It is assumed that readers of this article know how to set up APIs and policies on API Gateway.


Prerequisites:

• An active tenant subscription on API Gateway.
• The API configured on API Gateway.
• An application created and the API associated with it.
• Refer to the following link to learn how to create an API:
GitHub - SoftwareAG/webmethods-api-gateway: Repository hosting developer tutorials, code samples, custom policies, CI/CD scripts and more to enable developers develop faster with API Gateway

Use Case:

• We configured an API on API Gateway that checks the availability of beds in hospitals.
• To invoke this API through API Gateway we enforce the OAuth 2.0 mechanism.
• In our case API Gateway itself acts as the authorization server.
• First we obtain an access token from the authorization server, then we pass that same token in the request to access the API.

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

For detailed information, see the following link: OAuth 2.0 — OAuth

How does OAuth 2.0 work?


API used for our use case:

API Name: CheckBedAvailability

Enforce the policy

  • Open the API CheckBedAvailability.
  • Navigate to the Policies tab.
  • Click on the Identify & Access policy.
  • Select Identify & Authorize Application.
  • Select OAuth2 Token.
  • Save the changes.


Create a scope in the API

  1. Go to the API; in our case it is CheckBedAvailability.
  2. Navigate to Scopes within the API.
  3. Create the scope and map the resource to it.
  4. In our case the scope name is CheckBedAvailibiltyScope.
  5. Add the resource; in our case its name is CheckBedAvailability.
  6. Click Save.


Add the scope to the authorization server

  1. Click on the Administration tab.
  2. Navigate to the Security tab.
  3. From the left-hand menu click on JWT/OAuth/OpenID.
  4. Click on the local authorization server.
  5. Add the scope and save it.


Map the API scope to the OAuth scope

  1. Click on Map scope.
  2. Enter the authorization server scope; in our case it is local:OAuthCheckBedAvailabilityScope.
  3. Enter the API scope name; in our case it is CheckBedAvailibiltyScope, the scope created above.
  4. Click Save.

Create an application

  1. Click on Create application and name it HospitalManagmentApplication.
  2. Select the API to associate with this application; in our case it is the CheckBedAvailability API.
  3. Click on Authentication and then on Create strategy.
  4. Select OAuth2 as the authentication scheme.
  5. Provide a name for the strategy.
  6. Select local as the authorization server.
  7. Enable Generate credentials.
  8. Select Confidential as the application type.
  9. Select Web as the application profile.
  10. Select “Client_credentials” as the grant type.
  11. Select the scope; in our case it is OAuthCheckBedAvailabilityScope.
  12. Click on Add.
  13. This generates the client ID and client secret, which are used to obtain the access token.


Test using the Postman client

  1. Under Authorization, select OAuth 2.0.
  2. Set the following values for the access token:

Access Token:
Grant Type: Client Credentials
Client ID: available in the application
Client Secret: available in the application
Client Authentication: Send as Basic Auth header

  3. Click on Generate token.
  4. Click on Use token.
  5. Submit the request.
  6. Validate the response.
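The same exchange that Postman performs in the steps above, written out as an added Python example (it is not part of the original article or of API Gateway): the client ID and secret travel in a Basic Authorization header, the grant type and scope in the form body, and the returned access token is then presented to the API as a Bearer token. The two URLs, the credentials and the sample token response are placeholder assumptions; take the real token endpoint from the local authorization server settings and the API URL from the API details page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholders (assumptions): copy the token endpoint from the local authorization
# server configuration and the API endpoint from the CheckBedAvailability API.
TOKEN_URL = "https://APIGATEWAY_HOST/TOKEN_ENDPOINT_PLACEHOLDER"
API_URL = "https://APIGATEWAY_HOST/gateway/CheckBedAvailability/1.0/beds"
SCOPE = "OAuthCheckBedAvailabilityScope"  # the authorization server scope from the article

# Constructed sample of what a token endpoint returns; used only to illustrate parsing.
SAMPLE_TOKEN_RESPONSE = '{"access_token":"abc","token_type":"Bearer","expires_in":3600}'


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Send as Basic Auth header' in Postman: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id: str, client_secret: str, scope: str = SCOPE) -> urllib.request.Request:
    """Client credentials grant: credentials in the header, grant_type and scope in the body."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(raw_json: str, now: float):
    """Return (access_token, expiry_epoch); reject anything that is not a bearer token."""
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response")
    return data["access_token"], now + int(data.get("expires_in", 0))


def token_is_fresh(expiry_epoch: float, now: float, skew: int = 30) -> bool:
    """Re-request a token shortly before expires_in elapses instead of on the first 401."""
    return now + skew < expiry_epoch


def api_request(access_token: str) -> urllib.request.Request:
    """What Postman's 'Use token' does: send the token to the API as a Bearer token."""
    return urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":  # live run against a real gateway; placeholders must be replaced first
    cid, secret = "CLIENT_ID_FROM_APPLICATION", "CLIENT_SECRET_FROM_APPLICATION"
    with urllib.request.urlopen(token_request(cid, secret)) as resp:
        token, expiry = parse_token_response(resp.read().decode(), time.time())
    with urllib.request.urlopen(api_request(token)) as resp:
        print(resp.status, resp.read().decode())
```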