How to restrict access to different resources in a restful API to consumers?

If I have a RESTful API with 2 resources:

  • POST /r1
  • PATCH /r2

The API is protected with the x-Gateway-APIKey request header.

Consumer 1 is allowed to access only /r1, and consumer 2 is allowed to access only /r2.
How can this be achieved?
With OAuth, I can restrict the consumers with scoping; however, the API is to be protected only with the x-Gateway-APIKey request header.

Please suggest.

Hi @mofarhan,
As you said, this can easily be achieved using OAuth scopes.

The other option I could think of is to create a scope for each resource.
Under each scope, use the Identify and Authorize policy.
Under the Authorize policy, we should use the API key and a header name to authenticate the request.

In my use case I created an application, and inside the application we have 2 headers, one for each resource.

And now when I invoke the request, I pass that header as well, apart from the API key.
And this should get validated.

I am attaching the sample API along with the application for your reference.
WorkflowAPI.zip (13.3 KB)
WorkFlowApplication.zip (12.7 KB)

Curl command used for testing the API:

```
curl --location --request POST 'http://replaceWithTenantName/gateway/WorkflowAPI/1.0/2mEU92D7mY' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'x-Gateway-APIKey: c31bc8ba-1299-4034-badf-1c118abaa786' \
  --header 'CustomerResourceID: 11223344'
```

Let me know if this solves your usecase problem.

Regards
Vikash Sharma
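
To make the mechanism in the answer above concrete, here is an added example that is not part of the thread and not API Gateway's own code: a small Python model of what the gateway does when one scope is defined per resource and each scope's Identify and Authorize policy checks the API key plus a per-resource header. The scope names, consumer names, API keys and registered CustomerResourceID values are constructed placeholders (assumptions); the header names x-Gateway-APIKey and CustomerResourceID come from the answer. The key is used to identify the consumer, the request's method and path select the scope, and the consumer must both be granted that scope and present the identifier value registered for it; a valid key for the wrong resource is refused with 403 rather than 401, and the key comparison is constant-time.

```python
"""Model of per-resource authorization keyed on x-Gateway-APIKey (added example)."""
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One scope per resource, as suggested in the answer. Each scope also names the
# extra identifier header its Authorize step checks. (Constructed sample data.)
SCOPES = [
    # (scope name, HTTP method, path pattern, identifier header required by the scope)
    ("r1-scope", "POST", re.compile(r"^/r1$"), "CustomerResourceID"),
    ("r2-scope", "PATCH", re.compile(r"^/r2$"), "CustomerResourceID"),
]

# Consumer registry: API key -> consumer record. Keys are illustrative placeholders.
CONSUMERS = {
    "consumer1-key-1111": {
        "name": "Consumer 1",
        # scope -> identifier header values registered for this consumer
        "scopes": {"r1-scope": {"CustomerResourceID": "11223344"}},
    },
    "consumer2-key-2222": {
        "name": "Consumer 2",
        "scopes": {"r2-scope": {"CustomerResourceID": "55667788"}},
    },
}


@dataclass
class Decision:
    status: int            # HTTP status the gateway would return
    reason: str
    consumer: Optional[str] = None


def lookup_consumer(presented_key: str) -> Optional[dict]:
    """Identify step: find the consumer owning the key using constant-time comparison."""
    found = None
    for stored_key, record in CONSUMERS.items():
        # Compare every entry so the loop cost does not depend on which key matched.
        if hmac.compare_digest(stored_key.encode(), presented_key.encode()):
            found = record
    return found


def resolve_scope(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Map the request to the scope covering that resource, or None if no resource matches."""
    for name, scope_method, pattern, ident_header in SCOPES:
        if scope_method == method.upper() and pattern.match(path):
            return name, ident_header
    return None


def authorize(method: str, path: str, headers: dict) -> Decision:
    """Full Identify and Authorize decision for one request."""
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}

    key = hdrs.get("x-gateway-apikey")
    if not key:
        return Decision(401, "missing x-Gateway-APIKey header")
    consumer = lookup_consumer(key)
    if consumer is None:
        return Decision(401, "unknown API key")

    resolved = resolve_scope(method, path)
    if resolved is None:
        return Decision(404, "no resource matches this method and path")
    scope, ident_header = resolved

    granted = consumer["scopes"].get(scope)
    if granted is None:
        # Valid consumer, but this resource's scope was never granted to it.
        return Decision(403, f"{consumer['name']} is not authorized for {scope}", consumer["name"])

    expected = granted.get(ident_header, "")
    presented = hdrs.get(ident_header.lower(), "")
    if not presented or not hmac.compare_digest(expected.encode(), presented.encode()):
        return Decision(403, f"{ident_header} missing or not registered for {scope}", consumer["name"])

    return Decision(200, "ok", consumer["name"])


if __name__ == "__main__":
    # Mirrors the curl in the answer: key plus CustomerResourceID on the POST resource.
    print(authorize("POST", "/r1", {"x-Gateway-APIKey": "consumer1-key-1111",
                                    "CustomerResourceID": "11223344"}))
    print(authorize("PATCH", "/r2", {"x-Gateway-APIKey": "consumer1-key-1111",
                                     "CustomerResourceID": "11223344"}))
```

The important design point is that the resource allowlist is bound to the identity established by the API key, so a consumer cannot widen its own access by guessing a header value: the CustomerResourceID is only accepted if it matches what was registered for that consumer in that scope.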

@Vikash_Sharma1 Thanks. Let me go through your solution. However, the product version I use is 10.7 and I am not able to import the same. I get this error: "Importing an archive failed.
The selected archive is not supported by this API Gateway version. The archive was exported from API Gateway version: 11.0. If possible, please export them using a lower version."

@mofarhan,
I developed this on a higher version.
I am putting some screenshots here for your reference.

Application: (screenshot)

API: (screenshot)

Let me know if this helps.

Regards
Vikash Sharma

Great. Crystal clear. Thanks for your support each time.
