Identify Authentication methods used by an Application

*Product/components used and version/fix level: SAG Hosted Cloud API GW

*Detailed explanation of the problem: We have many applications consuming multiple API’s. All API currently have the identify and Access policies set to API Key and OAuth2 Token. In some cases this is set to IP addresses as well.

We are in the process to remove unwanted methods of application identification. For the same purpose, is there any way we should be able to make out how an application is currently Authorizing itself by looking at the Analytics entries? So if we get the info saying for example Application A is authorizing via OAuth2 tokens, we can safely remove the API key option for the respective API.

@rpillai-c Application Management API’s are available for on-prem . Give it try to your SAG cloud environment

curl --location ‘https://hostname:port/rest/apigateway/applications’
–header ‘Accept: application/json’
–header ‘Authorization: Basic ddddddddddddddddd==’

This will give you list of available Application with associated identifier , authentication strategy and list of enabled authentications

Thanks Dinesh, This will give us the authentication set for Applications. I am more keen on identifying how the applications are authenticating i.e. API key or OAUTH2 by looking at the analytics. Is there anyway we can get this info?

I don’t think you’ll be able to know which process (API key, Oauth2 or IP address) was used to identify the application.
However the analytics could be used to know if the caller presents a x-gateway-apikey header (API key) or an authorization header (Oauth2, assuming there’s no call with basic Auth.)
You need to activate the logging of http headers in the “Log invocation” policy that’s in the “Traffic management” stage. You could do this in the built-in “Transaction logging” global policy.
Headers will be obfuscated for obvious confidentiality reasons, but you’ll still be able to know who presents what, and make assumptions regarding the process that’s eventually used to identify the application and authenticate the call.

1 Like