We are using OTK for authentication and authorization.
Assume we have two APIs
Both APIs are published to Portal. Two applications are created in Portal.
API-POST is added to this application.
API-GET is added to this application.
There are two developers who can log in to the Portal and subscribe to APIs:
Developer1: subscribed to Application 1.
OAuth credentials: ClientId1, SecretKey1
Developer2: subscribed to Application 2.
OAuth credentials: ClientId2, SecretKey2
Developers use the OAuth keys to generate an access token from the OTK API and use this token to authenticate against the actual APIs.
Developer1 is able to view only API-POST from the portal and get all the details required to call API.
Similarly, Developer2 can view API-GET and is unaware of API-POST.
But what we have observed is that Developer1 can access API-GET with a token generated using his ClientId1 and ClientId2, even though he is restricted at the Portal. The same is true for Developer2.
So anyone with a valid access token can call all the APIs on the Gateway, even if they were restricted at the Portal.
Is this a serious security threat? Do we have any configuration where we can control access for the users in the same way as the Portal does?
Limiting access to view certain applications/APIs through the Portal is around control to modify its behavior on the gateway for things such as rate limit, throughput, etc., along with handling documentation. When the user attempts to use the OAuth token against the API through the gateway, it can allow all OAuth tokens or can be limited to specific token values (https://docops.ca.com/ca-api-management-oauth-toolkit/3-5/en/secure-an-api-endpoint-with-oauth).
Director, CA Support
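The gap the thread describes, as an added illustration (not OTK policy or CA's code): a gateway check that only asks "is this token valid?" lets Developer1's token reach API-GET, while a per-endpoint check that also ties the token's client to the API closes it. The token introspection data, API names and client allowlist below are constructed for the example.

```python
# Constructed stand-in for the OTK token check result, keyed by token value.
# Real OTK responses differ; only the fields used here are modelled.
TOKENS = {
    "tok-dev1": {"active": True, "client_id": "ClientId1"},
    "tok-dev2": {"active": True, "client_id": "ClientId2"},
    "tok-stale": {"active": False, "client_id": "ClientId1"},
}

# Which OAuth client (Portal application) may call which API. Portal shows
# this restriction to developers, but the gateway policy has to enforce it.
API_ALLOWED_CLIENTS = {
    "API-POST": {"ClientId1"},
    "API-GET": {"ClientId2"},
}


def introspect(token):
    """Hypothetical token lookup: token info if valid and active, else None."""
    info = TOKENS.get(token)
    if info is None or not info["active"]:
        return None
    return info


def authorize_token_only(api, token):
    """The behaviour observed in the question: any valid token, any API."""
    return introspect(token) is not None


def authorize_per_api(api, token):
    """Hardened endpoint check: the token must be valid AND belong to a
    client that is allowed for this specific API. Unknown APIs deny by default."""
    info = introspect(token)
    if info is None:
        return False
    return info["client_id"] in API_ALLOWED_CLIENTS.get(api, set())


def audit_denials(api, token):
    """Return a log line for a denied call so cross-application use is visible."""
    if authorize_per_api(api, token):
        return None
    info = introspect(token)
    client = info["client_id"] if info else "invalid-token"
    return f"DENY api={api} client={client}"


if __name__ == "__main__":
    for api in API_ALLOWED_CLIENTS:
        for tok in TOKENS:
            print(api, tok, authorize_token_only(api, tok), authorize_per_api(api, tok))
```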