Layer7 API Management


API Access Control using OTK

  • 1.  API Access Control using OTK

    Posted 02-14-2017 12:13 PM

    Hi,

    We are using OTK for authentication and authorization.

    Assume we have two APIs:

    1. API-POST

    2. API-GET

    Both APIs are published to the Portal. Two applications are created in the Portal.

    Application1:

       API-POST is added to this application.

    Application2:

       API-GET is added to this application.

    There are two developers who can log in to the Portal and subscribe to APIs.

    Developer1: Subscribed to Application 1

          OAuth credentials: ClientId1, SecretKey1

    Developer2: Subscribed to Application 2

          OAuth credentials: ClientId2, SecretKey2

    Developers use the OAuth keys to generate an access token from the OTK API and use this token to authenticate to the actual APIs.

    Developer1 is able to view only API-POST from the Portal and get all the details required to call the API.

    Similarly, Developer2 can view API-GET and is unaware of API-POST.

    But what we have observed is that Developer1 can access API-GET with a token generated using his ClientId1 and ClientId2, even though he is restricted at the Portal. The same applies to Developer2.

    So anyone with a valid access token can call all the APIs of the Gateway, even if they were restricted at the Portal.

    Is it a serious security threat? Do we have any configuration where we can control access for users in the same way as the Portal?



  • 2.  Re: API Access Control using OTK
    Best Answer

    Posted 05-03-2017 04:32 PM

    Good afternoon,

    Limiting access to view certain applications/APIs through the Portal is about control to modify their behavior on the gateway for things such as rate limit, throughput, etc., along with handling documentation. When the user attempts to use the OAuth token against the API through the gateway, it can allow all OAuth tokens or can be limited to specific token values (https://docops.ca.com/ca-api-management-oauth-toolkit/3-5/en/secure-an-api-endpoint-with-oauth).

    Sincerely,

    Stephen Hughes

    Director, CA Support
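The gap described in the question is that token validity alone is checked, not which client the token belongs to. The following added example (not OTK's or the Gateway's own code) shows the per-API authorization decision a gateway policy would make on top of token validation: it consumes an RFC 7662-style introspection result and rejects a valid token whose client is not subscribed to the API. The allowlist, the scope names and the constructed introspection results are assumptions for illustration.

```python
import time

# Constructed policy: which OAuth client may call which API. It mirrors the
# Portal subscriptions from the question; anything not listed is denied.
API_CLIENT_ALLOWLIST = {
    "API-POST": {"ClientId1"},
    "API-GET": {"ClientId2"},
}

# Assumed scope each API requires (scope names are illustrative).
API_REQUIRED_SCOPE = {
    "API-POST": "orders:write",
    "API-GET": "orders:read",
}

# Constructed introspection results (RFC 7662 fields), as an OTK
# introspection call might return them for three different tokens.
TOKENS = {
    "tok-dev1": {"active": True, "client_id": "ClientId1", "scope": "orders:write", "exp": 4_102_444_800},
    "tok-dev2": {"active": True, "client_id": "ClientId2", "scope": "orders:read", "exp": 4_102_444_800},
    "tok-old": {"active": True, "client_id": "ClientId2", "scope": "orders:read", "exp": 1_000_000_000},
}


def authorize(api_name, introspection, now=None):
    """Return (allowed, reason) for a token calling `api_name`."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive or unknown"
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    allowed_clients = API_CLIENT_ALLOWLIST.get(api_name)
    if not allowed_clients:
        return False, "unknown API: no allowlist configured"
    client_id = introspection.get("client_id")
    if client_id not in allowed_clients:
        # This is the check missing in the question's setup: a valid token
        # issued to a client that is not subscribed to this API is rejected.
        return False, f"client {client_id!r} not subscribed to {api_name}"
    required = API_REQUIRED_SCOPE.get(api_name)
    granted = set(introspection.get("scope", "").split())
    if required and required not in granted:
        return False, f"missing scope {required!r}"
    return True, "ok"


def evaluate(api_name, token):
    """Look up a presented token and run the gateway-side decision."""
    return authorize(api_name, TOKENS.get(token, {"active": False}))
```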