A third-party Authorization Server issues the access token. It also provides the client_id and client_secret.
CA API Gateway is the resource server; it validates the access tokens.
Beyond verifying the access token, what are the possible scenarios for integrating CA APIM with a third-party Authorization Server?
How does CA APIM identify the client application for usage metrics, throttling, etc.? I see two possible scenarios:
• CA APIM and the third-party Authorization Server share the client_id. If so, how does the enrollment of a new client app work on CA API Portal? How can the Authorization Server and the Portal interact with each other?
• Or CA APIM generates API keys (or mutual TLS) from the API Portal. Then where should the API key be set: Authorization header (alongside the access token?), query string, custom header, ...?
What would be your recommendation?
If the Gateway is only being used as a resource server and the third party exposes a Token Introspection endpoint (RFC 7662), it may share the client_id as part of the introspection response. You could then use some logic within policy to try to gather metrics depending on your needs.
As for the Portal side, what version of Portal are you using?
I am not clear on the second part of your question; could you help clarify it?
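The following is an added illustration of the introspection-based flow described in the reply above; it is not code from the original thread, from CA APIM, or from any policy shipped with the Gateway. It shows the decision logic a resource server would apply: extract the bearer token from the Authorization header (RFC 6750), ask the third-party Authorization Server's introspection endpoint whether the token is active (RFC 7662), and use the optional `client_id` member of the response to attribute the call for metrics and throttling. The introspection endpoint, its responses, the token strings, the client names and the rate limit are all constructed so the example runs offline; a real deployment would make an authenticated HTTPS call to the Authorization Server instead of the stub.

```python
"""RFC 7662 token introspection as the hook for per-client metrics and throttling.

Added example, not CA APIM's own policy. The resource server never issued the
token, so the only authoritative way to learn which client it belongs to is the
introspection response from the Authorization Server.
"""
from collections import defaultdict, deque

# ---- Constructed stand-in for the third party's introspection endpoint -------
# Keys are opaque access tokens; values mimic the JSON object RFC 7662 returns.
# Only "active" is REQUIRED by the RFC; client_id, scope and exp are OPTIONAL,
# which is why the resource server must tolerate their absence.
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic
CONSTRUCTED_AS_RESPONSES = {
    "tok-alpha-1": {"active": True, "client_id": "app-alpha", "scope": "orders:read", "exp": NOW + 600},
    "tok-beta-1":  {"active": True, "client_id": "app-beta",  "scope": "orders:read", "exp": NOW + 600},
    "tok-stale":   {"active": True, "client_id": "app-alpha", "scope": "orders:read", "exp": NOW - 1},
    "tok-revoked": {"active": False},
    "tok-noid":    {"active": True, "scope": "orders:read", "exp": NOW + 600},
}


def stub_introspect(token):
    """Simulates POST /introspect. Unknown tokens yield {"active": false}: the RFC
    tells the endpoint not to reveal whether a token is invalid, expired or unknown."""
    return CONSTRUCTED_AS_RESPONSES.get(token, {"active": False})


def parse_bearer(authorization):
    """Return the token from 'Authorization: Bearer <token>' (RFC 6750), else None.
    The scheme name is case-insensitive; anything other than Bearer is rejected."""
    if not authorization:
        return None
    scheme, _, credentials = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def identify_client(token, introspect, now):
    """Validate the token via introspection and return (client_id, reason)."""
    resp = introspect(token)
    if not resp.get("active"):
        return None, "inactive"
    exp = resp.get("exp")
    if exp is not None and exp <= now:
        # Defensive: an "active" token should not be expired, but a cached or
        # clock-skewed introspection result can say otherwise.
        return None, "expired"
    client_id = resp.get("client_id")
    if not client_id:
        return None, "no_client_id"  # valid token, but nothing to meter it against
    return client_id, "ok"


class SlidingWindowThrottle:
    """Per-client request limiter over a sliding window (illustrative only)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)  # client_id -> timestamps of recent calls

    def allow(self, client_id, now):
        q = self.hits[client_id]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(headers, now, introspect=stub_introspect, throttle=None, metrics=None):
    """Return (http_status, client_id) as a resource-server policy would decide it.

    401: no usable bearer token (RFC 6750 invalid_token / missing credentials).
    403: token is valid but carries no client_id, so the call cannot be attributed
         and is refused by policy (an alternative is to meter it under "unknown").
    429: the identified client exceeded its quota.  Every authenticated call is
         counted in `metrics`, including the ones that are then throttled.
    """
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return 401, None
    client_id, reason = identify_client(token, introspect, now)
    if reason == "no_client_id":
        return 403, None
    if client_id is None:
        return 401, None
    if metrics is not None:
        metrics[client_id] = metrics.get(client_id, 0) + 1
    if throttle is not None and not throttle.allow(client_id, now):
        return 429, client_id
    return 200, client_id


if __name__ == "__main__":
    throttle = SlidingWindowThrottle(limit=2, window_seconds=60)
    usage = {}
    for i, tok in enumerate(["tok-alpha-1", "tok-alpha-1", "tok-alpha-1", "tok-beta-1", "tok-noid"]):
        print(tok, handle_request({"Authorization": f"Bearer {tok}"}, NOW + i, throttle=throttle, metrics=usage))
    print("usage by client_id:", usage)
```

Note that the `client_id` in the introspection response is only as trustworthy as the channel to the Authorization Server: the call to the introspection endpoint must itself be authenticated (client credentials or mutual TLS, as RFC 7662 requires), and the result should be cached only for as long as the token's `exp` allows.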