Defining OAuth2 security schemes

An OAuth2 security scheme defines the settings for controlling access to the API operations through the OAuth authorization standard.

Before you begin

Before you can create an OAuth2 security scheme, you must:
  1. Create an OAuth provider.
  2. Add the OAuth provider to a catalog. If you have not created any catalogs, use the Sandbox Catalog. See the OAuth instructions step in Creating and configuring Catalogs.

About this task

Note: This task relates to configuring an OpenAPI 2.0 API definition. For details on how to configure an OpenAPI 3.0 API definition, see Editing an OpenAPI 3.0 API definition.

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

To make use of an OAuth2 security scheme, you must reference it from elsewhere in your API definition. For more information, see Enforcing security requirements on an API and Enforcing security requirements on an operation.

At any time, you can switch directly to the underlying OpenAPI YAML source by clicking the Source icon. To return to the design form, click the Form icon.

Procedure

  1. Open the API for editing, as described in Editing an OpenAPI 3.0 API definition.
  2. If there are already one or more security schemes defined, expand Security Schemes.
  3. To create an OAuth2 security scheme, click the add icon alongside Security Schemes, then select oauth2. To edit an existing OAuth2 security scheme, click the security scheme name in the navigation pane.
  4. Enter an identifying name of your choice in the Security Scheme Name field.
  5. Provide the following information:
    • Security Scheme Name: An identifying name of your choice.
    • OAuth Provider: Select the OAuth provider to be used.
    • Flow: Select one of the following options:
      • Implicit
      • Resource Owner - Password
      • Application
      • Access Code
      Note: The flow options that are available for selection depend on which options are supported by the selected OAuth provider.

      If you selected Resource owner - JWT as the supported grant type when you created the OAuth provider, you must select Resource Owner - Password as the Flow for this security scheme.

    • Description: An optional description of the OAuth2 security scheme. You can use CommonMark syntax for rich text representation.
    • The URL endpoints (the applicable endpoints depend on the flow type):
      • Authorization Url
      • Token Url
      Note: The URL endpoint values supplied here are maintained only for informative purposes; API Connect applies no validation or other action to them. The OAuth security that is actually enforced depends on the specified OAuth provider.
    • Scopes (available if you are editing an existing OAuth2 security scheme):
      • To add a new scope, click Add. To edit an existing scope, click the options icon alongside the required scope, then click Edit.
      • Provide the following information:
        • Scope: The scope identifier.
        • Description: An optional description of the scope. You can use CommonMark syntax for rich text representation.
        • If you are creating a new scope, click Create.
  6. If you are creating a new OAuth2 security scheme, click Create.
    The security scheme details are displayed for further editing.
  7. Click Save when done.

What to do next

Apply the security scheme to an API or operation. For more information, see Enforcing security requirements on an API and Enforcing security requirements on an operation.
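The procedure above produces an oauth2 entry under securityDefinitions in the OpenAPI 2.0 source, and the "what to do next" step references that entry from API-level or operation-level security requirements. The following Python is an added example, not part of this documentation or of API Connect: it checks a constructed OpenAPI 2.0 document for the mistakes a reviewer most often finds in such definitions (a flow missing the endpoint the OpenAPI 2.0 specification requires for it, an empty scopes map, or a security requirement that names a scheme or scope that was never declared). The mapping from the Flow options shown in the form to the OpenAPI 2.0 flow values is an assumption; the sample API, its URLs and its header name are constructed for the example.

```python
"""Sanity-check oauth2 security schemes and their references in an OpenAPI 2.0 document.

Added example (not API Connect code). OpenAPI 2.0 itself requires, per flow,
the endpoints listed in FLOW_RULES; API Connect treats the URL values as
informational only, so this check is document hygiene, not enforcement.
"""

# Endpoints the OpenAPI 2.0 specification requires for each oauth2 flow value.
FLOW_RULES = {
    "implicit": {"authorizationUrl"},
    "password": {"tokenUrl"},
    "application": {"tokenUrl"},
    "accessCode": {"authorizationUrl", "tokenUrl"},
}

# Assumed mapping from the Flow options in the form to OpenAPI 2.0 flow values.
FORM_FLOW_NAMES = {
    "Implicit": "implicit",
    "Resource Owner - Password": "password",
    "Application": "application",
    "Access Code": "accessCode",
}


def validate_oauth2_scheme(name, scheme):
    """Return a list of problems found in one oauth2 securityDefinitions entry."""
    problems = []
    if scheme.get("type") != "oauth2":
        problems.append(f"{name}: type must be 'oauth2', got {scheme.get('type')!r}")
        return problems
    flow = scheme.get("flow")
    if flow not in FLOW_RULES:
        problems.append(f"{name}: unknown flow {flow!r}; expected one of {sorted(FLOW_RULES)}")
        return problems
    # Each flow needs specific endpoints; insist on https so the document never
    # advertises a plaintext authorization or token endpoint.
    for url_key in sorted(FLOW_RULES[flow]):
        url = scheme.get(url_key)
        if not isinstance(url, str) or not url.startswith("https://"):
            problems.append(f"{name}: flow {flow!r} needs an https {url_key}")
    scopes = scheme.get("scopes")
    if not isinstance(scopes, dict) or not scopes:
        problems.append(f"{name}: at least one scope must be declared")
    return problems


def validate_security_references(api):
    """Check API-level and per-operation security requirements against declared schemes."""
    problems = []
    defs = api.get("securityDefinitions", {})

    def check(requirements, where):
        for req in requirements:
            for scheme_name, scopes in req.items():
                if scheme_name not in defs:
                    problems.append(f"{where}: references undeclared scheme {scheme_name!r}")
                    continue
                declared = set(defs[scheme_name].get("scopes", {}))
                for scope in scopes:
                    if scope not in declared:
                        problems.append(f"{where}: scope {scope!r} not declared on {scheme_name!r}")

    check(api.get("security", []), "api")
    for path, operations in api.get("paths", {}).items():
        for method, operation in operations.items():
            if "security" in operation:
                check(operation["security"], f"{method.upper()} {path}")
    return problems


def validate_api(api):
    """Validate every oauth2 scheme, then every reference to any scheme."""
    problems = []
    for name, scheme in api.get("securityDefinitions", {}).items():
        if scheme.get("type") == "oauth2":
            problems += validate_oauth2_scheme(name, scheme)
    problems += validate_security_references(api)
    return problems


# Constructed sample: a valid Access Code scheme plus an operation that asks for
# a scope the scheme never declared.
SAMPLE_API = {
    "swagger": "2.0",
    "securityDefinitions": {
        "orders-oauth": {
            "type": "oauth2",
            "flow": "accessCode",
            "authorizationUrl": "https://auth.example.com/oauth2/authorize",
            "tokenUrl": "https://auth.example.com/oauth2/token",
            "scopes": {"orders:read": "Read orders", "orders:write": "Create orders"},
        },
        "client-id": {"type": "apiKey", "in": "header", "name": "X-Client-Id"},
    },
    "security": [{"client-id": [], "orders-oauth": ["orders:read"]}],
    "paths": {"/orders": {"post": {"security": [{"orders-oauth": ["orders:admin"]}]}}},
}

if __name__ == "__main__":
    for problem in validate_api(SAMPLE_API):
        print(problem)
```

Running the script on the sample reports only the operation-level reference to the undeclared orders:admin scope; the scheme itself passes because the Access Code flow has both required https endpoints and a non-empty scopes map. A scheme whose flow was switched to Implicit without an Authorization Url would be reported by validate_oauth2_scheme before any references are examined.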