IBM Support

APIs secured by OAuth are recorded in analytics only for errors, not for successful API calls, in API Connect v5/v5C

Question & Answer


Question

How does analytics work in API Connect V5/V5C when an API is secured by OAuth?

Answer

Our documentation for activity-log notes that API Connect logs analytics events for OAuth in failure cases but not in successful cases.
The reason for this behavior is that, in the API Connect version 5 framework, when the security definition uses OAuth, the framework uses the rule webapi-policy-oauth-1 to validate the OAuth requirement.

This rule always sets the variable var://service/mpgw/skip-backside to 1. The implication of this configuration for an API with an OAuth security requirement is that the multi-protocol gateway webapi’s response rule is always skipped in a successful API call.

By design, the API Connect V5 framework creates the analytics record in the response rule and pushes it to the Management server. When the response rule isn’t triggered, no analytics event occurs.

Analytics data is recorded for failure cases because the error rule is triggered in the processing policy.
Note: The error rule is a different code path that also records analytics.

The API Gateway does not have the same limitations. Users wanting to see OAuth in the analytics can consider migrating to the API Gateway.


Document Information

Modified date:
26 April 2023

UID

ibm16985567