It is possible, and even increasingly common, to secure API access using third party OAuth providers. This article examines the requirements and procedures needed to integrate third party OAuth providers with API Connect.

There are two common architectures: API Connect as the enforcement point, or API Connect as the token provider with a third party enforcing access (third party enforcement).

APIC Enforcement
A third party provides the OAuth token presented by a client application. API Connect must determine if the token is valid and either allow or disallow API access.

Figure: Third party OAuth Provider

The exchange proceeds as follows.

1. The client application requests an OAuth token from the third party OAuth provider. The provider requires credentials from the client, which are validated by the third party provider. The client obtains a token.

2. The client application sends an API access request to an endpoint managed by API Connect. This request must contain the OAuth token and an API Connect Application ID (and perhaps an optional Secret). The API Connect Application ID identifies the application to API Connect; it is used for quota enforcement and optional auditing.

The application can provide the credential that API Connect needs for the third party OAuth provider by including an x-introspect-basic-authorization header in the request.

If the client does not have a valid API Connect Client ID, it may be necessary to use an intermediary utility to provide this credential. This intermediary could be a script running on API Connect.

3. API Connect must verify the OAuth token. API Connect can take one of two possible actions.
a. If the OAuth token is in JSON Web Token format, API Connect can use the JWT Validate policy to verify the access token.
b. If the OAuth token is in an opaque token format, API Connect can contact the issuing third party OAuth provider to verify the token.

If needed (the opaque token case), API Connect submits the token presented by the client to the Introspection URL configured in API Connect. By default, API Connect uses the Client ID sent by the client to authenticate with the third party token provider in the request that validates the token. API Connect may also use a specific TLS profile for the connection if one is configured.

If the client included an x-introspect-basic-authorization header, those credentials are used for the introspection request instead. If neither of these credentials will satisfy the third party provider, it may be necessary to use an intermediary to provide them. This intermediary could be a script running on API Connect.

The third party provider returns the result of the introspection request. If the response does not conform to RFC 7662, it may be necessary to use an intermediary to interpret the result and present it in the expected format. This intermediary could be a script running on API Connect. API Connect either allows or disallows the request based on the response.
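The APIC enforcement exchange above, as an added example in plain Node.js that is not API Connect's own code: it selects the credential for the introspection call (x-introspect-basic-authorization first, then the client id/secret), submits the token as an RFC 7662 request, and translates a non-conforming provider reply into the {active, sub, scope, exp} shape. The X-IBM-Client-Id/X-IBM-Client-Secret header names, the sendIntrospection transport stub and the provider reply format are assumptions made for this example.

```javascript
// Added example, not API Connect's own code: the credential selection and
// RFC 7662 normalization an intermediary script performs when API Connect is
// the enforcement point. Header names and provider reply format are assumed.

// Prefer x-introspect-basic-authorization; else Basic from the client id/secret headers.
function introspectionAuthorization(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (h['x-introspect-basic-authorization']) return h['x-introspect-basic-authorization'];
  if (!h['x-ibm-client-id']) return null;
  const pair = `${h['x-ibm-client-id']}:${h['x-ibm-client-secret'] || ''}`;
  return 'Basic ' + Buffer.from(pair).toString('base64');
}

// Map a provider-specific reply to RFC 7662 ({active, sub, scope, exp});
// a reply that already carries a boolean "active" passes through unchanged.
function toRfc7662(raw, nowSeconds) {
  if (typeof raw.active === 'boolean') return raw;
  const unexpired = raw.expires === undefined || raw.expires > nowSeconds;
  const out = { active: raw.valid === 'yes' && unexpired };
  if (!out.active) return out;
  if (raw.subject) out.sub = raw.subject;
  if (raw.scopes) out.scope = raw.scopes.join(' ');
  if (raw.expires !== undefined) out.exp = raw.expires;
  return out;
}

// Allow/deny decision. sendIntrospection stands in for the HTTPS POST to the
// introspection URL configured in API Connect (injected so this runs offline).
function enforce(request, sendIntrospection, nowSeconds) {
  const m = /^Bearer\s+(\S+)$/i.exec(request.headers.authorization || '');
  if (!m) return { allow: false, reason: 'missing bearer token' };
  const auth = introspectionAuthorization(request.headers);
  if (!auth) return { allow: false, reason: 'no credential for introspection' };
  const raw = sendIntrospection({
    headers: { authorization: auth, 'content-type': 'application/x-www-form-urlencoded' },
    body: 'token=' + encodeURIComponent(m[1]),
  });
  const result = toRfc7662(raw, nowSeconds);
  return { allow: result.active === true, introspection: result };
}

// Constructed third-party provider: demands Basic app:secret and replies in a non-RFC 7662 shape.
function fakeProvider(req) {
  if (req.headers.authorization !== ('Basic ' + Buffer.from('app:secret').toString('base64'))) return { valid: 'no' };
  const token = new URLSearchParams(req.body).get('token');
  if (token !== 'tok-good') return { valid: 'no' };
  return { valid: 'yes', subject: 'alice', scopes: ['read', 'write'], expires: 2000 };
}
```

A real intermediary would replace fakeProvider with the HTTPS call to the provider's introspection URL and return the normalized object to the gateway's OAuth policy.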

Third Party Enforcement
API Connect provides the OAuth token and a third party must determine if the token is valid and either allow or disallow API access.


The exchange proceeds as follows.

1. The client application requests an OAuth token from API Connect. This request must contain an API Connect Client ID (and perhaps an optional Secret). The request may contain additional credentials API Connect uses to authenticate the request. The client obtains a token.

2. The client application sends an API access request to an endpoint managed by the third party. This request must contain the OAuth token and may contain any other credentials needed by the third party.

3. The third party submits the token presented by the client to the Introspection URL configured in API Connect. API Connect validates the token and returns the result in standard format. If the third party does not have a valid API Connect Client ID, it is necessary to use an intermediary, such as a script on API Connect, to provide this credential.

The third party takes whatever action is appropriate based on the result of the validation.
