A Third-Party OAuth provider object provides settings to issue and validate tokens in order to protect access to the API.

New API Connect v2018 supports two types of OAuth Provider resources. This blog focuses on the Third-Party OAuth Provider. My blog http://developer.ibm.com/apiconnect/2019/01/29/creating-a-native-oauth-provider/ covers Native OAuth Provider.

To create a third-party OAuth provider object in the Cloud or API Manager, select Resources tab on the left navigation bar. Under Resources, select OAuth provider and click on Add > Third party OAuth provider


Step 1: Basic Info

The first step in the wizard requires you to fill out the basic details for your OAuth provider object.


Enter your OAuth provider object title and select the grant type.

Grant types:

There are 4 supported Grant types:

  • Implicit – An access token is returned immediately without an extra authorization code exchange step.
  • Application – Application to application. Corresponds to the OAuth grant type “Client Credentials.” Does not require User Security.
  • Access code – An authorization code is extracted from a URL and exchanged for an access code. Corresponds to the OAuth grant type “Authorization Code.”
  • Resource owner password – The user’s username and password are exchanged directly for an access token, so can only be used by first-party clients.

Gateway type:

DataPower Gateway refers to APIC V5x framework (compatibility mode) and DataPower API Gateway refers to the new framework which uses API Gateway object. Select the DataPower version of your choice for the gateway and click Next.


Step 2: Endpoints

Specify endpoint settings for the third-party OAuth provider.

  • Authorization URL – Client application obtains authorization grant.
  • Token URL – client application exchanges an authorization grant for an access token.
  • Introspection URL – API gateway validates the access tokens that are issued by the third-party provider.
  • TLS profile – TLS profile for communicating with the third-party provider. This field is optional but recommended.


Once you have finished adding the required endpoints, click Next.

Step 3: Scopes

The scopes here are for developers to understand what are allowed to access and do not take effect for scope check.


Sample scopes are added by default. You may choose to modify these scope names and descriptions or add more scopes.

Once you have finished adding the desired scopes, click Next.

Step 4: Summary

Summary page allows you to review your changes and gives you the ability to go back and make changes if necessary.


If everything looks good, simply click Finish and your Third-party OAuth provider object will be created.

You can view the list of your OAuth providers in the resources tab. You can view or make changes to an OAuth provider by clicking on each of the OAuth provider objects.

This concludes the tutorial for creating a Third Party OAuth Provider object. If you have questions, please let me know. Connect with me through comments below or via email at kthakre@us.ibm.com.

Join The Discussion

Your email address will not be published. Required fields are marked *