Applying security definitions to an API operation

You can specify whether or not an API operation inherits the security definitions that have been created in the containing API.

About this task

Note: This task relates to configuring an OpenAPI 2.0 API definition. For details on how to configure an OpenAPI 3.0 API definition, see Editing an OpenAPI 3.0 API definition.

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

You can choose to inherit all the security definitions, or you can individually select the security definitions that you want to inherit.

For information on creating security definitions in an API, see Creating a security definition.

Procedure

To specify the security definition inheritance settings for an API operation by using IBM® API Connect, complete the following steps:

  1. In the navigation pane, click Develop, then select the APIs tab.
  2. To specify the security definition inheritance settings for an operation in an existing API, click the title of the API that you want to work with.

    To create a new API and API operation before specifying the security definition inheritance settings, see Creating an API definition and Defining Paths for a REST API.

  3. Click Paths, and then click the required path.
  4. In the Operations section, click the required operation to display its details.
  5. Specify which security definitions to apply to your operation. By default, all the security definitions that have been configured for the API are applied to the operation. To select which of the API security definitions you want to apply to the operation, complete the following steps:
    1. Select Override API Security Definitions.
      An Add button is displayed.
    2. Click Add, then select the required security definitions.

      When you apply a security definition to an API operation, the user interface presents the set of all existing security definitions. You can select one or more of the definitions from the set, to specify the exact combination of definitions that you want this API operation to satisfy.

      In addition, you can specify multiple combinations of definitions. To specify a second combination, click Add again, and the interface presents a second set of all existing security definitions. Select the check box for each definition that you want included in the second combination. You can add additional sets, and specify additional combinations, until you've created all the valid combinations for the API operation.

      An application can call your API operation if it satisfies any of the combinations you have defined.

    3. If the selected security definition is of type OAuth2, select the required scopes. The scopes available for selection are those that were specified in the security definition; for more information, see Creating an OAuth security definition.
      Note: If you are using the DataPower® Gateway (v5 compatible), you must select at least one scope, and the scope sent in an API request must match one of the selected scopes, otherwise the call fails.

      If you are using the DataPower API Gateway, you need to select scopes only if Advanced scope check after token generation is not enabled in the native OAuth provider associated with the security definition. If a default scope has been set in the native OAuth provider and the API request doesn't contain any scope, the default scope is used; for more information, see Configuring scopes for a native OAuth provider.

    Note: The following additional requirement applies to security definitions that will be used with an OAuth third party provider. If you select an OAuth security definition for protecting a consumer API, you must also include an API key security definition, as the X-IBM-Client-Id or client_id must be included in the security credentials so that the correct Plan configuration settings can be enforced.
  6. Click Save to save your changes.
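The following is an added example, not IBM API Connect code: it models, in plain Python over a constructed OpenAPI 2.0 fragment, the semantics the procedure above configures. An operation inherits the API-level security list unless it overrides it, a request may satisfy any one of the listed combinations, every definition inside a combination must be presented, and for OAuth2 entries a scope sent must match one of the selected scopes (the rule the page states for the DataPower Gateway (v5 compatible)). The definition names, paths and scope names are assumptions chosen for the example.

```python
# Added example (not IBM API Connect code): a model of the OpenAPI 2.0 security
# semantics the UI procedure above configures. Inheritance/override, OR across
# combinations, AND within a combination, and the v5-compatible scope rule
# ("a scope sent must match one of the selected scopes") are all modelled.

# Constructed OpenAPI 2.0 fragment (assumed names; not taken from the page).
SPEC = {
    "securityDefinitions": {
        "clientIdHeader": {"type": "apiKey", "in": "header", "name": "X-IBM-Client-Id"},
        "clientIdQuery": {"type": "apiKey", "in": "query", "name": "client_id"},
        "oauth2": {"type": "oauth2", "flow": "accessCode",
                   "scopes": {"read": "read orders", "write": "change orders"}},
    },
    # API-level list: either form of API key is sufficient on its own.
    "security": [{"clientIdHeader": []}, {"clientIdQuery": []}],
    "paths": {"/orders": {
        "get": {},  # no `security` key: inherits the API-level list
        "post": {"security": [  # Override API Security Definitions: two valid combinations,
            {"clientIdHeader": [], "oauth2": ["write"]},  # each pairing OAuth2 with an API key
            {"clientIdQuery": [], "oauth2": ["write"]},   # (as the note on third-party OAuth requires)
        ]},
    }},
}


def effective_security(spec, path, method):
    """Security list that applies to an operation: its override if present, else the API-level list."""
    operation = spec["paths"][path][method]
    return operation["security"] if "security" in operation else spec.get("security", [])


def satisfies(spec, path, method, presented):
    """presented: {definition name: set of scopes carried by that credential}
    (an empty set for apiKey credentials). True if any combination holds."""
    requirements = effective_security(spec, path, method)
    if not requirements:  # OpenAPI 2.0: an empty list means no security is required
        return True
    definitions = spec["securityDefinitions"]
    for combination in requirements:
        for name, selected_scopes in combination.items():
            if name not in presented:
                break  # a definition in this combination was not presented
            if definitions[name]["type"] == "oauth2" and not presented[name] & set(selected_scopes):
                break  # no scope sent matches one of the selected scopes
        else:
            return True  # every definition in this combination held
    return False
```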