Client ID behavior in API key security definitions

How the Client ID behaves in API key security definitions in IBM® API Connect 10 compared to Version 5.

API key security definitions that contain multiple Client ID references behave differently in Version 10 than in Version 5. In Version 10 the gateway considers only the locations (query or header) that the security definition permits, rejects a permitted location that carries more than one client_id, and reports a valid client_id in both permitted locations as a conflict. Refer to the following table to understand the differences in Client ID behavior for each use case.
Note: Although a client_id in the request body is supported, this data is not used during security requirement processing.
Table 1. Client ID behavior in V5 and V10

Use case 1
  Security requirement: client_id allowed in the query.
  Request: multiple client_ids in the query.
  V5 behavior: Uses the first client ID in the request.
  V10 behavior: 401 invalid client ID or secret.

Use case 2
  Security requirement: client_id allowed in the header.
  Request: multiple client_ids in the header.
  V5 behavior: 401 invalid client ID or secret.
  V10 behavior: 401 invalid client ID or secret.

Use case 3
  Security requirement: client_id allowed in the header.
  Request: one client_id in the query and one client_id in the header.
  V5 behavior: 401 client ID in wrong location.
  V10 behavior: Client ID in the query is ignored.

Use case 4
  Security requirement: client_id allowed in the query.
  Request: client_ids in both the query and the header.
  V5 behavior: Client ID in the header is ignored.
  V10 behavior: Client ID in the header is ignored.

Use case 5
  Security requirement: client_id allowed in the query or the header.
  Request: multiple client_ids in the query and multiple client_ids in the header.
  V5 behavior: Header: 401 client ID in wrong location. Query: uses the first client ID in the request.
  V10 behavior: 401 invalid client ID or secret.

Use case 6
  Security requirement: client_id allowed in the header.
  Request: a valid client_id in the query and an invalid client_id in the header.
  V5 behavior: 401 client ID in wrong location.
  V10 behavior: 401 invalid client ID or secret.

Use case 7
  Security requirement: client_id allowed in the query.
  Request: a valid client_id in the header and an invalid client_id in the query.
  V5 behavior: 401 invalid client ID or secret.
  V10 behavior: 401 invalid client ID or secret.

Use case 8
  Security requirement: client_id allowed in the query or the header.
  Request: a valid client_id in the query and a valid client_id in the header.
  V5 behavior: 200 OK.
  V10 behavior: 403 multiple client IDs.

Use case 9
  Security requirement: client_id allowed in the query or the header.
  Request: an invalid client_id in the query and an invalid client_id in the header.
  V5 behavior: 401 client ID in wrong location.
  V10 behavior: 401 invalid client ID or secret.

Use case 10
  Security requirement: client_id allowed in the query or the header.
  Request: a client_id in both the query and the header; the one in the query is valid.
  V5 behavior: 200 OK.
  V10 behavior: Uses the valid one. 200 OK.

Use case 11
  Security requirement: client_id allowed in the query or the header.
  Request: a client_id in both the query and the header; the one in the header is valid.
  V5 behavior: 401 client ID in wrong location.
  V10 behavior: Uses the valid one. 200 OK.

Use case 12
  Security requirement: client_id allowed in the query or the header; no security requirement is attached to the operation, but client security is defined in the assembly.
  Request: no client_id in the query or the header.
  V5 behavior: 401 invalid client ID or secret.
  V10 behavior:
    • When the Return V5 Responses compatibility option is off: 401 client ID is missing.
    • When the Return V5 Responses compatibility option is on: 401 invalid client ID or secret.
For information about setting compatibility options, see Configuring v5 compatibility options.
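The following Python model is an added illustration of the V10 column of Table 1; it is not IBM's gateway code and it does not talk to a gateway. It applies the V10 rules the table shows (ignore locations the security definition does not permit, reject a permitted location that carries several client_ids, report 403 when both permitted locations hold a valid client_id, and distinguish the "missing" case by the Return V5 Responses option) so that a migration test suite can compute the expected status for a request before sending it. The set of valid client IDs is constructed for the example, and the model assumes that a permitted location with several values is rejected even when the other permitted location holds exactly one, a combination the table does not cover.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed for this example; not real credentials.
VALID_CLIENT_IDS = {"good-id"}


@dataclass
class Request:
    """client_id values carried by an incoming request, grouped by location."""
    query: List[str] = field(default_factory=list)
    header: List[str] = field(default_factory=list)
    body: Optional[str] = None  # accepted by the gateway but never used for the check


def resolve_v10(allowed: Set[str], req: Request, valid_ids: Set[str],
                return_v5_responses: bool = False) -> Tuple[int, str]:
    """Model the V10 outcome as (HTTP status, reason).

    `allowed` is the set of locations the API key security definition
    permits: {"query"}, {"header"} or {"query", "header"}. Locations that
    are not permitted are ignored entirely, which is why use cases 3, 4,
    6 and 7 in Table 1 come out as they do. `return_v5_responses` mirrors
    the Return V5 Responses compatibility option for use case 12.
    """
    present = {loc: getattr(req, loc) for loc in allowed}

    # Use case 12: no client_id in any permitted location.
    if not any(present.values()):
        if return_v5_responses:
            return 401, "invalid client ID or secret"
        return 401, "client ID is missing"

    # Use cases 1, 2 and 5: several client_ids in one permitted location.
    # Assumption: applied even if the other permitted location holds one value.
    if any(len(ids) > 1 for ids in present.values()):
        return 401, "invalid client ID or secret"

    valid_locations = [loc for loc, ids in present.items()
                       if ids and ids[0] in valid_ids]
    if len(valid_locations) > 1:
        return 403, "multiple client IDs"          # use case 8
    if len(valid_locations) == 1:
        return 200, "OK"                            # use cases 10 and 11
    return 401, "invalid client ID or secret"      # use cases 6, 7 and 9


if __name__ == "__main__":
    # Walk the request shapes from Table 1 and print the modelled V10 result.
    both = {"query", "header"}
    cases = [
        ("1", {"query"}, Request(query=["good-id", "good-id"])),
        ("2", {"header"}, Request(header=["good-id", "good-id"])),
        ("3", {"header"}, Request(query=["bad"], header=["good-id"])),
        ("5", both, Request(query=["a", "b"], header=["c", "d"])),
        ("6", {"header"}, Request(query=["good-id"], header=["bad"])),
        ("8", both, Request(query=["good-id"], header=["good-id"])),
        ("9", both, Request(query=["bad"], header=["bad"])),
        ("11", both, Request(query=["bad"], header=["good-id"])),
        ("12", both, Request()),
    ]
    for label, allowed, req in cases:
        print(f"use case {label}: {resolve_v10(allowed, req, VALID_CLIENT_IDS)}")
```

A client_id in the body is modelled as a field that the check never reads, matching the note above the table. Use cases 3 and 4 have no fixed status in the table (only "the other location is ignored"), so for those the model's result is whatever the single permitted location yields on its own.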