Defining OAuth2 security scheme components

An OAuth2 security scheme component defines the settings for controlling access to the API operations through the OAuth authorization standard.

Before you begin

Before you can create an OAuth2 security scheme component, you must:

Create an OAuth provider.
- To use Cloud Manager, see Configuring a native OAuth provider or Configuring a third-party OAuth provider.
- To use API Manager, see Configuring a native OAuth provider or Configuring a third-party OAuth provider.
Add the OAuth provider to a catalog. If you have not created any catalogs, use the Sandbox Catalog. See the OAuth instructions step in Creating and configuring Catalogs.

About this task

Note:

This task relates to configuring an OpenAPI 3.0 API definition. For details on how to configure an OpenAPI 2.0 API definition, see Editing an OpenAPI 2.0 API definition.
OpenAPI 3.0 APIs are supported only with the DataPower® API Gateway, not with the DataPower Gateway (v5 compatible).
For details of current OpenAPI 3.0 support limitations, see OpenAPI 3.0 support in IBM® API Connect.

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

To make use of an OAuth2 security scheme component, you must reference it from elsewhere in your API definition. For more information, see Enforcing security requirements on an API and Enforcing security requirements on an operation.

At any time, you can switch directly to the underlying OpenAPI YAML source by clicking the Source icon OpenAPI Source icon . To return to the design form, click the Form icon Form icon .

Procedure

Open the API for editing, as described in Editing an OpenAPI 3.0 API definition.
Expand Components then, if there are already one or more security scheme components defined, expand Security Schemes.
To create an OAuth2 security scheme component, click the add icon alongside Security Schemes. To edit an existing OAuth2 security scheme component, click the component name in the navigation pane.
If you are creating a new OAuth2 security scheme component, you can either create it from scratch or you can reference another OAuth2 security scheme component.
To create an OAuth2 security scheme component from scratch, provide the following information on the Definition tab:
- Security Scheme Name: A key that enables this OAuth2 security scheme component to be referenced from elsewhere in the API definition; the reference has the following format:
```
#/components/securitySchemes/Security_Scheme_Name
```
- Security Definition Type: Select oauth2.
- Flow: Select one or more of the following options:
  - Implicit
  - Resource Owner - Password
  - Application
  - Access Code
  Note: The flow options that are available for selection depend on which options are supported by the selected OAuth provider.
  If you selected Resource owner - JWT as the supported grant type when you created the OAuth provider, you must select Resource owner - Password as the Flow for this security scheme.
- OAuth Provider: The name of the OAuth provider to be used. This is the value of the name field that was auto-generated when the OAuth provider was created.
- Description: An optional description of the OAuth2 security scheme. You can use CommonMark syntax for rich text representation.
- Optionally select your OIDC provider from the list to add the provider's URL to the OpenId Connect URL field on the Resources > OAuth Providers > OpenID Connect page, which enables a client to send a request for information about the provider's publicly visible configuration.
To reference another OAuth2 security scheme component, provide the following information on the Reference tab:
- Security Scheme Name: A key that enables this OAuth2 security scheme component to be referenced from elsewhere in the API definition; the reference has the following format:
```
#/components/securitySchemes/Security_Scheme_Name
```
- Reference from: Select a reference to another OAuth2 security scheme component.
If you are editing an existing OAuth2 security scheme component, provide the following information:
- The URL endpoints (the applicable endpoints depend on the flow type):
  - Authorization URL
  - Refresh URL
  - Token URL
  Note: The URL endpoint values supplied here are maintained only for informative purposes, no validation or other action is applied to them by API Connect. The OAuth security that is applied depends on the specified OAuth provider.
- Scopes:
  - To add a new scope, click Add. To edit an existing scope, click the options icon alongside the required scope, then click Edit.
  - Provide the following information:
    - Scope: The scope identifier.
    - Description: An optional description of the scope. You can use CommonMark syntax for rich text representation.
If you are creating a new OAuth2 security scheme component, click Create.
The security scheme component details are displayed for further editing.
Click Save when done.

What to do next

Apply the security scheme to an API or operation. For more information, see Enforcing security requirements on an API and Enforcing security requirements on an operation.