Overview
An application defines the precise identifiers by which messages from a particular application are recognized at run time. The identifiers can be, for example, a user name in HTTP headers or a range of IP addresses, so that API Gateway can identify or authenticate the applications that request an API.
The ability of API Gateway to relate a message to a specific application enables it to:
Control access to an API at run time (that is, allow only authorized applications to invoke an API).
Monitor an API for violations of a Service-Level Agreement (SLA) for a specified application.
Indicate the application to which a logged transaction event belongs.
An application has the following attributes for specifying the identifiers:
IP address, which specifies one or more IP addresses that identify requests from a particular application. Example:
192.168.0.10
This attribute is queried when the Identify and Authorize Application policy is configured to identify applications using IP address.
Claims set, which specifies one or more claims that identify requests from a particular application. The claims are a set of name-value pairs that provide sufficient information about the application. Example:
sub = Administrator.
This attribute is queried when the Identify and Authorize Application policy is configured to identify applications using a JWT token or an OpenID token.
Client certificate, which specifies the X.509 certificates that identify requests from a particular application.
This attribute is queried when the Identify and Authorize Application policy is configured to identify the applications by a client certificate.
Identification token, which specifies the host names, user names or other distinguishing strings that identify requests from a particular application.
This attribute is queried when the Identify and Authorize Application policy action is configured to identify applications by host name, token, HTTP user name, and WSS user name.
You can configure various authentication strategies to authenticate incoming requests for the application. You can create multiple strategies, authorized by an API, for an application. These strategies let a single authentication scheme use multiple authentication mechanisms or multiple authorization servers. For example, with the OAuth authentication scheme, you may want the application to support both OKTA and PingFederate, or OKTA with multiple tenants; this is configured as an OAuth strategy for the application.
If you have the Manage Application functional privilege assigned, you can create and manage applications, and register applications with the APIs.
These are the high level stages of managing and using an application:
1. API developers request the API Gateway administrators to create an application for access as per the required identification criteria.
2. The API Gateway provider or administrator validates the request and creates a new application, thereby provisioning the application-specific access tokens (API access key and OAuth credentials).
3. The API developer, upon finding a suitable API, sends a request to API Gateway to consume it, providing the application details.
4. After validating the request, the API Gateway provider or administrator associates the application with the API. Keys are generated per application, not for every API that the application consumes.
Note: The approval process, if any, is handled by the requesting application and not handled by API Gateway.
5. The API developer can then use the application with the proper identifier (such as the access key or identifier) to access the API.
API key expiration date
An API Gateway application has an optional expiration date for its API key. When the API access key expires, the application cannot be identified. The API Gateway Administrator can configure the apiKeyExpirationPeriod parameter from the General > Extended settings page. If the expiration date is not specified, then the API key never expires.
Suspended Applications
You can suspend applications to temporarily disable the identification of their requests. If a suspended application is identified while a request is being processed, the request is rejected with an HTTP 403 (Forbidden) error. The response body has the following content:
Application has been identified but it is currently suspended. Please contact
the API Gateway administrator for further details.
You can resume a suspended application to enable identification again.
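To make the identification, expiration and suspension rules above concrete, here is an added example (not API Gateway's own code) that models an application's identifiers and evaluates a request against them; the data model, field names and sample applications are this example's own constructions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
# Constructed model of the identifiers above; field names are this example's assumptions.
@dataclass
class Application:
    name: str
    ip_ranges: list = field(default_factory=list)   # "192.168.0.10" or "10.0.0.0/8"
    claims: dict = field(default_factory=dict)      # e.g. {"sub": "Administrator"}
    tokens: set = field(default_factory=set)        # host names, user names, ...
    apis: set = field(default_factory=set)          # APIs the application is registered with
    api_key_expires: datetime = None                # None: the API key never expires
    suspended: bool = False

SUSPENDED_BODY = ("Application has been identified but it is currently suspended. "
                  "Please contact the API Gateway administrator for further details.")

def matches(app, req):
    """True if any configured identifier of the application matches the request."""
    ip = req.get("ip")
    if ip and any(ip_address(ip) in ip_network(r, strict=False) for r in app.ip_ranges):
        return True
    claims = req.get("claims") or {}
    claim_ok = bool(app.claims) and all(claims.get(k) == v for k, v in app.claims.items())
    return claim_ok or bool(app.tokens & set(req.get("tokens", ())))

def identify(apps, req, now):
    """First matching application; an expired API key makes it unidentifiable."""
    for app in apps:
        if app.api_key_expires and now >= app.api_key_expires:
            continue
        if matches(app, req):
            return app
    return None

def evaluate(apps, api, req, now):
    """Outcome for one request as a (result, http_status, body) tuple."""
    app = identify(apps, req, now)
    if app is None:
        return ("unidentified", None, None)
    if app.suspended:
        return ("suspended", 403, SUSPENDED_BODY)   # identified, but rejected
    return ("allowed" if api in app.apis else "unauthorized", None, None)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed clock for the checks
APPS = [   # constructed sample applications
    Application("billing", ip_ranges=["192.168.0.10"], apis={"orders"}),
    Application("admin-portal", claims={"sub": "Administrator"}, apis={"orders"}, suspended=True),
    Application("legacy", tokens={"legacy.example.com"}, api_key_expires=datetime(2024, 1, 1, tzinfo=timezone.utc)),
]
```

The "legacy" application shows the expiration rule: its host-name token still matches, but because its API key has expired the request is reported as unidentified rather than allowed.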