Field | Description |
IP address range | Provide the IP address range or range of trusted IPv4 or IPv6 addresses that identify requests from a particular application. You can add more range options by clicking +Add and adding the required information. |
Partner identifier | Specifies the third-party partner's identity. The specified partner can access the APIs if business-to-business communication between trading partners is enabled and where partners can invoke the exposed APIs to exchange information. For example, if you have enabled business-to-business communication between trading partners using APIs, partners can invoke the exposed APIs to exchange information. These APIs are available by associating Trading Networks with API Gateway. A partner can access the APIs that appear in the Partner Profiles and associated Partner Groups page. Once APIs are added as part of Partner, respective application is created in API Gateway with name partnerName Application and appropriate Partner ID. For more details on information on enabling business-to-business communication between trading partners and required configuration, see webMethods Trading Networks Administrator’s Guide Note: No identification or enforcement of application happens in API Gateway using this identifier. |
Client certificates | Click Browse and select the client certificate or certificate chain to be uploaded. The client certificate specifies the X.509 certificates that requests from a particular application. Note: API Gateway supports .cer and .pem certificates for identifying consumer applications. You can add multiple certificates by clicking +Add |
Claims | Provide a set of claims for the JWT and OpenID clients. A claim is a unique identifying information that identify requests from a particular consumer application. The claim set is identified by a unique Name and is defined as a name-value pair that consists of a Claim name and a Claim value. You can add more claims and claims sets by clicking +Add and adding the required information. |
Header key | Specify the HTTP header key to identify the requests from an application. |
Header value | Specify the HTTP header value to identify the requests from an application. You can add multiple header key and value by clicking +Add |
Other identifiers | Select one of the options to identify requests from a particular application and provide the required value: Hostname. The host name to identify requests from an application. Payload identifier. The payload identifier to identify requests from an application. Team. The team to identify requests from an application. A team can contain one or more groups or LDAP groups. The application can be identified against a user belonging to any of these groups by the specified team. Token. The token to identify requests from an application. Username. The username credential to identify requests from an application. WS-Security username. The WSS username to identify requests from an application. |
Field | Description |
Name | Provide the name for the strategy. |
Description | Provide a description to describe the strategy. |
Authentication server | Specify the authentication server. The available values are local, which is the default server or any other configured external authorization server. |
Generate Credentials | Enable the toggle button to generate the client dynamically in the authorization server and provide the following information: Type. Select one of the client types: Confidential. A confidential client is an application that is capable of keeping a client password confidential to the world. This client password is assigned to the client app by the authorization server. This password is used to identify the client to the authorization server, to avoid fraud. An example of a confidential client could be a web app, where no one but the administrator can get access to the server, and see the client password. Public. A public client is an application that is not capable of keeping a client password confidential. For instance, a mobile phone application or a desktop application that has the client password embedded inside it. Such an application could get cracked, and this could reveal the password. The same is true for a JavaScript application running in the users browser. The user could use a JavaScript debugger to look into the application, and see the client password. Application type. Specify the application type. WEB. A web application is an application running on a web server. In reality, a web application typically consists of both a browser part and a server part. The client password could be stored on the server. The password would thus be confidential. USER_AGENT. A user agent application is for instance a JavaScript application running in a browser. The browser is the user agent. A user agent application may be stored on a web server, but the application is only running in the user agent once downloaded. NATIVE. A native application is for instance a desktop application or a mobile phone application. Native applications are typically installed on the users computer or device (phone, tablet etc.). Thus, the client password will be stored on the users computer or device too. Token lifetime. Specify the token lifetime in seconds for which the token is active Token refresh limit. Specify the number of times you can use the refresh token to get a new access token. Redirect URIs. Specify the URIs that the authorization server can use to redirect the resource owner's browser during the grant process. You can add multiple URIs by clicking +Add. Grant type. Specify the grant type to be used to generate the credentials. Available options can be authorization_code, password, client_credentials, refresh_token, and implicit, which are dynamically populated from the authorization server. For example, if the authorization server does not support client credentials, the option is not available in the options list. Scopes. Select the scopes that are to mapped for the authentication strategy. Note: in API Gateway 10.2, the scopes are automatically created when you associate an API to an application. From API Gateway 10.3 onwards you have to select scopes from the authorization server that have to be associated with the strategy. |
Client id | Specify the Client identifier for a client application available in the authorization server that identifies the client application in the authorization server to map the client to the API Gateway application. This is required if you have a client application available in the authorization server and do not want to dynamically create a client. |
Field | Description |
Name | Provide the name for the strategy. |
Description | Provide a description to describe the strategy. |
Authentication server | Specify the authentication server. The possible values are local, which is the default server or any other configured external authorization server. |
HMAC algorithm | Select if the authorization server is returning a JWT with HMAC algorithm and provide the shared secret value to validate the JWT. |
Field | Description |
Name | Provide the name for the strategy. |
Description | Provide a description to describe the strategy. |
Authentication server | Specify the authentication server. The available values are local, which is the default server or any other configured external authorization server. |
Generate Credentials | Enable the toggle button to generate the credentials required to identify the client application and provide the following information: Type. Select the client type, Public or Confidential Confidential. A confidential client is an application that is capable of keeping a client password confidential to the world. This client password is assigned to the client app by the authorization server. This password is used to identify the client to the authorization server, to avoid fraud. An example of a confidential client could be a web app, where no one but the administrator can get access to the server, and see the client password. Public. A public client is an application that is not capable of keeping a client password confidential. For instance, a mobile phone application or a desktop application that has the client password embedded inside it. Such an application could get cracked, and this could reveal the password. The same is true for a JavaScript application running in the users browser. The user could use a JavaScript debugger to look into the application, and see the client password. Application type. Specify the application type. WEB. A web application is an application running on a web server. In reality, a web application typically consists of both a browser part and a server part. The client password could be stored on the server. The password would thus be confidential. USER_AGENT. A user agent application is for instance a JavaScript application running in a browser. The browser is the user agent. A user agent application may be stored on a web server, but the application is only running in the user agent once downloaded. NATIVE. A native application is for instance a desktop application or a mobile phone application. Native applications are typically installed on the users computer or device (phone, tablet etc.). Thus, the client password will be stored on the users computer or device too. Token lifetime. Specify the token lifetime in seconds for which the token is active Token refresh limit. Specify the time in seconds for which the token refresh is applicable Redirect URIs. Specify the URIs that the authorization server can use to redirect the resource owner's browser during the grant process. You can add multiple URIs by clicking +Add. Grant type. Specify the grant type to be used to generate the credentials. Available options are Authorization code, Implicit, Resource owner, Client credentials. Scopes. Select the scopes that are to be associated to the generated client. Note: in API Gateway 10.2, the scopes are automatically created when you associate an API to an application. From API Gateway 10.3 onwards you have to select scopes from the authorization server that have to be associated with the strategy. |
Client id | Specify the Client identifier that identifies the client application in the authorization server to map the client to the API Gateway application. This is required if you do not choose to generate credentials to identify the client application. |