Adding Authentication and Authorization to API Deployments
You can control access to APIs you deploy to API gateways based on the API client sending a request, and define what that client is allowed to do. For the APIs you deploy, you'll typically provide:
- Authentication functionality to determine an API client's identity. Is the API client really who they claim to be?
- Authorization functionality to determine appropriate access for an API client, and grant the necessary permissions. What is the API client allowed to do?
You can add authentication and authorization functionality to API gateways to support:
- HTTP Basic Authentication
- API Key Authentication
- OAuth Authentication and Authorization
- Oracle Identity Cloud Service (IDCS) Authentication
You can add authentication and authorization functionality to an API gateway as follows:
- You can have the API gateway pass a multi-argument or single-argument access token included in a request to an authorizer function deployed on OCI Functions to perform validation (see Using Authorizer Functions to Add Authentication and Authorization to API Deployments).
- You can have the API gateway itself validate a JSON Web Token (JWT) included in the request with an identity provider (see Using JSON Web Tokens (JWTs) to Add Authentication and Authorization to API Deployments).
For convenience, these different types of authentication and authorization functionality are referred to as 'authentication servers'. You can set up multiple authentication servers for the same API deployment. The authentication servers you set up can be of the same type or of different types. Setting up multiple authentication servers for the same API deployment enables a request to be dynamically routed to the correct authentication server based on an element in the request. For more information, see Adding Multiple Authentication Servers to the same API Deployment.