An Introspection Tale involving IBM API Connect and an external Authorization Server

Figure 1: Typical OAuth2 Interaction — Client, Resource Server, and Authorization Server
  • Client does not send a client_id to the resource server during an API request
  • Access Token is an opaque/reference token (this is not uncommon even today, as some specifications, such as the Financial API (FAPI) Read-Only API Security Profile, state this requirement for an Auth Server: "The Authorization Server shall provide opaque non-guessable access tokens with a minimum of 128 bits … as per [RFC6749] section 10.10;")
  • IBM API Connect (hereinafter referred to as APIc) acts as the resource server
Figure 2: client_id not sent by the client makes the flow stop at the API Client identification step
  • The API Client sends the Access Token to APIc
  • APIc looks at the request to see where it should be routed (Step 1 in Figure 3)
  • Once APIc has determined where the request should be routed, it performs a CORS check (Step 2 in Figure 3)
  • APIc wants to perform client authentication and it attempts to look at the client_id in the X-IBM-Client-Id header (Step 3 in Figure 3)
Figure 3: IBM APIc v2018 — API request processing flow
Figure 4: Intercepting request processing flow to inject client_id
Figure 5: Option#3 Proxy API Layer
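
The following sketch is an added example, not code from the original article or from IBM. It shows one way a layer in front of APIc's client identification step could take the result of an RFC 7662 introspection call on the opaque token and set X-IBM-Client-Id from it. The function names, error codes and sample values are hypothetical, and the HTTP call to the authorization server is left to the caller.

```javascript
// Added example (not from the article): names and sample values are hypothetical.
const CLIENT_ID_HEADER = 'x-ibm-client-id';

// HTTP header names are case-insensitive; normalise before looking anything up.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Extract the opaque token from "Authorization: Bearer <token>" (RFC 6750 syntax).
function bearerToken(headers) {
  const value = lowerKeys(headers)['authorization'] || '';
  const m = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(value);
  return m ? m[1] : null;
}

// Form-encoded body for the RFC 7662 introspection request to the auth server.
function introspectionBody(token) {
  return new URLSearchParams({ token, token_type_hint: 'access_token' }).toString();
}

// Given the parsed introspection response, decide what to forward to APIc.
function resolveClientHeaders(headers, introspection, nowSeconds) {
  if (!bearerToken(headers)) return { status: 401, error: 'missing_bearer_token' };
  if (!introspection || introspection.active !== true) {
    return { status: 401, error: 'inactive_token' };
  }
  if (typeof introspection.exp === 'number' && introspection.exp <= nowSeconds) {
    return { status: 401, error: 'expired_token' };
  }
  const clientId = introspection.client_id; // optional member in RFC 7662
  if (typeof clientId !== 'string' || clientId === '') {
    return { status: 401, error: 'client_id_not_returned' };
  }
  // Overwrite any caller-supplied client id so only the value vouched for by
  // the authorization server reaches the client identification step.
  const forwarded = lowerKeys(headers);
  forwarded[CLIENT_ID_HEADER] = clientId;
  return { status: 200, headers: forwarded };
}
```

Because `client_id` is an optional member of the introspection response, the sketch rejects the request when the authorization server does not return it instead of forwarding a request APIc cannot identify.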


OAuth2 has progressed a lot from its initial days, when we needed hordes of security geeks to help implement a good, working solution. However, even in 2020, there are still a few things that surprise us now and then when we work with different combinations of Authorization and Resource Servers. Though the options presented in this article are not the only solutions, they represent the typical high-level patterns that form the basis of various solutions.



Manglu Balasubramanian

CDR/Open Banking Solution architect working with one of the large Australian banks. Skilled in general solution architecture and early adopter of technology