Hi @mofarhan,
As you said, this can be easily achieved using OAuth scopes.
The other option I could think of is to create a scope for each resource.
Under each scope, use the Identify and Authorize policy.
Under the Authorize policy, we should use the API key and header name to authenticate the request.
In my use case, I created an application, and inside the application we have 2 headers, one for each resource.
And now when I am invoking the request, I am passing the header as well, apart from the API key.
And this should get validated.
I am attaching the sample API along with the application for your reference.
WorkflowAPI.zip (13.3 KB)
WorkFlowApplication.zip (12.7 KB)
Curl command used for testing the API:
curl --location --request POST 'http://replaceWithTenantName/gateway/WorkflowAPI/1.0/2mEU92D7mY' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-Gateway-APIKey: c31bc8ba-1299-4034-badf-1c118abaa786' \
--header 'CustomerResourceID: 11223344'
Let me know if this solves your use case problem.
Regards,
Vikash Sharma
#authorization#REST#apigateway#authentication#webMethods#API
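The two-step check the reply describes (identify the application by its API key, then authorize it for one resource by a second header) can be modelled outside the gateway to see which requests would pass and which would be rejected. The following is an added example, not code from the post or from webMethods API Gateway; the application names, API keys, scope-to-header mapping and header values are constructed here, and the real gateway's internal behaviour is not reproduced.

```python
"""Illustrative model of a per-resource scope check behind an API gateway.

Step 1 (identify): the x-Gateway-APIKey header maps the request to an application.
Step 2 (authorize): the scope for the requested path names a header; the calling
application must own that header and supply its registered value.

Added example; applications, keys, scopes and values are constructed (hypothetical).
"""
import hmac
from dataclasses import dataclass

API_KEY_HEADER = "x-gateway-apikey"  # header names are compared case-insensitively

# Scope definition: resource path -> header that proves entitlement (constructed).
SCOPES = {
    "/gateway/WorkflowAPI/1.0/customer": "CustomerResourceID",
    "/gateway/WorkflowAPI/1.0/order": "OrderResourceID",
}


@dataclass(frozen=True)
class Application:
    name: str
    api_key: str
    # header name -> expected value; one header per resource the application may use
    resource_headers: dict


# Constructed sample applications (keys are placeholders, not real credentials).
APPLICATIONS = (
    Application(
        "WorkFlowApplication",
        "00000000-0000-4000-8000-000000000001",
        {"CustomerResourceID": "11223344", "OrderResourceID": "55667788"},
    ),
    Application(
        "OrdersOnlyApp",
        "00000000-0000-4000-8000-000000000002",
        {"OrderResourceID": "99001122"},
    ),
)


def _normalize(headers):
    """Lower-case header names and strip surrounding whitespace from values."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def identify(headers):
    """Return the application whose API key matches, or None."""
    key = _normalize(headers).get(API_KEY_HEADER, "")
    for app in APPLICATIONS:
        # constant-time comparison so key guessing cannot use timing differences
        if hmac.compare_digest(app.api_key.encode(), key.encode()):
            return app
    return None


def authorize(app, path, headers):
    """Check that the identified application is entitled to this resource."""
    header_name = SCOPES.get(path)
    if header_name is None:
        return False, "no scope defined for resource"
    expected = app.resource_headers.get(header_name)
    if expected is None:
        return False, f"application {app.name} is not entitled to {header_name}"
    supplied = _normalize(headers).get(header_name.lower())
    if supplied is None:
        return False, f"missing {header_name} header"
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, f"{header_name} value does not match the application's registration"
    return True, "authorized"


def gateway_decision(path, headers):
    """Return (http_status, reason) for a request, mirroring a 401/403 split."""
    app = identify(headers)
    if app is None:
        return 401, "unidentified application"
    ok, reason = authorize(app, path, headers)
    return (200, f"{app.name}: {reason}") if ok else (403, f"{app.name}: {reason}")


if __name__ == "__main__":
    # Same shape as the curl request in the post, with constructed values.
    request = {
        "Content-Type": "application/json",
        "x-Gateway-APIKey": "00000000-0000-4000-8000-000000000001",
        "CustomerResourceID": "11223344",
    }
    print(gateway_decision("/gateway/WorkflowAPI/1.0/customer", request))
```

A request that carries a valid API key but the wrong resource header (or a header registered to a different application) is identified but not authorized, which is the distinction the reply relies on: the API key alone is not enough to reach a resource.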