API GATEWAY - AUTHORIZATION

Request Routing

# Flow Description
1. API Endpoint Identification: the API Gateway will identify which API and endpoint match the request.
   A 404 (Not Found) will be returned if no endpoint can be identified.
2. Subscriptions: for Application- or User-restricted endpoints, the API Gateway will validate that the application is subscribed to the API.
3. Authorization: for an Application-restricted endpoint, the API Gateway will validate that the server token is valid.
   For a User-restricted endpoint, the API Gateway will validate that the token is valid and that it contains the scope required by the endpoint.
4. Rate Throttling: the API Gateway will validate that the application has not yet reached its threshold for the number of authorized calls.
   A 429 (Too Many Requests) will be returned if it has.
5. Proxy: if all the validations above succeed, the request will be proxied to its end service.
   When the token used in the header is a Sandbox token, the request goes to the Sandbox endpoint; otherwise it goes to the live endpoint.

Authorization Type

| Type | Description |
| --- | --- |
| User | Endpoints secured by User authorisation require an OAuth 2.0 user token. These endpoints are user-centric: they return some user data and need the approval of the user. The endpoint is mapped to a scope to which the user must grant the application access. The token is created using the authorization_code grant type from RFC 6749. When the user is prompted to give an application access to act on their behalf, the list of scopes is rendered on the grant page. |
| Application | Endpoints secured by Application authorisation require a server token. When an endpoint does not return any user data but requires resources to compute the response, protect it with an Application restriction. The endpoint will benefit from the throttling of the API Gateway. A server token is associated with an application and is given to the developer when the application is registered. |
| None | These endpoints do not need any authentication. No Authorization header is required in the API request. |
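The following is an added example, not the gateway's own code: it models the five-step flow above against the three authorization types, with constructed endpoint, token and subscription tables. The 404 and 429 codes come from the page; the 401/403 codes for token, subscription and scope failures, the `Bearer` header format and the per-application threshold are assumptions.

```python
# Constructed sample data (not from the page): endpoint table keyed by (method, path).
ENDPOINTS = {
    ("GET", "/hello/world"): {"api": "hello", "auth": "NONE"},
    ("GET", "/hello/application"): {"api": "hello", "auth": "APPLICATION"},
    ("GET", "/hello/user"): {"api": "hello", "auth": "USER", "scope": "hello"},
}
# Constructed tokens: "server" tokens belong to an application, "user" tokens carry scopes.
TOKENS = {
    "srv-abc": {"kind": "server", "app": "app-1", "sandbox": False},
    "srv-def": {"kind": "server", "app": "app-2", "sandbox": False},
    "usr-xyz": {"kind": "user", "app": "app-1", "scopes": {"hello"}, "sandbox": True},
    "usr-noscope": {"kind": "user", "app": "app-1", "scopes": {"other"}, "sandbox": False},
}
SUBSCRIPTIONS = {"app-1": {"hello"}}   # app-2 has no subscription
RATE_LIMIT = 3                          # assumed per-application call threshold
_calls = {}                             # in-memory call counter per application


def route(method, path, auth_header=None):
    """Run the five gateway checks in order; return (HTTP status, detail)."""
    # 1. Endpoint identification
    ep = ENDPOINTS.get((method, path))
    if ep is None:
        return 404, "no matching endpoint"
    if ep["auth"] == "NONE":
        return 200, "proxied to live endpoint"   # no header, subscription or token check
    # The token identifies the calling application, so it is parsed before step 2.
    raw = auth_header or ""
    token = TOKENS.get(raw[7:]) if raw.startswith("Bearer ") else None
    if token is None:
        return 401, "invalid token"
    # 2. Subscription: the application must be subscribed to the API
    if ep["api"] not in SUBSCRIPTIONS.get(token["app"], set()):
        return 403, "application not subscribed"
    # 3. Authorization: right token kind, plus the endpoint's scope for User endpoints
    if ep["auth"] == "APPLICATION" and token["kind"] != "server":
        return 401, "server token required"
    if ep["auth"] == "USER":
        if token["kind"] != "user":
            return 401, "user token required"
        if ep["scope"] not in token["scopes"]:
            return 403, "missing scope"
    # 4. Rate throttling per application
    _calls[token["app"]] = _calls.get(token["app"], 0) + 1
    if _calls[token["app"]] > RATE_LIMIT:
        return 429, "rate limit exceeded"
    # 5. Proxy: Sandbox tokens go to the Sandbox endpoint, others to live
    target = "sandbox" if token["sandbox"] else "live"
    return 200, f"proxied to {target} endpoint"
```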