API Security: Authentication and Authorization

A common API Management use case is that an API should not be accessible to everyone, but only to authorized users. To secure your REST APIs, we recommend using the Keycloak OAuth policy for user authentication. If additional user authorization (with roles) is required, we recommend extending your setup with the Authorization policy.

Important Information

All authorization headers are validated when a request is received. By default, this validation occurs against the JSON Web Key Set (JWKS) of our built-in Identity Management (Keycloak). If you send requests from an external application with tokens not issued by Scheer PAS, this validation will fail. In such cases, please contact our support team to adjust your system configuration (JWT issuer settings).
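
The following pre-check is an added example, not part of Scheer PAS or its documentation: it inspects a token's unverified header and claims to tell whether it would fail the issuer/JWKS validation described above. It does not verify the signature, and the issuer URLs, key IDs and function names are assumptions made for illustration.

```python
import base64, json, time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def precheck_token(token, expected_issuer, jwks, now=None):
    """Return reasons the token would fail issuer/JWKS validation (empty = none found).
    Hypothetical helper: reads unverified data only, no signature check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 dot-separated segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not valid base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    reasons = []
    if claims.get("iss") != expected_issuer:
        reasons.append(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        reasons.append(f"kid {header.get('kid')!r} is not in the JWKS")
    if str(header.get("alg", "none")).lower() == "none":
        reasons.append("unsigned token (alg=none)")
    if "exp" in claims and claims["exp"] <= now:
        reasons.append("token is expired")
    return reasons

# Constructed sample data: issuer URLs, key IDs and the signature segment are placeholders.
EXPECTED_ISSUER = "https://pas.example.test/auth/realms/PAS"
JWKS = {"keys": [{"kid": "pas-key-1", "kty": "RSA", "alg": "RS256"}]}

def make_sample(iss, kid, exp=4102444800):
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return ".".join([_b64url_encode(header), _b64url_encode({"iss": iss, "exp": exp}), "c2ln"])

INTERNAL = make_sample(EXPECTED_ISSUER, "pas-key-1")
EXTERNAL = make_sample("https://idp.example.test/realms/other", "ext-key-9")

if __name__ == "__main__":
    print(precheck_token(INTERNAL, EXPECTED_ISSUER, JWKS))
    print(precheck_token(EXTERNAL, EXPECTED_ISSUER, JWKS))
```

An empty result only means the issuer, key ID and expiry look consistent; the gateway still decides by verifying the signature against the JWKS.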
