We have created an OAuth API which generates the OAuth tokens with the steps below:
- Created the API definition and security policy as defined here
- Created an OAuth client by giving client_id, policy_id and redirect_uri.
- Triggered the call to generate a token successfully.
- Used that token to call another API successfully. This API and the token API are added to the same security policy.
We want to have only one API which generates the OAuth tokens, and with this token the consumer should be able to call multiple APIs.
For this to work we need to add all the APIs to the same security policy. When an OAuth client is created, it will have access to all the APIs present in that security policy.
How can we restrict a consumer to calling only a few APIs and not all of them?
For example, while creating a key we can specify the api_ids as an array, and using that key the consumer will have access to only those APIs.
How can we achieve the same if the consumer is using OAuth tokens, without creating multiple OAuth /token endpoints?