You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Out-of-box from the API Publisher you can directly authenticate with the backend using Basic authentication (username and password)
Do you know if there is another way to do this without using the API Publisher ?
well - the Publisher app is always involved
I want to call my backend services (my endpoints) that are secured with OAuth (ACCES-Token)
There are multiple ways how to authenticate with the backend, not all are so straightforward
- Basic authentication (this is what you don't want)
- JWT token - the API Manager is able to send a signed JWT token with the API calls to the backend and the backend service could authenticate and extract client details from the JWT token.
- Using the inbound mediation configuration you could manipulate the request payload and metadata
With the point 3 you should be able to send a custom OAuth/Authorization header. The question is - with what identity provider your service is authenticating/authorizing?
The problem is that there's no unified configuration how your service's client (API manager calling the backend) would fetch / cache / refresh / revoke the token which would work with all possible identity providers.
In theory you could implement the OAuth authentication with external IdP using the inbound mediations (sequences), but I strongly urge do not put anything complex as API mediation for sake of maintainability (been there, done that, screw it badly)
Maybe the simplest option would be having a permanent token you could pass in the HTTP headers, it sounds simple enough.