wso2-api-manager, loose-coupling, ibm-api-management

Should Api Managers deal with backend authentication in place of the subscriber?


We currently use WSO2 API Manager to reach some backends. The thing is, the consumer must:

  1. First authenticate to the API Manager (OAuth)
  2. Then authenticate to the backend API (whatever security is in place, as the options the API Manager provides to handle it itself are quite poor)
  3. Make the call

I find it heavy:

  • Many calls just to do one real call.
  • Lose the "loose coupling" advantage API Managers should provide

Do you think we are doing right? Shouldn't API Managers deal with backend authentication?

Thanks in advance for your help!


Solution

This depends on how you want to do this. It is not mandatory to have OAuth2 protection and backend authentication. This can be done in the following ways.

  1. If you want only to allow backend authentication

     Then you can set the Authentication type to None. Then OAuth2 won't apply. - https://wso2.com/blogs/cloud/oauth-and-authentication-type-application-vs-application-user/

  2. You can allow OAuth2 only

     If your backend is insecure and needs a way to be exposed, this is the best option.

  3. If you need both authentications

     There can be some cases where your backend is used by some other parties and there is no option to remove backend authentication. Also, you need the OAuth2 protection for the API to make it secure at the API gateway level. Then this is the option.

Hope this is clear. WSO2 has these capabilities and you can choose any option.
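The gateway-mediated pattern the question argues for, placed beside the answer's "None" and "OAuth2 only" options, as an added example that is not part of the original thread and not WSO2's code; the token table, the backend credentials and the X-Subscriber header are constructed assumptions:

```python
import base64
import secrets

# Constructed sample data for the example: consumer OAuth2 tokens the gateway
# can validate, and backend credentials that only the gateway holds.
VALID_TOKENS = {"tok-alice-123": "alice"}
BACKEND_CREDS = {"orders-api": ("svc", "s3cret")}


class AuthError(Exception):
    """Raised when the consumer's gateway credential is missing or invalid."""


def validate_consumer_token(headers):
    """Check the consumer's bearer token and return the subscriber it belongs to."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError("missing bearer token")
    # Constant-time comparison so timing does not leak how much of a token matched.
    for known, subject in VALID_TOKENS.items():
        if secrets.compare_digest(known, token):
            return subject
    raise AuthError("invalid token")


def build_backend_request(headers, api_name, mode):
    """Return the headers the gateway forwards to the backend.

    mode "none":   gateway checks nothing, the consumer's own credential passes through
    mode "oauth2": gateway validates the token, the backend receives no credential
    mode "both":   gateway validates the token, then attaches the backend credential
                   it holds itself, so the consumer never authenticates twice
    """
    if mode == "none":
        return dict(headers)
    subject = validate_consumer_token(headers)
    # Never forward the consumer's gateway token to the backend.
    outbound = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    outbound["X-Subscriber"] = subject
    if mode == "both":
        user, password = BACKEND_CREDS[api_name]
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        outbound["Authorization"] = f"Basic {basic}"
    elif mode != "oauth2":
        raise ValueError(f"unknown mode {mode!r}")
    return outbound
```

In "both" mode the backend secret lives only in the gateway's store, which is the loose coupling the question is after: rotating the backend credential changes nothing for subscribers.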