In modern cloud-native architectures, APIs are the backbone of integration, data exchange, and application extensibility. However, as APIs proliferate, the complexity of securing, routing, scaling, authenticating, and managing them increases dramatically. Oracle Cloud Infrastructure (OCI) API Gateway is designed to address these challenges by providing a centralized, secure, scalable, and extensible platform for API traffic management.
This blog combines lessons from real customer scenarios and expert Oracle architects to show how you can use API Gateway – together with custom authorizer functions, scopes, token caching, and legacy client support – to build robust API services that integrate with OIC.
Core Capabilities of OCI API Gateway
OCI API Gateway acts as a secure proxy for API consumers accessing backend services, whether those services are Oracle Integration Cloud (OIC), Compute, Load Balancers, Functions, Autonomous Database, SaaS endpoints, or third-party services. It provides:
- Secure entry point with TLS enforcement, authentication, and authorization
- Routing and path based backends for REST APIs
- Transformation policies to modify headers and bodies
- Rate limiting and security policies to protect backend systems
- Integration with OAuth2 / JWT / IAM tokens to enforce access control
This unified gateway enables a consistent API surface for consumers while encapsulating security and governance.
1. Secure Backend Calls Using Token Caching
Problem
When external applications call OIC APIs, they require an OCI IAM OAuth token. If they generate a new token for every request, it can add latency and increase OCI IAM token costs, especially in high-volume scenarios (such as retail or logistics). That can lead to:
- Excessive IAM calls
- Authentication latency
- Potential throttling from IAM servers
Solution
Use OCI API Gateway together with a custom Authorizer Function (OCI Functions) to handle authentication efficiently. The authorizer extracts credentials from incoming requests and first checks for a cached OCI IAM token. If a valid token is already available, it is reused; otherwise, the function makes a single call to OCI IAM to fetch a new token. The token is then stored in memory until it expires and is returned to the API Gateway, which uses it to securely invoke the backend services. This approach minimizes repeated IAM calls while maintaining strong security controls.
This drastically reduces IAM endpoint calls and improves performance while keeping security intact.
▶ Real-World Impact: Retail applications handling hundreds of requests per second benefit from lower auth latency and avoid unnecessary IAM load.
2. Fine-Grained Access Control with Custom Scopes
Authentication alone isn’t enough – authorization ensures that only the right users get access to specific APIs.
Challenge
Different teams (e.g., Finance vs HR) might need distinct access rights to the same OIC API endpoints.
Approach
- Define custom OAuth scopes for resource servers in OCI IAM
- Assign scopes like
oic_api_HR,oic_api_ITto team apps - Gateway authorizer function validates the incoming token’s scope
- API Gateway enforces that only clients with correct scopes can reach backend integrations
This pattern enables team-based or role-based access control, ensuring that only appropriately scoped tokens are allowed to invoke certain routes.
▶ If the scope doesn’t match the required API route, the gateway returns a “Not Found” or “Unauthorized” response.
3. Support Clients Without SCOPE
Not all clients can send OAuth scopes – especially legacy systems. While the OAuth standard considers scopes optional, OCI IAM requires them for token issuance with client credentials. This leads to errors like:
400 – invalid_scope
Required scope missing
Rather than altering clients, which can be costly or impossible, we can shift scope handling into infrastructure:
Solution Pattern
- Client sends simple
Authorization: Basic <client_id:client_secret> - API Gateway forwards to a custom authorizer function
- The function injects the required OIC scope internally
- It fetches a correct IAM token on behalf of clients
- The token is validated and used for secured API routing
This approach:
✔ Lets legacy clients continue unchanged
✔ Ensures secure IAM-based tokens are used
✔ Avoids forcing clients to understand or construct scopes
and introduces a token broker-like pattern at the gateway level.
4. Swap Enterprise IDP Token to obtain OCI Identity domain token for OIC
Most enterprises rarely rely on an enterprise Identity provider. Many use Microsoft Entra ID as their corporate identity platform and want to extend the same authentication and access controls to cloud integrations exposed through Oracle Integration Cloud.
API Gateway + OCI Functions can help in exchanging token, allowing enterprises to reuse existing corporate identities.
Approach
OCI API Gateway acts as the identity bridge between Microsoft Entra ID and OIC:
- Microsoft Entra ID issues OAuth2/JWT tokens after user authentication
- API Gateway:
– Validates Entra ID–issued JWT tokens
– Verifies issuer, audience - A custom authorizer function:
– Extracts Entra ID auth context (UPN, Token validity)
– Requests for an OCI IAM backend token using jwt-assertion grant type for the UPN - API Gateway does the header transformation and then invokes the actual backend endpoint, which is the Oracle Integration flow.
This pattern ensures OIC APIs are enterprise-ready, while identity governance remains with Microsoft Entra ID. Organizations with hybrid or multi-cloud environments can secure OIC APIs without modifying backend integrations and maintain consistent access controls across Azure and OCI
Conclusion
The synergy between OCI API Gateway, OCI Functions, and Oracle Integration Cloud empowers enterprises to expose API endpoints that are not just functional, but:
✔ Secure — centralized authentication & authorization
✔ Efficient — reduced backend overhead and latency
✔ Scalable — fit for modern, high-volume applications
✔ Flexible — support both modern and legacy clients
Whether you’re modernizing legacy systems, building secure B2B APIs, or managing multi-team access policies, the patterns covered here provide a proven roadmap for secure, performant API ecosystems on OCI.
Related Links
- Secure backend calls with token caching – https://www.ateam-oracle.com/optimizing-backend-calls-caching-oci-iam-tokens-in-api-gateway-custom-authorizer-functions
- Fine-Grained Access control with custom scopes – https://www.ateam-oracle.com/use-custom-scopes-to-restrict-access-to-oic-rest-endpoints-with-oci-iam-and-api-gateway
- Support Clients without SCOPE – https://www.ateam-oracle.com/securing-oic-apis-for-legacy-clients-using-oauth-without-scopes
- Swap Enterprise IDP token to obtain OCI Identity domain token for OIC – https://docs.oracle.com/en/learn/oracle-integration-msentraid/#introduction