APIM Team,

In API Manager it seems like if we check the option to secure APIs using
Mutual TLS security AND OAuth2 security for APIs, API Manager checks if
either of the mechanisms is in place. There is no way to enforce both on
an API. There are a good number of customers who want to enforce both at the
same time for APIs, for additional security. Naturally, Mutual TLS is more
secure than OAuth2 tokens; however, for throttling and analytics to work we
need to enforce OAuth2 as well. Otherwise customers could bypass throttling
and analytics.

I would have thought ticking both checkboxes means both have to be
enforced. Isn't that a more reasonable behavior? Can we support both 'AND'
and 'OR'?

Thanks & Regards,
Johann.

-- 
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

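The 'OR' versus 'AND' behaviour discussed in the message, as an added example that is not part of the original post and not WSO2 API Manager's own code: a toy gateway policy evaluator in Python. The trusted certificate fingerprints, the access-token table, the application IDs, the `authenticate` / `simulate` functions and the `Throttler` class are all constructed assumptions for illustration. It shows the security-relevant consequence the message points at: under 'OR', a caller presenting only a valid client certificate is authenticated but cannot be attributed to an application, so per-application throttling has nothing to key on and every such call passes uncounted; under 'AND', the same caller is rejected until it also presents a token.

```python
"""Toy gateway policy evaluator (added example, not WSO2 API Manager code).

Demonstrates combining mutual TLS and OAuth2 with 'OR' vs 'AND' semantics
and why 'OR' lets a certificate-only caller bypass per-application throttling.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (hypothetical): certificate fingerprints the
# gateway trusts, and issued OAuth2 access tokens mapped to the
# application (subscription) they were issued to.
TRUSTED_CERT_FINGERPRINTS: Dict[str, str] = {
    "sha256:ab12cd34": "partner-cert-1",
}
ACCESS_TOKENS: Dict[str, str] = {
    "tok-app-A": "app-A",
    "tok-app-B": "app-B",
}


@dataclass
class Request:
    client_cert_fingerprint: Optional[str] = None  # None => no client cert presented
    bearer_token: Optional[str] = None             # None => no Authorization header


@dataclass
class Decision:
    allowed: bool
    reason: str
    application: Optional[str]  # None => call cannot be attributed to an application


def verify_mtls(req: Request) -> bool:
    """True if the presented certificate fingerprint is on the trust list.

    A real gateway validates the chain at the TLS layer; the fingerprint
    lookup here stands in for that step. Constant-time compare is used so
    the check does not leak which prefix matched.
    """
    fp = req.client_cert_fingerprint
    if fp is None:
        return False
    return any(hmac.compare_digest(fp, trusted) for trusted in TRUSTED_CERT_FINGERPRINTS)


def verify_oauth2(req: Request) -> Optional[str]:
    """Return the application the bearer token was issued to, or None."""
    tok = req.bearer_token
    if tok is None:
        return None
    for known, app in ACCESS_TOKENS.items():
        if hmac.compare_digest(tok, known):
            return app
    return None


def authenticate(req: Request, mode: str = "OR") -> Decision:
    """Combine the two mechanisms. 'OR' accepts either; 'AND' requires both."""
    mtls_ok = verify_mtls(req)
    app = verify_oauth2(req)
    oauth_ok = app is not None
    if mode == "AND":
        if mtls_ok and oauth_ok:
            return Decision(True, "mtls+oauth2", app)
        return Decision(False, "both mutual TLS and OAuth2 are required", None)
    if mode == "OR":
        if oauth_ok:
            return Decision(True, "oauth2", app)
        if mtls_ok:
            # Authenticated, but with no token there is no application to
            # attribute the call to, so throttling/analytics cannot see it.
            return Decision(True, "mtls only", None)
        return Decision(False, "no valid credential", None)
    raise ValueError(f"unknown mode {mode!r}")


class Throttler:
    """Per-application fixed quota (hypothetical; real policies are richer)."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: Dict[str, int] = {}

    def admit(self, decision: Decision) -> bool:
        if not decision.allowed:
            return False
        if decision.application is None:
            # Nothing to key the quota on: the call passes through uncounted.
            return True
        n = self.counts.get(decision.application, 0) + 1
        self.counts[decision.application] = n
        return n <= self.limit


def simulate(mode: str, requests: List[Request], limit: int = 2) -> int:
    """Run requests through authentication + throttling; return how many were admitted."""
    throttler = Throttler(limit)
    return sum(1 for r in requests if throttler.admit(authenticate(r, mode)))


if __name__ == "__main__":
    cert_only = [Request(client_cert_fingerprint="sha256:ab12cd34")] * 5
    print("OR,  cert only :", simulate("OR", cert_only))   # all 5 admitted, unthrottled
    print("AND, cert only :", simulate("AND", cert_only))  # 0 admitted until a token is added
```

With a quota of 2, five certificate-only calls are all admitted under 'OR' because none of them is attributed to an application, while five token-bearing calls (with or without a certificate) are capped at 2. Under 'AND' the certificate-only calls are rejected outright, which is the behaviour the message asks for.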