Layer7 API Management


OAuth2.0 API Gateway: user authentication methods

  • 1.  OAuth2.0 API Gateway: user authentication methods

    Posted 01-10-2017 10:28 AM

    Hi all,
    we are implementing OAuth2.0 with API Gateway. In our scenario API Gateway will act as

    • Authorization Server
    • Resource Server because it will expose protected API

    A 3rd party external application could invoke and consume protected API acting as OAuth2.0 Client.

    During authorization consent the Resource Owner (the user) must be authenticated by the Authorization Server. How the authentication process occurs is not in scope of the OAuth2.0 specification.
    By default API Gateway can authenticate Resource Owners with username and password; furthermore API Gateway can delegate the authentication to SiteMinder.

    In this case SiteMinder will validate the username and password provided by the Resource Owner against the user directory configured.

    Our question is: can the user be authenticated using other mechanisms (i.e. NTLM)? If yes, can anyone provide any hint (or samples) in order to properly configure API Gateway policies?

    Thanks in advance,

  • 2.  Re: OAuth2.0 API Gateway: user authentication methods
    Best Answer

    Posted 01-10-2017 11:34 AM

    Hi Daniele,

    Currently we support the below authentication mechanisms.

    Using the Custom Identity Provider you can configure NTLM, Step 5: NTLM Configuration

  • 3.  Re: OAuth2.0 API Gateway: user authentication methods

    Posted 01-11-2017 01:22 PM

    First of all, thanks for your reply.

    Reading the documentation you provided about NTLM, I understood that in this scenario the NTLM authentication would be performed by API Gateway.


    In case we would leverage SiteMinder also for OAuth 2.0 authentication process, is the following high-level approach feasible in your opinion?

    1. When needed, the OAuth Client redirects the user to authenticate. The user will be redirected to the "/auth/oauth/v2/authorize" endpoint, but it will be protected by SiteMinder.

    2. SiteMinder will authenticate the user and will generate SMSESSION cookie.

    3. The /auth/oauth/v2/authorize endpoint will leverage the SMSESSION cookie to consider the user authenticated.

    Does anyone have any suggestion about this?
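The three-step flow sketched above, as an added example that is not from the original thread or from the Layer7/CA product: a Python mock in which the authorize endpoint honours an SMSESSION cookie only after validating its signature and expiry, not merely its presence. The SiteMinderStub class, the HMAC-signed cookie format, the /siteminder/login path, the username and password are constructed stand-ins; a real SMSESSION is opaque to the application and is validated by the SiteMinder Web Agent.

```python
import hmac, hashlib, base64
from typing import Optional
from urllib.parse import urlencode

# Constructed stand-in for SiteMinder: mints and validates an SMSESSION cookie.
# Real SMSESSION cookies are opaque; the Web Agent validates them, not the app.
class SiteMinderStub:
    def __init__(self, key: bytes, ttl: int = 600):
        self.key, self.ttl = key, ttl

    def login(self, user: str, password: str, now: int) -> Optional[str]:
        if password != "correct-horse":            # constructed credential check
            return None
        body = f"{user}|{now + self.ttl}".encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        return base64.urlsafe_b64encode(body + b"|" + sig).decode()

    def validate(self, cookie: str, now: int) -> Optional[str]:
        try:
            user, exp, sig = base64.urlsafe_b64decode(cookie).split(b"|")
        except (ValueError, TypeError):
            return None
        want = hmac.new(self.key, user + b"|" + exp, hashlib.sha256).hexdigest().encode()
        # Constant-time signature compare plus expiry: presence alone is not enough.
        if not hmac.compare_digest(sig, want) or int(exp) <= now:
            return None
        return user.decode()

def authorize(sm: SiteMinderStub, cookies: dict, query: dict, now: int):
    """/auth/oauth/v2/authorize as fronted by the SiteMinder agent (steps 1 and 3)."""
    user = sm.validate(cookies.get("SMSESSION", ""), now)
    if user is None:                               # step 1: bounce to SiteMinder login
        target = "/auth/oauth/v2/authorize?" + urlencode(query)
        return 302, {"Location": "/siteminder/login?" + urlencode({"TARGET": target})}
    # step 3: a valid SMSESSION identifies the Resource Owner; proceed to consent
    return 200, {"resource_owner": user, "client_id": query["client_id"]}

def run_flow(now: int = 1484000000):
    sm = SiteMinderStub(b"constructed-agent-key")
    query = {"client_id": "partner-app", "response_type": "code",
             "redirect_uri": "https://client.example/cb"}
    unauth = authorize(sm, {}, query, now)                          # step 1
    cookie = sm.login("daniele", "correct-horse", now)              # step 2
    authed = authorize(sm, {"SMSESSION": cookie}, query, now)       # step 3
    stale = authorize(sm, {"SMSESSION": cookie}, query, now + 601)  # expired cookie
    return unauth, authed, stale
```

The expired and tampered cases both fall back to the step 1 redirect, which is the behaviour to verify in the gateway policy before trusting the cookie for consent.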