What is the best way to implement OAuth for mobile app using CA API Gateway without user interaction?Any documents or input needed?
The best solution would be our CA Mobile API Gateway (MAG), which I assume you do not have as you haven't mentioned it. The MAG would drastically reduce the complexity by providing SDKs with easy to use methods.
Assuming that by "user interaction" you meant things such as authentication, then I'd start looking at the OAuth client_credentials grant type here: OAuth Request Scenarios - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation
Of course that you would need a 3rd party library/framework to act as your OAuth client, plus you want to make sure the OAuth client information and tokens are secure on the mobile device.
Thanks for your answer.The real problem we are facing is Client is sending the payload as JWT with RS 256 signing algorithm and private key shared by us.So the mobile app generates JWT and sends it to CA Gateway where gateway needs to validate and provide the access token.But when we tried gateway is not at all accepting jwt signed by the other apps.It is only recognizing the JWT signed by itself.So what would be the best solution in this scenario.The main issue is we can't change anything from Mobile App side.
This can be done by implementing a custom grant type logic. the out of box OTK logic for urn:ietf:params:oauth:grant-type:jwt-bearer will always fail if the JWT is not a id_token generated by the gateway as the id_token validation fails to find the token in the token store.
To allow third party JWT to be used to issue new access tokens you would treat this as a custom grant type and add logic to validate the JWT. Even after the default JWT validation fails the policy continues verification against other grant types and it you configure your own custom grant_type it will try the custom grant type which you can configure to decode the JWT and validate the claims.
You can follow the process here Support Custom Grant Types - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation
The best thing to do is create your own extension grant type for this but if your custom grant type logic looks for the same urn:ietf:params:oauth:grant-type:jwt-bearer grant type the custom logic will be executed if the OOB does not work.
Were you able to resolve the issue? What was the final result?
Stephen HughesBroadcom Support