We have a requirement, where organization wants to use only #oauth2.0 feature of APIGW as standalone product i.e. APIs are not going to be exposed through Gateway but some other server; however it needs to be secured with oAuth component (#otk 3.2 add-on), which is installed in our gateway. Is it possible?
My understanding is that oAuth add on with API GW can be used only to secure the APIs, which are being exposed through Gateway because its assertion will be used in API policy. Please let me know if otherwise.
As per my understanding, OTK is actually an implementation of Oauth on gateway.
ie. They are gateway policies. They are working as oauth server, they can be used to protect APIs, no matter the API is on gateway or on a remote server.
To use it to protect a resource, the resource needs to register as oauth client on /oauth/manager. And your client needs to be able to access the oauth server(ie. the gateway server) to retrieve oauth token. The service provider may also need to access the oauth server to validate the token.
The OTK provide oauth endpoints needed for a complete oauth flow. APIs - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation
Thanks for the response. Can you please explain the steps to achieve this. Usually we use "OTK Requires oAuth2.0 Token" assertion when want to force oAuth authorization to API. How it will be possible if API policies are not on Gateway itself?
If you use gateway assertions, then of cause you need to do it on gateway. And that's the advantage of gateway, as so many things have done for you by assertions.
If you don't do it on gateway, then you do it yourself on your server -- extra code on your server to force oauth authorization. Just need to follow the oauth specifications, such as, RFC 6749 - The OAuth 2.0 Authorization Framework .