Layer7 API Management

Expand all | Collapse all

Best practice Oauth with sandbox vs production

Jump to Best Answer
  • 1.  Best practice Oauth with sandbox vs production

    Posted 12-13-2017 09:45 AM

    Hi all,


    Does anyone of you have a best practice with protecting resources with Oauth2 on the gateway with OTK with a sandbox mode and a production mode. This is where the client application is allowed to use a sandbox url, but only after approvement allowed to use the production url (or with the same url, but different backend routing)?


    We don't want to achieve this with scopes. The client side should not have to change anything. The approvement process result in registration something (client registration in OTK db?) which we could test on in the proxy. Is there any other means you might know of which is pretty standard for this?


    It is a bit like this scenario: Sandbox Mode • Instagram Developer Documentation 


    (using OTK 3.1.2 at the moment)





  • 2.  Re: Best practice Oauth with sandbox vs production
    Best Answer

    Posted 12-18-2018 06:07 PM

    Hello Remco!


    In OTK, when registering a client, you can specify the 'Environment' which could say 'sandbox' or 'production'. On a gateway, you would look up that detail either before issuing an access_token (and remember the value as part of the session) or on protected APIs. Based on the value you can either accept or deny or re-route a request, whatever fits your use case.


    In addition, you could register a JSON message in the 'client custom field'. Based on that you would make decisions at runtime.


    In no case is there a need for changing the client.


    I hope this helps,


  • 3.  Re: Best practice Oauth with sandbox vs production

    Posted 12-19-2018 03:54 AM

    Thanks Sascha,


    This is a really simple solution!