Does any of you have a best practice for protecting resources with OAuth2 on the gateway with OTK, with a sandbox mode and a production mode? This is where the client application is allowed to use a sandbox URL, but only after approval is allowed to use the production URL (or the same URL, but with different backend routing).
We don't want to achieve this with scopes. The client side should not have to change anything. The approval process results in registering something (client registration in the OTK DB?) which we could test in the proxy. Is there any other means you might know of which is pretty standard for this?
It is a bit like this scenario: Sandbox Mode • Instagram Developer Documentation
(using OTK 3.1.2 at the moment)
In OTK, when registering a client, you can specify the 'Environment', which could say 'sandbox' or 'production'. On a gateway, you would look up that detail either before issuing an access_token (and remember the value as part of the session) or on protected APIs. Based on the value you can accept, deny, or re-route a request, whatever fits your use case.
In addition, you could register a JSON message in the 'client custom field'. Based on that you would make decisions at runtime.
In no case is there a need for changing the client.
I hope this helps,
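The lookup-at-issuance and route-by-environment flow described in the answer, as an added example that is not from the original thread or from OTK itself. The registry, backend hosts, field names and the `keep_sandbox` custom-field key are all constructed assumptions standing in for the OTK client store and the gateway policy; an unchanged client (no `requested_env`) is simply routed by its registered environment.

```python
import json

# Constructed stand-in for the OTK client registration store (hypothetical
# field names); 'environment' models OTK's 'Environment' and 'custom_field'
# models the JSON 'client custom field' mentioned in the answer.
CLIENT_REGISTRY = {
    "app-pending-review": {"environment": "sandbox",
                           "custom_field": json.dumps({"approved_on": None})},
    "app-approved": {"environment": "production",
                     "custom_field": json.dumps({"approved_on": "2024-01-15",
                                                 "keep_sandbox": True})},
}

# One public API URL, two backend routes (hypothetical internal hosts).
BACKENDS = {
    "sandbox": "https://api-sandbox.internal.example/v1",
    "production": "https://api.internal.example/v1",
}

# Session store: access token -> attributes captured when the token was issued.
SESSIONS = {}


def issue_token(client_id, token):
    """Look up the client's Environment at token issuance and remember it with
    the token, so protected APIs need no second registry lookup."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return None                     # unknown client_id: no token issued
    custom = json.loads(client["custom_field"] or "{}")
    SESSIONS[token] = {
        "client_id": client_id,
        "environment": client["environment"],
        "keep_sandbox": bool(custom.get("keep_sandbox", False)),
    }
    return SESSIONS[token]


def route(token, requested_env=None):
    """Decide where a protected-API call goes. Returns (decision, backend_url).
    A sandbox client always lands on the sandbox backend and is denied if it
    asks for production; an approved client goes to production, or to sandbox
    when it asks for it and the custom field allows that."""
    session = SESSIONS.get(token)
    if session is None:
        return ("deny", None)           # unknown or expired token
    env = session["environment"]
    if env == "sandbox":
        if requested_env == "production":
            return ("deny", None)       # not yet approved for production
        return ("allow", BACKENDS["sandbox"])
    if env == "production":
        if requested_env == "sandbox" and session["keep_sandbox"]:
            return ("allow", BACKENDS["sandbox"])
        return ("allow", BACKENDS["production"])
    return ("deny", None)               # unrecognised environment value
```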
This is a really simple solution!