Layer7 API Management

Expand all | Collapse all

Can "OTK Generate OAuth Token" Assertion be used in normal web API

Jump to Best Answer
  • 1.  Can "OTK Generate OAuth Token" Assertion be used in normal web API

    Posted 07-17-2017 08:09 AM

    We have a requirement to issue an access token after doing authentication with custom set of ruled. I have built an API that does the performs the required authentication. Now i need to issue a token and send the response. As of now i am calling the available OAuth endpoint "https://localhost:443/auth/oauth/v2/token" from the policy internally and sending the response of that to the consumer . I think this will add some amount of latency.  Instead of doing so 

    Can i make use of "OTK Generate OAuth Token" Assertion to generate the token and form the response? What is the best way to do it?



  • 2.  Re: Can "OTK Generate OAuth Token" Assertion be used in normal web API

    Posted 07-26-2017 06:35 AM

    Please let me know if any one has suggestions on this



  • 3.  Re: Can "OTK Generate OAuth Token" Assertion be used in normal web API
    Best Answer

    Posted 07-26-2017 11:22 AM

    The "OTK Generate Oauth Token" does not actually generate a valid token that is usable, all that EA does is initialize the uuid for the token and the refresh token. It does not  persist the token to the token store for usage. 

     

    What are the  requirements for authentication that you are not able to account for within the OTK User Autherntications policies allowing you to use the /auth/ouath/v2/token endpoint directly?



  • 4.  Re: Can "OTK Generate OAuth Token" Assertion be used in normal web API

    Posted 07-26-2017 01:22 PM

    Hi Barry.. 

    We do use the oauth/v2/token endpoint for most of the APIs. 

    But in one of the case consumer gets the token from a external system  and passes it in header.  We are trying to validate that token by connecting to the external system via API and if it's validated then issue a token.



  • 5.  Re: Can "OTK Generate OAuth Token" Assertion be used in normal web API

    Posted 07-26-2017 04:26 PM

    Hello,

     

    In that case one option I would explore is to use a custom grant type and embed the logic to validate the third party token in the custom grant type policy.

     

    This is documentation on configuring custom grant_types 

    Support Custom Grant Types - CA API Management OAuth Toolkit - 4.0 - CA Technologies Documentation 

     

    this documentation also shows how you can use the "OTK Token Storage (access_token, refresh_token)" assertion to persist a new token and then return it.