Layer7 API Management

  • 1.  Gateway as a OAuth2.0 Client

    Posted Aug 31, 2017 01:32 PM



    I want the API Gateway to mimic an OAuth 2.0 client, meaning the gateway will act as a client to a third-party OAuth 2.0 server.

    Kindly let me know what should be taken care of in the gateway to avoid issues, and how to store the access_token, refresh_token and code for further third-party API calls.


    Thanks in advance,




  • 2.  Re: Gateway as a OAuth2.0 Client
    Best Answer

    Broadcom Employee
    Posted Sep 11, 2017 10:25 PM

    Dear saisuneel,

    You can use the "Retrieve OAuth 2.0 Token Assertion"; see "Retrieve OAuth 2.0 Token Assertion - CA API Management OAuth Toolkit - 3.1 - CA Technologies Documentation".


    If you have MAG installed, there are policy examples such as "google oauth 2.0 client", or facebook client etc.


    The gateway is supposed to be stateless; we don't recommend persisting the tokens. Usually the gateway is not the real OAuth client; there should be a real client you can return the token to. If you have to, you can persist the tokens to a database (via JDBC) or a remote cache.
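
The database option mentioned in the answer above, sketched as an added example that is not part of the original answer and is not Layer7 or OAuth Toolkit code. It assumes the token endpoint returns `expires_in`; `sqlite3` stands in for the JDBC database, and `TokenStore`, the `oauth_tokens` table and the `refresh` callable are hypothetical names. The authorization code is not stored because it is exchanged for tokens once and then discarded.

```python
import sqlite3
import time

SKEW = 30  # seconds; treat a token this close to expiry as already expired


class TokenStore:
    """Tokens kept outside the gateway node, keyed by provider and subject."""

    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS oauth_tokens ("
            " provider TEXT, subject TEXT, access_token TEXT,"
            " refresh_token TEXT, expires_at REAL,"
            " PRIMARY KEY (provider, subject))"
        )

    def save(self, provider, subject, resp, now=None):
        """Store a token-endpoint response (RFC 6749 field names)."""
        now = time.time() if now is None else now
        self.db.execute(
            "INSERT OR REPLACE INTO oauth_tokens VALUES (?, ?, ?, ?, ?)",
            (provider, subject, resp["access_token"],
             resp.get("refresh_token"), now + resp["expires_in"]),
        )
        self.db.commit()

    def get_access_token(self, provider, subject, refresh, now=None):
        """Return a usable access token, calling refresh(refresh_token) if stale."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT access_token, refresh_token, expires_at FROM oauth_tokens"
            " WHERE provider = ? AND subject = ?", (provider, subject),
        ).fetchone()
        if row is None:
            return None  # no grant yet: the authorization flow must run first
        access, refresh_token, expires_at = row
        if now < expires_at - SKEW:
            return access  # still valid, no call to the OAuth server
        if refresh_token is None:
            return None  # expired and not refreshable
        resp = dict(refresh(refresh_token))
        # The server may rotate the refresh token or omit it; keep the old one if omitted.
        resp.setdefault("refresh_token", refresh_token)
        self.save(provider, subject, resp, now)
        return resp["access_token"]
```
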




  • 3.  RE: Re: Gateway as a OAuth2.0 Client

    Posted Nov 10, 2021 09:22 PM
    Hi @Zhijun He,

    I found that there is no "Retrieve OAuth 2.0 Token Assertion" assertion, but I have already installed OAuth Toolkit 3.6. May I know how I can add it to my API gateway?
    Thank you very much!