Layer7 API Management

  • 1.  external authentication server for OIDC and OAuth2.0

    Posted Apr 07, 2020 03:43 AM
    Here is my scenario,

    1. We have our own login server without a login screen. It supports REST API calls: a consumer application can make a REST API call with username and password to this login server, and it responds with success or failure along with other data.

    2. CA Gateway OIDC/OAuth flow implementation (e.g. auth code, implicit or password grant types): during authentication, the login screen (auth/oauth/v2/authorize/login) is populated so the user can enter credentials. After this, the consent screen is populated based on a successful response.
    My requirement is, instead of populating the login screen, to simply make a REST API call (as per point 1) to my own external login REST API, and if it returns a success message with some other data, the GW should proceed with the next step of the flow, like consent.
    Is it possible to simply replace this login URL (auth/oauth/v2/authorize/login) with my login server URL (like mydomain:port/path/login?username=username&password=password), and then have the OAuth and OIDC flows work fine?

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------


  • 2.  RE: external authentication server for OIDC and OAuth2.0

    Broadcom Employee
    Posted Apr 07, 2020 10:56 AM
    How are you collecting the user's credentials if you are looking to bypass prompting for them?


  • 3.  RE: external authentication server for OIDC and OAuth2.0

    Posted Apr 08, 2020 01:52 AM
    I will pass the user credentials during the authorization endpoint call, then extract these credentials and add them as parameters to the login URL. The login URL will then be a simple REST API call to my external login server without a login screen.
    Is it possible?

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 4.  RE: external authentication server for OIDC and OAuth2.0
    Best Answer

    Broadcom Employee
    Posted Apr 08, 2020 09:48 AM
    If you don't need to have user interaction or a third-party client involved, you can use the Resource Owner Password grant flow directly at the token server to do what you are looking for. Since your client is already handling the user's credentials, this does not require any redirects or user involvement: you can pass the user credentials and other parameters to /auth/oauth/v2/token with a grant_type of password to obtain tokens.
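    The token request this answer describes, worked through as an added Python example (not OTK code and not from the answer's author). The path /auth/oauth/v2/token and grant_type=password come from the thread; the gateway host, client id and secret, user name, password and scope are constructed placeholders, and the TLS-only check and the response parsing are my additions, following RFC 6749 sections 4.3 and 5.

```python
"""Resource Owner Password Credentials grant: request building and
response handling. Added illustration, not Layer7/OTK code.

Constructed values: gateway.example.com, my-client/my-secret, alice and the
sample JSON replies. Endpoint path and grant_type are from the thread.
"""
import base64
import json
from urllib.parse import urlencode, urlsplit


def build_password_grant_request(token_url, client_id, client_secret,
                                 username, password, scope=None):
    """Return (url, headers, form_body) for an RFC 6749 section 4.3 request.

    The client authenticates with an HTTP Basic header; the resource owner's
    username and password travel in the form body. Because the user's
    password is in the request, anything other than https is refused.
    """
    if urlsplit(token_url).scheme != "https":
        raise ValueError("password grant must be sent over TLS: " + token_url)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return token_url, headers, urlencode(form)


# Fields a client may keep from a successful reply (RFC 6749 5.1, OIDC adds id_token)
_TOKEN_FIELDS = ("access_token", "token_type", "expires_in",
                 "refresh_token", "id_token", "scope")


def parse_token_response(status, body_text):
    """Interpret a token endpoint reply per RFC 6749 section 5.

    Returns ("ok", tokens) only for a 200 that actually carries an
    access_token and token_type; everything else is ("error", details),
    so a malformed or partial reply is never treated as a login.
    """
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return "error", {"status": status, "error": "invalid_response",
                         "error_description": "body is not JSON"}
    if status == 200 and "access_token" in body and "token_type" in body:
        return "ok", {k: body[k] for k in _TOKEN_FIELDS if k in body}
    return "error", {"status": status,
                     "error": body.get("error", "unknown"),
                     "error_description": body.get("error_description", "")}


if __name__ == "__main__":
    # Constructed sample exchange: what the client sends, and two replies
    url, hdrs, body = build_password_grant_request(
        "https://gateway.example.com/auth/oauth/v2/token",
        "my-client", "my-secret", "alice", "correct horse", scope="openid")
    print("POST", url)
    print(hdrs)
    print(body)
    print(parse_token_response(
        200, '{"access_token":"abc","token_type":"Bearer","expires_in":3600}'))
    print(parse_token_response(
        400, '{"error":"invalid_grant","error_description":"bad credentials"}'))
```

    The client id/secret in the Basic header and the user's password in the body are two different secrets in one request, which is why the builder refuses plain http and why the answer's point about the client already holding the credentials matters: the client is trusted with them in this grant.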



  • 5.  RE: external authentication server for OIDC and OAuth2.0

    Posted Apr 08, 2020 10:16 AM
    Edited by Sachin Ghumbre Apr 08, 2020 11:30 AM
    Ok, understood. So OTK will make a call only to the token endpoint.
    I have an external IDP which does not support LDAP or any of the other IDP protocols supported by the GW. It is simply a REST API call. So can I configure a REST API service in OTK for the password grant type, or do I need an LDAP IDP to do the same?

    Based on the response from this external IDP, the gateway will have to generate access and ID tokens.

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 6.  RE: external authentication server for OIDC and OAuth2.0

    Broadcom Employee
    Posted Apr 16, 2020 12:55 AM
    Hi Sachin,

    Below are the points you can/should consider in your scenario:

    1 : Use of the Password grant type.
    --- In coming versions of OAuth (OAuth 2.1), this grant type may get deprecated. You may consider the other, more secure grant types. This is an architectural and product-agnostic recommendation. You may refer to the first draft of OAuth 2.1, which has been released very recently, here (https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01). It will provide you future guidance as an architect.
    2 : Use of a custom identity provider for authentication.
    3 : Use of a REST API for user authentication during the OAuth flow.
    --- The documentation does not list it as an out-of-the-box capability when providing details about custom authentication mechanisms with OTK. Some customizations to the toolkit are permitted and listed here (https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/customizing-the-oauth-toolkit.html).
    --- I would recommend going with the standard way, which will help you a lot with future maintainability. Also, a lot of customization (which is not listed in the document) may compromise the level of security which is required by the framework and built into the product.

    Thanks,
    Sid



  • 7.  RE: external authentication server for OIDC and OAuth2.0

    Posted Apr 20, 2020 12:37 AM
    Hello Sid, thanks for your reply.
    What about a policy-backed identity provider? Can we use that to call the REST API service and utilize it in OTK as an authentication IDP?

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 8.  RE: external authentication server for OIDC and OAuth2.0

    Posted Apr 20, 2020 05:44 AM
    A policy-backed identity provider takes in two parameters, ${idp.user} and ${idp.password}, and returns either success or failure.
    You can build your own REST API service call taking ${idp.user} and ${idp.password} as input parameters, perform your API call, and on success do nothing, on failure stop processing.

    This will provide you the same functionality as authenticating against a REST IDP client. However, the limitation is that you cannot output any custom parameter except a successful or failed authentication.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/security-configuration-in-policy-manager/identity-providers/policy-backed-identity-providers.html



    Steps:
    1. Create a Policy-Backed IDP service
    2. Add it as an IDP provider
    3. In the policy:
    3.1 Validate that the $idp parameters are not empty
    3.2 Use the OAuth 2.0 assertion to do a REST call to validate the user's IDP details
    3.3 On success, continue processing
    3.4 On failure, stop processing
    4. Test it using the Authenticate Against IDP assertion
    4.1. You will get a success or a failure




    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------
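    The decision logic of the policy in steps 3.1 to 3.4 above, written out as an added Python example. This is not Layer7 policy and not code from the post's author: ${idp.user} and ${idp.password} become the two function arguments, the external login REST API is modelled by a callable returning (HTTP status, body text) so the example runs offline, the test user and the JSON reply format are constructed, and the result is deliberately only True or False, matching the limitation the post describes.

```python
"""Policy-backed IDP delegating to a REST login API: pass/fail logic only.

Added illustration, not gateway policy. Constructed pieces: the fake login
API (user alice), its JSON reply shape {"result": "success"|"failure"},
and the unavailable-API stand-in.
"""
import json


def constructed_login_api(username, password):
    """Stand-in for the external login REST API from the question.

    Returns (status, json_body). Like the real server, it may return extra
    data on success; the policy below never uses it.
    """
    users = {"alice": "correct horse"}  # constructed test credential
    if users.get(username) == password:
        return 200, json.dumps({"result": "success", "displayName": "Alice"})
    return 200, json.dumps({"result": "failure"})


def unavailable_login_api(username, password):
    """Stand-in for the login server being down."""
    raise ConnectionError("login server unreachable")


def policy_backed_authenticate(idp_user, idp_password, call_login_api):
    """Steps 3.1-3.4: validate inputs, call the REST API, succeed or fail.

    Fails closed: empty credentials, a transport error, a non-200 status,
    a malformed body, or anything but an explicit success all mean False.
    Only a boolean is returned, because a policy-backed IDP can report
    nothing except success or failure.
    """
    # 3.1: reject empty parameters before touching the network
    if not idp_user or not idp_password:
        return False
    # 3.2: perform the REST call to the external login server
    try:
        status, body_text = call_login_api(idp_user, idp_password)
        body = json.loads(body_text)
    except (ConnectionError, ValueError, TypeError):
        return False
    # 3.3 / 3.4: continue only on an explicit success; extra fields such as
    # displayName are dropped, they cannot be passed out of the IDP
    return status == 200 and body.get("result") == "success"


if __name__ == "__main__":
    api = constructed_login_api
    print("good credentials:", policy_backed_authenticate("alice", "correct horse", api))
    print("bad password:    ", policy_backed_authenticate("alice", "wrong", api))
    print("empty password:  ", policy_backed_authenticate("alice", "", api))
    print("server down:     ", policy_backed_authenticate("alice", "correct horse",
                                                          unavailable_login_api))
```

    The fail-closed branches are the part worth carrying into the real policy: an unreachable or misbehaving login server must end as a failed authentication, never as a fall-through that the Authenticate Against IDP assertion could read as success.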