Layer7 API Management

  • 1.  Can I do token exchange in the gateway

    Posted Jun 04, 2020 02:23 PM

    I have a use case where backend services want to call other microservices with JWT tokens issued by the gateway.

    https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#appendix-A.1.1

    Microsoft has a nice breakdown

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow



    ------------------------------
    API Tech Lead
    Sanlam
    ------------------------------


  • 2.  RE: Can I do token exchange in the gateway
    Best Answer

    Broadcom Employee
    Posted Jun 10, 2020 01:54 PM
    Hello Evan,

    Not 100 percent sure what you are asking here. But the Gateway does have an add-on OAuth Toolkit that can be used to accomplish the items outlined in the Microsoft doc you posted. If you are looking to take advantage of the Gateway OTK, I would reach out to your account director to have this toolkit added to your available products.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/install-configure-upgrade/configure-a-gateway-cluster/configuring-subsequent-processing-nodes.html#concept.dita_42196e00000e91cd760a24c1a6d5d462a05aaf79_SoftwareGateways

    ------------------------------
    Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Can I do token exchange in the gateway

    Posted Aug 26, 2021 06:06 AM

    I ended up adding my own grant_type under OTK grant_type=CUSTOM.

    It was easiest to use the additional grant_type of urn:ietf:params:oauth:grant-type:token-exchange.

    I think this should go hand in hand with a JWT that needs to be sent to the back-end API endpoint. We have implemented this in templates so most back-end services standardize on JWT. The middle layer services can then use the token-exchange to delegate authentication.
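
Added example, not part of the thread and not OTK policy code: a sketch of the token-exchange request a middle-layer service would send, and the parameter checks a custom grant handler would apply before verifying or issuing any token, following RFC 8693 (the published form of the draft linked in the question). The function names, the `orders-api` audience, the sample token string and the rule that an allowlisted audience is mandatory are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
# Token type identifiers registered by RFC 8693, section 3.
TOKEN_TYPES = {"urn:ietf:params:oauth:token-type:" + t for t in
               ("access_token", "refresh_token", "id_token", "saml1", "saml2", "jwt")}

def build_exchange_request(subject_jwt, audience, actor_jwt=None):
    """Form body a middle-layer service POSTs to the token endpoint."""
    params = {"grant_type": GRANT, "subject_token": subject_jwt,
              "subject_token_type": JWT_TYPE, "audience": audience}
    if actor_jwt is not None:
        params.update(actor_token=actor_jwt, actor_token_type=JWT_TYPE)
    return urlencode(params)

def validate_exchange_request(body, allowed_audiences):
    """Return (ok, oauth_error). Runs before signature checks and token minting."""
    raw = parse_qs(body, keep_blank_values=True)
    # Only audience and resource may repeat; a duplicate of anything else is ambiguous.
    for name, values in raw.items():
        if len(values) > 1 and name not in ("audience", "resource"):
            return False, "invalid_request"
    p = {name: values[0] for name, values in raw.items()}
    if p.get("grant_type") != GRANT:
        return False, "unsupported_grant_type"
    if not p.get("subject_token") or p.get("subject_token_type") not in TOKEN_TYPES:
        return False, "invalid_request"
    # actor_token and actor_token_type must appear together or not at all.
    if ("actor_token" in p) != ("actor_token_type" in p):
        return False, "invalid_request"
    if "actor_token" in p and (not p["actor_token"] or p["actor_token_type"] not in TOKEN_TYPES):
        return False, "invalid_request"
    # Assumed policy: the caller must name a target, and every target must be allowlisted.
    audiences = raw.get("audience", [])
    if not audiences or any(a not in allowed_audiences for a in audiences):
        return False, "invalid_target"
    return True, None

if __name__ == "__main__":
    # Constructed sample input; the token string is a placeholder, not a real JWT.
    body = build_exchange_request("constructed.subject.jwt", "orders-api")
    print(validate_exchange_request(body, {"orders-api"}))
```

Signature, expiry and issuer checks on the subject token still have to run after these checks pass; this block only covers the shape of the request.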