[Apiman-user] Forwarding HTTP requests to service implementations secured by OAuth

Marc Savy marc.savy at redhat.com
Mon Nov 30 06:31:02 EST 2015


Hi Ton,

Sorry, I forgot to reply to this.

In essence, you are correct. There's no in-built mechanism to achieve
what you want (i.e. gateway acting as an OAuth2 *client*).

You could indeed use the simple header policy to store a long-lived
token, but this should not be considered a particularly secure approach
(particularly if there's a chance that the token could be exposed
somehow - e.g. by a user looking at the policy config in the UI).

The second issue, which you are undoubtedly aware of, is that there is
no mechanism to auto-refresh those token(s) once expired.

Another option which you could explore is to create a custom policy
which does the periodic refreshing of tokens for you.

Regards,
Marc

On 18/11/2015 15:11, Ton Swieb wrote:
> Hi Marc,
>
> That is correct.
>
> Regards,
>
> Ton
>
> 2015-11-18 16:02 GMT+01:00 Marc Savy <marc.savy at redhat.com>:
>
>     Hi Ton,
>
>     Just to clarify. From what I understand, you're trying to secure
>     communications between the apiman gateway and back-end service using
>     OAuth2/OpenID Connect?
>
>     I.e. you are *not* using OAuth2 simply between the client and the apiman
>     gateway.
>
>     Regards,
>     Marc
>
>     On 18/11/2015 14:34, Ton Swieb wrote:
>
>         Hi,
>
>         I am using Apiman 1.1.8.Final and I want to use a backend service in
>         Apiman which is secured by OAuth.
>         So instead of securing the Apiman side of the service, using the
>         Keycloak OAuth plugin, Apiman needs to forward calls to a service
>         implementation that is secured by OAuth. I have got an OAuth token with
>         a very long time to live (days/weeks/months) which I can use.
>
>         Currently I only see the option to configure BASIC Authentication or
>         MTLS/Two-Way-SSL on the service implementation.
>         Would it be possible to add the HTTP Simple Header policy to the service
>         and set the Authorization header with "Bearer........." or will that be
>         stripped off by Apiman when forwarding the call to the backend service?
>
>         Kind regards,
>
>         Ton
>
>
>         _______________________________________________
>         Apiman-user mailing list
>         Apiman-user at lists.jboss.org
>         https://lists.jboss.org/mailman/listinfo/apiman-user
>
>
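
Added example (not from the thread and not apiman's policy API): the token-handling logic that the custom policy Marc suggests would need, written in plain Python with constructed stand-ins for the token endpoint and the OAuth-protected backend. Instead of pasting a long-lived bearer token into the policy configuration, the gateway side holds client credentials (in a real deployment, in a secret store), obtains a short-lived token from the token endpoint, refreshes it a margin before expiry, sets the outbound `Authorization` header itself, and forces one refresh-and-retry when the backend answers 401 (e.g. after revocation). `FakeClock`, `FakeAuthServer`, `FakeBackend`, `RefreshingTokenSource` and `forward` are all hypothetical names introduced here; a real policy would call the token endpoint over HTTPS and plug into the gateway's request chain.

```python
"""Outbound bearer-token refresh for a gateway forwarding to an OAuth2-secured backend.

Illustrative code only: the auth server, backend and clock are constructed fakes so
the refresh behaviour can be exercised without network access or sleeping.
"""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Token:
    access_token: str
    expires_at: float  # absolute time in seconds, as returned by the clock


class FakeClock:
    """Hypothetical injectable clock so expiry can be driven deterministically."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeAuthServer:
    """Constructed stand-in for the token endpoint (client_credentials grant)."""

    def __init__(self, clock: Callable[[], float], ttl: float) -> None:
        self._clock = clock
        self._ttl = ttl
        self._issued = 0
        self._live: Dict[str, Token] = {}

    def issue(self) -> Token:
        # Each call stands for one POST to the token endpoint with the client credentials.
        self._issued += 1
        tok = Token(f"tok-{self._issued}", self._clock() + self._ttl)
        self._live[tok.access_token] = tok
        return tok

    def revoke(self, access_token: str) -> None:
        self._live.pop(access_token, None)

    def is_valid(self, access_token: str) -> bool:
        tok = self._live.get(access_token)
        return tok is not None and self._clock() < tok.expires_at


class FakeBackend:
    """Constructed OAuth-protected service: 200 with a valid bearer token, else 401."""

    def __init__(self, auth: FakeAuthServer) -> None:
        self._auth = auth

    def handle(self, headers: Dict[str, str]) -> int:
        value = headers.get("Authorization", "")
        if value.startswith("Bearer ") and self._auth.is_valid(value[len("Bearer "):]):
            return 200
        return 401


class RefreshingTokenSource:
    """Caches one token and re-fetches it shortly before expiry (or on demand)."""

    def __init__(self, fetch: Callable[[], Token], clock: Callable[[], float] = time.time,
                 refresh_margin: float = 60.0) -> None:
        self._fetch = fetch
        self._clock = clock
        self._margin = refresh_margin
        self._lock = threading.Lock()  # one refresh at a time under concurrent requests
        self._token: Optional[Token] = None
        self.refresh_count = 0

    def _stale(self) -> bool:
        return self._token is None or self._clock() >= self._token.expires_at - self._margin

    def get(self, force: bool = False) -> str:
        with self._lock:
            if force or self._stale():
                self._token = self._fetch()
                self.refresh_count += 1
            return self._token.access_token


def forward(request_headers: Dict[str, str], send: Callable[[Dict[str, str]], int],
            tokens: RefreshingTokenSource) -> Tuple[int, int]:
    """Forward with the gateway's own bearer token; on 401 refresh once and retry.

    Returns (final status, number of attempts). The client's inbound Authorization
    header is replaced, never passed through to the backend.
    """
    headers = dict(request_headers)
    headers["Authorization"] = f"Bearer {tokens.get()}"
    status = send(headers)
    if status != 401:
        return status, 1
    headers["Authorization"] = f"Bearer {tokens.get(force=True)}"
    return send(headers), 2


if __name__ == "__main__":
    clock = FakeClock()
    auth = FakeAuthServer(clock, ttl=300.0)
    backend = FakeBackend(auth)
    tokens = RefreshingTokenSource(auth.issue, clock=clock, refresh_margin=60.0)
    print(forward({"Host": "backend.example"}, backend.handle, tokens))
    auth.revoke("tok-1")  # simulate revocation; the next forward recovers with one retry
    print(forward({"Host": "backend.example"}, backend.handle, tokens))
```

The refresh margin is the important knob: refreshing when the remaining lifetime drops below the margin means a request that is in flight when the token expires still carries a valid one, and the 401 fallback covers tokens revoked before their expiry. Keeping the client credentials, rather than a months-long token, as the stored secret also limits what a reader of the policy configuration could reuse.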
