Hi Ton, Just to clarify. From what I understand, you're trying to secure communications between the apiman gateway and back-end service using OAuth2/OpenID Connect? I.e. You are *not* OAuth2 simply between the client to the apiman gateway. Regards, Marc On 18/11/2015 14:34, Ton Swieb wrote: > Hi, > > I am using Apiman 1.1.8.Final and I want to use a backend service in > Apiman which is secured by OAuth. > So instead of securing the Apiman side of the service, using the > Keycloak OAuth plugin, Apiman needs forward calls to a service > implementation that is secured by OAuth. I have got an OAuth token with > a very long time to live (days/weeks/months) which I can use. > > Currently I only see the option to configure BASIC Authentication or > MTLS/Two-Way-SSL on the service implementation. > Would it be possible to add the HTTP Simple Header policy to the service > and set the Authorization header with "Bearer........." or will that be > stripped off by Apiman when forwarding the call to the backend service? > > Kind regards, > > Ton > > > _______________________________________________ > Apiman-user mailing list > Apiman-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > >

Hi Ton, Sorry, I forgot to reply to this. In essence, you are correct. There's no in-built mechanism to achieve what you want (i.e. gateway acting as an OAuth2 *client*). You could indeed use the simple header policy to store a long-lived token, but this should not be considered a particularly secure approach (particularly if there's a chance that the token could be exposed somehow - e.g. by a user looking at the policy config in the UI). The second issue, which you are undoubtedly aware of, is that there is no mechanism to auto-refresh those token(s) once expired. Another option which you could explore is to create a custom policy which does the periodic refreshing of tokens for you. Regards, Marc On 18/11/2015 15:11, Ton Swieb wrote: > Hi Marc, > > That is correct. > > Regards, > > Ton > > 2015-11-18 16:02 GMT+01:00 Marc Savy <marc.savy(a)redhat.com > <mailto:marc.savy@redhat.com>>: > > Hi Ton, > > Just to clarify. From what I understand, you're trying to secure > communications between the apiman gateway and back-end service using > OAuth2/OpenID Connect? > > I.e. You are *not* OAuth2 simply between the client to the apiman > gateway. > > Regards, > Marc > > On 18/11/2015 14:34, Ton Swieb wrote: > > Hi, > > I am using Apiman 1.1.8.Final and I want to use a backend service in > Apiman which is secured by OAuth. > So instead of securing the Apiman side of the service, using the > Keycloak OAuth plugin, Apiman needs forward calls to a service > implementation that is secured by OAuth. I have got an OAuth > token with > a very long time to live (days/weeks/months) which I can use. > > Currently I only see the option to configure BASIC Authentication or > MTLS/Two-Way-SSL on the service implementation. > Would it be possible to add the HTTP Simple Header policy to the > service > and set the Authorization header with "Bearer........." or will > that be > stripped off by Apiman when forwarding the call to the backend > service? > > Kind regards, > > Ton > > > _______________________________________________ > Apiman-user mailing list > Apiman-user(a)lists.jboss.org <mailto:Apiman-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/apiman-user > > _______________________________________________ Apiman-user mailing list Apiman-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/apiman-user

I'll take any further stuff to the ticket - but, my understanding is that Server-To-Server OAuth2 isn't particularly recommended (Mutual TLS or similar is preferred). That being said, I think you could argue we're just acting as a client by proxy, so perhaps it's okay. On 30/11/2015 13:33, Eric Wittmann wrote: > Right - at this point a custom policy is probably the only reasonable > approach. > > I've added OAuth support between the Gateway and back-end API as a > feature request here: > > https://issues.jboss.org/browse/APIMAN-811 > > -Eric > > On 11/30/2015 6:31 AM, Marc Savy wrote: > > Hi Ton, > > > > Sorry, I forgot to reply to this. > > > > In essence, you are correct. There's no in-built mechanism to achieve > > what you want (i.e. gateway acting as an OAuth2 *client*). > > > > You could indeed use the simple header policy to store a long-lived > > token, but this should not be considered a particularly secure approach > > (particularly if there's a chance that the token could be exposed > > somehow - e.g. by a user looking at the policy config in the UI). > > > > The second issue, which you are undoubtedly aware of, is that there is > > no mechanism to auto-refresh those token(s) once expired. > > > > Another option which you could explore is to create a custom policy > > which does the periodic refreshing of tokens for you. > > > > Regards, > > Marc > > > > On 18/11/2015 15:11, Ton Swieb wrote: > >> Hi Marc, > >> > >> That is correct. > >> > >> Regards, > >> > >> Ton > >> > >> 2015-11-18 16:02 GMT+01:00 Marc Savy <marc.savy(a)redhat.com > >> <mailto:marc.savy@redhat.com>>: > >> > >> Hi Ton, > >> > >> Just to clarify. From what I understand, you're trying to secure > >> communications between the apiman gateway and back-end service > >> using > >> OAuth2/OpenID Connect? > >> > >> I.e. You are *not* OAuth2 simply between the client to the apiman > >> gateway. > >> > >> Regards, > >> Marc > >> > >> On 18/11/2015 14:34, Ton Swieb wrote: > >> > >> Hi, > >> > >> I am using Apiman 1.1.8.Final and I want to use a backend > >> service in > >> Apiman which is secured by OAuth. > >> So instead of securing the Apiman side of the service, using > >> the > >> Keycloak OAuth plugin, Apiman needs forward calls to a > service > >> implementation that is secured by OAuth. I have got an OAuth > >> token with > >> a very long time to live (days/weeks/months) which I can use. > >> > >> Currently I only see the option to configure BASIC > >> Authentication or > >> MTLS/Two-Way-SSL on the service implementation. > >> Would it be possible to add the HTTP Simple Header policy to > >> the > >> service > >> and set the Authorization header with "Bearer........." or > will > >> that be > >> stripped off by Apiman when forwarding the call to the > backend > >> service? > >> > >> Kind regards, > >> > >> Ton > >> > >> > >> _______________________________________________ > >> Apiman-user mailing list > >> Apiman-user(a)lists.jboss.org > >> <mailto:Apiman-user@lists.jboss.org> > >> https://lists.jboss.org/mailman/listinfo/apiman-user > >> > >> > > > > _______________________________________________ > > Apiman-user mailing list > > Apiman-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/apiman-user > >