Right - at this point a custom policy is probably the only reasonable
approach.
I've added OAuth support between the Gateway and back-end API as a
feature request here:
Hi Ton,
Sorry, I forgot to reply to this.
In essence, you are correct. There's no in-built mechanism to achieve
what you want (i.e. gateway acting as an OAuth2 *client*).
You could indeed use the simple header policy to store a long-lived
token, but this should not be considered a particularly secure approach
(particularly if there's a chance that the token could be exposed
somehow - e.g. by a user looking at the policy config in the UI).
The second issue, which you are undoubtedly aware of, is that there is
no mechanism to auto-refresh those token(s) once expired.
Another option which you could explore is to create a custom policy
which does the periodic refreshing of tokens for you.
Regards,
Marc
On 18/11/2015 15:11, Ton Swieb wrote:
> Hi Marc,
>
> That is correct.
>
> Regards,
>
> Ton
>
> 2015-11-18 16:02 GMT+01:00 Marc Savy <marc.savy@redhat.com>:
>
> Hi Ton,
>
> Just to clarify. From what I understand, you're trying to secure
> communications between the apiman gateway and back-end service using
> OAuth2/OpenID Connect?
>
> I.e. You are *not* OAuth2 simply between the client to the apiman
> gateway.
>
> Regards,
> Marc
>
> On 18/11/2015 14:34, Ton Swieb wrote:
>
> Hi,
>
> I am using Apiman 1.1.8.Final and I want to use a backend service in
> Apiman which is secured by OAuth.
> So instead of securing the Apiman side of the service, using the
> Keycloak OAuth plugin, Apiman needs to forward calls to a service
> implementation that is secured by OAuth. I have got an OAuth token with
> a very long time to live (days/weeks/months) which I can use.
>
> Currently I only see the option to configure BASIC Authentication or
> MTLS/Two-Way-SSL on the service implementation.
> Would it be possible to add the HTTP Simple Header policy to the service
> and set the Authorization header with "Bearer........." or will that be
> stripped off by Apiman when forwarding the call to the backend service?
>
> Kind regards,
>
> Ton
>
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
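The thread above ends with two options: store a long-lived bearer token in the simple header policy (which exposes the token in the policy config and never refreshes it), or write a custom policy that refreshes the token itself. The following is an added example, not code from apiman, Marc or Ton, of the second option's core: a gateway-side token source that obtains a token with the OAuth2 client_credentials grant, caches it, refreshes it shortly before expiry, and replaces any Authorization header the API consumer sent so consumer credentials are never forwarded to the back end. It assumes a client_credentials-capable authorization server and uses a constructed in-process stand-in for its token endpoint (`FakeTokenEndpoint`) plus an injectable clock so the refresh behaviour can be exercised offline; the apiman policy plumbing (the `IPolicy` wiring) is deliberately not shown.

```python
"""Gateway-side OAuth2 token cache with proactive refresh (added example)."""
import time
import secrets


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth2 /token endpoint (client_credentials grant).
    A real deployment would POST to the authorization server over TLS instead."""

    def __init__(self, client_id, client_secret, lifetime_s=3600):
        self._client_id = client_id
        self._client_secret = client_secret
        self.lifetime_s = lifetime_s
        self.issued = 0  # number of tokens minted so far (for observation only)

    def token(self, client_id, client_secret, grant_type="client_credentials"):
        # Compare the secret in constant time, as a real server should.
        if (grant_type != "client_credentials" or client_id != self._client_id
                or not secrets.compare_digest(client_secret, self._client_secret)):
            raise PermissionError("invalid_client")
        self.issued += 1
        return {"access_token": f"tok-{self.issued}",
                "token_type": "Bearer",
                "expires_in": self.lifetime_s}


class BearerTokenSource:
    """Holds one access token for the gateway and refreshes it before it expires.

    skew_s: refresh this many seconds early, so a request in flight never carries
            a token that expires while the back end is still validating it.
    clock:  injectable for testing; time.monotonic in production.
    """

    def __init__(self, endpoint, client_id, client_secret, skew_s=30, clock=time.monotonic):
        self._endpoint = endpoint
        self._client_id = client_id
        self._client_secret = client_secret  # lives only in gateway memory, never in a header
        self._skew_s = skew_s
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def _refresh(self):
        resp = self._endpoint.token(self._client_id, self._client_secret)
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self._token = resp["access_token"]
        self._expires_at = self._clock() + float(resp["expires_in"])

    def access_token(self):
        # Fetch on first use, and again once we are inside the skew window.
        if self._token is None or self._clock() >= self._expires_at - self._skew_s:
            self._refresh()
        return self._token

    def outbound_headers(self, incoming_headers):
        """Headers for the proxied call: the gateway's own bearer token replaces
        whatever Authorization the API consumer sent."""
        headers = {k: v for k, v in incoming_headers.items() if k.lower() != "authorization"}
        headers["Authorization"] = f"Bearer {self.access_token()}"
        return headers


class FakeClock:
    """Constructed controllable clock so expiry can be simulated without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through first fetch, cache hit and proactive refresh.
    Returns the three outbound header dicts and how many tokens were minted."""
    clock = FakeClock()
    endpoint = FakeTokenEndpoint("apiman-gateway", "s3cret", lifetime_s=600)
    src = BearerTokenSource(endpoint, "apiman-gateway", "s3cret", skew_s=30, clock=clock)
    h1 = src.outbound_headers({"Authorization": "Bearer consumer-token",
                               "Accept": "application/json"})
    h2 = src.outbound_headers({})      # still fresh: reuses tok-1
    clock.advance(580)                 # 20 s before expiry, inside the 30 s skew
    h3 = src.outbound_headers({})      # triggers refresh: tok-2
    return h1, h2, h3, endpoint.issued


if __name__ == "__main__":
    print(demo())
```

The design point is that the back end only ever sees short-lived tokens minted for the gateway, the client secret stays in gateway memory rather than in a policy configuration visible in the UI, and expiry is handled automatically instead of by a months-long static token.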