Re: [Apiman-user] OAuth with non public API

Hello Eric, my scenario is the following. A set of API has been defined to expose core business functions, to clerks and sales force automation. Some functions are specifically sensitive. All access requires end user authentication. Some function are only accessible to users when using trusted clients: for example access from browsers js apps is not enabled to some functions, while native clients for mobile SFA do. For trusted application i have implemented OAUTH with signed JWT client authentication (updated KC to latest) almost meeting security requirements (added a ticket to KC for supports of nonces) but oauth client and application are actually unrelated, so no way I can relate the client id to application to enforce access to sensitive api to only users authenticated with the trusted client. Of course I can set the api_key header to the one I have associated to the trusted client, but this are unrelated (security department not so happy). I could probably use the api_key as client_id in KC and implement a custom policy to verify the access token audience (i guess that is where the client is mapped in the signed token) matches the apikey. In general i was thinking if diffeent strategies for application identification made sense (at api level) . Bests Mike On Thu, 14 Jan 2016 at 14:34, Eric Wittmann <eric.wittmann(a)redhat.com&gt; wrote: