Layer7 API Management

  • 1.  Access token exchange with auth code

    Posted Jun 27, 2018 08:00 PM

    Hi There,

In essence, a web application (client) is seeking an OAuth access token for a user login. Essentially they provide response_type=code and in exchange we (SSG) send an access token. I was presuming the encrypted access token may contain the logged-in user ID (email), and the ask was: do we have to share the gateway public key with the client to decrypt that access token, which is essentially sent after authentication with the gateway?



  • 2.  Re: Access token exchange with auth code

    Broadcom Employee
    Posted Jun 28, 2018 10:29 AM

The OTK access token doesn't contain any information; it is a random UUID that is generated as an opaque token.



  • 3.  Re: Access token exchange with auth code

    Posted Jun 28, 2018 01:18 PM

But how would you return the authenticated user attributes, such as email and phone number, back to the calling web application? And if it's a random number, I am wondering, wouldn't the client application validate the access token to ensure it's issued from a trusted authorization server?



  • 4.  Re: Access token exchange with auth code

    Broadcom Employee
    Posted Jun 28, 2018 03:11 PM

That is not the function of the access token. It sounds like you are looking for the OpenID id_token. An id_token is a JWT that is signed by the gateway and contains claims about the token that can be verified. The id_token does not contain the username or email address either, but the id_token can be passed to the user info endpoint to obtain such information.



  • 5.  Re: Access token exchange with auth code

    Posted Jun 28, 2018 04:20 PM

You are right, I am looking for exactly what you thought; would you mind referring me to a document link here?



  • 6.  Re: Access token exchange with auth code

    Broadcom Employee
    Posted Jul 05, 2018 03:09 PM

Hi Popleys, the blog post OAuth vs. LDAP vs. OpenID Connect would help clarify your question.



  • 7.  Re: Access token exchange with auth code

    Posted Jul 24, 2018 09:40 AM

    Hi There,

Generally, what information may the opaque string access_token contain?



  • 8.  Re: Access token exchange with auth code

    Broadcom Employee
    Posted Jul 03, 2018 08:21 PM

Dear Popleys,

An OAuth access token is only an opaque string. The token issuer is the only party that can relate the opaque string to meaningful information, i.e. that meaningful info is actually stored by the token issuer; you can only retrieve it by calling the endpoint of the token issuer.


    Regards,

    Mark
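As an added example (not code from this thread, nor from the Layer7 gateway or OTK), the following Python models the distinction drawn in replies 4 and 8: the access token is an opaque random UUID that only the issuer can map back to user attributes, while the id_token is a signed JWT whose claims the client can verify itself. Assumptions not taken from the thread: the gateway signs the id_token with HS256 using a constructed shared key (a real gateway would normally use an asymmetric algorithm such as RS256, verified against its published public key), and the issuer URL, client_id, nonce and user attributes are constructed placeholders.

```python
"""Opaque access token vs. verifiable id_token (constructed model, not gateway code)."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Assumptions (not from the thread): HS256 with a constructed key; placeholder issuer/client.
GATEWAY_KEY = b"constructed-demo-signing-key"
ISSUER = "https://gateway.example.test/auth/oauth/v2"
CLIENT_ID = "web-app-client"

# Issuer-side store: opaque access token -> user attributes. Only the issuer holds this,
# which is why a client cannot "decrypt" the access token to read the email.
USER_STORE = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, signing_input, hashlib.sha256).digest()


def issue_tokens(subject: str, email: str, nonce: str, now: int) -> dict:
    """Issuer side: returns an opaque access token and a signed id_token."""
    access_token = str(uuid.uuid4())                  # random UUID, carries no information
    USER_STORE[access_token] = {"sub": subject, "email": email}
    header = {"alg": "HS256", "typ": "JWT"}
    # As in the thread: the id_token carries claims about the token, not the email.
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode())).encode("ascii")
    id_token = signing_input.decode("ascii") + "." + _b64url(_sign(signing_input))
    return {"access_token": access_token, "id_token": id_token, "token_type": "Bearer"}


def verify_id_token(id_token: str, expected_nonce: str, now: int) -> dict:
    """Client side: checks signature, alg, issuer, audience, expiry and nonce."""
    try:
        header_b64, claims_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":                   # never accept 'none' or a surprise alg
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    if not hmac.compare_digest(_sign(signing_input), _unb64url(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def looks_like_jwt(token: str) -> bool:
    """True if the token has a decodable JOSE header; an opaque UUID does not."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        json.loads(_unb64url(parts[0]))
        return True
    except ValueError:
        return False


def userinfo(access_token: str):
    """Issuer's userinfo endpoint: the only place the opaque token maps to attributes."""
    return USER_STORE.get(access_token)


if __name__ == "__main__":
    now = int(time.time())
    tokens = issue_tokens("user-1234", "user@example.test", "nonce-abc", now)
    print("access token decodable as JWT?", looks_like_jwt(tokens["access_token"]))
    print("id_token claims:", verify_id_token(tokens["id_token"], "nonce-abc", now))
    print("userinfo:", userinfo(tokens["access_token"]))
```

The client never needs a gateway key for the access token: it simply presents it as a bearer token to the userinfo endpoint, and the issuer does the lookup. What the client does need is the gateway's verification key for the id_token, and it must reject any token whose signature, issuer, audience, expiry or nonce does not check out.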



  • 9.  Re: Access token exchange with auth code

    Broadcom Employee
    Posted Dec 13, 2018 05:10 PM

    Good afternoon,


    Were you able to resolve the issue? What was the final result?


    Sincerely,


    Stephen Hughes
    Broadcom Support