we are implementing OAuth2.0 with API Gateway. In our scenario API Gateway will act as
- Authorization Server
- Resource Server because it will expose protected API
A 3rd party external application could invoke and consume protected API acting as OAuth2.0 Client.
During authorization consent the Resoruce Owenr (the user) must be authenticated from the Authorization Server. How the authentication process occurs is not in scope of OAuth2.0 specification.
By defautl API Gateway can authenticate Resource Owners with username and password; futhermore API Gateway can delegate the authentication to SiteMinder.
In this case SiteMinder will validate the username and password provided by the Resource Owner against the user directory configured.
Our question is: can the user be authenticated using other mechnisms (i.e. NTML)? If yes can anyone provide any hint (or samples) in order to properly configure API Gateway policies?
Thnaks in advance,