Layer7 API Management

  • 1.  What is the best way to implement OAuth for mobile app using CA API Gateway? Any documents or input needed?

    Posted Mar 12, 2018 11:55 AM

    What is the best way to implement OAuth for a mobile app using CA API Gateway without user interaction? Any documents or input needed?



  • 2.  Re: What is the best way to implement OAuth for mobile app using CA API Gateway? Any documents or input needed?

    Broadcom Employee
    Posted Mar 12, 2018 12:04 PM

    Hello there.


    The best solution would be our CA Mobile API Gateway (MAG), which I assume you do not have as you haven't mentioned it. The MAG would drastically reduce the complexity by providing SDKs with easy-to-use methods.


    Assuming that by "user interaction" you meant things such as authentication, then I'd start looking at the OAuth client_credentials grant type here: OAuth Request Scenarios - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation 


    Of course, you would need a 3rd party library/framework to act as your OAuth client, plus you want to make sure the OAuth client information and tokens are secure on the mobile device.


    Regards,


    --ac 



  • 3.  Re: What is the best way to implement OAuth for mobile app using CA API Gateway? Any documents or input needed?

    Posted Mar 12, 2018 12:49 PM

    Hi Alan,

    Thanks for your answer. The real problem we are facing is that the client is sending the payload as a JWT with the RS256 signing algorithm and a private key shared by us. So the mobile app generates the JWT and sends it to CA Gateway, where the gateway needs to validate it and provide the access token. But when we tried, the gateway is not at all accepting a JWT signed by other apps. It is only recognizing JWTs signed by itself. So what would be the best solution in this scenario? The main issue is we can't change anything from the mobile app side.



  • 4.  Re: What is the best way to implement OAuth for mobile app using CA API Gateway? Any documents or input needed?

    Broadcom Employee
    Posted Mar 13, 2018 09:01 AM

    This can be done by implementing custom grant type logic. The out-of-box OTK logic for urn:ietf:params:oauth:grant-type:jwt-bearer will always fail if the JWT is not an id_token generated by the gateway, as the id_token validation fails to find the token in the token store.


    To allow a third-party JWT to be used to issue new access tokens, you would treat this as a custom grant type and add logic to validate the JWT. Even after the default JWT validation fails, the policy continues verification against other grant types, and if you configure your own custom grant_type it will try the custom grant type, which you can configure to decode the JWT and validate the claims.


    You can follow the process here: Support Custom Grant Types - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation


    The best thing to do is create your own extension grant type for this, but if your custom grant type logic looks for the same urn:ietf:params:oauth:grant-type:jwt-bearer grant type, the custom logic will be executed if the OOB logic does not work.
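    To make concrete what "decode the JWT and validate the claims" has to cover before a custom jwt-bearer grant type hands out an access token, here is an added example in Go. It is not code from the OTK or from anyone in this thread; it models the checks RFC 7523 requires of the token endpoint for an RS256 assertion. The issuer, subject, audience value and the throwaway key pair are all constructed for the demo. Note that the gateway side only ever holds the client's public key; the RS256 private key stays with the mobile app.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a jwt-bearer assertion (RFC 7523 section 3) that the
// token endpoint must check. "aud" is modelled as a single string here; a
// production validator must also accept the JSON-array form.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 plays the role of the mobile app: it builds a compact JWT and signs
// it with the client's RSA private key. The gateway never needs this key.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// UnsignedToken builds an "alg":"none" token carrying the same claims. It exists
// only to show that the validator below refuses it.
func UnsignedToken(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(c)
	return b64(hdr) + "." + b64(body) + "."
}

// VerifyAssertion is the gateway-side logic a custom grant type would run on the
// "assertion" parameter of a jwt-bearer token request. The public key, trusted
// issuer and this endpoint's audience value come from gateway configuration;
// nothing inside the token is trusted for any of them.
func VerifyAssertion(token string, pub *rsa.PublicKey, trustedIss, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWT")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, errors.New("bad header JSON")
	}
	// Pin the algorithm to what is configured for this client. Honouring the
	// token's own "alg" would let "none" or a key-confusion header pass.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only after the signature holds do the claims mean anything.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("bad payload JSON")
	}
	switch {
	case c.Iss != trustedIss:
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	case c.Aud != expectedAud:
		return nil, fmt.Errorf("audience %q is not this token endpoint", c.Aud)
	case c.Sub == "":
		return nil, errors.New("missing sub")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("assertion expired or has no exp")
	}
	return &c, nil
}

func main() {
	// Constructed demo values; the key pair stands in for the mobile app's key.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	claims := Claims{Iss: "mobile-app-client-id", Sub: "user-42",
		Aud: "https://gateway.example/token", Exp: now.Add(5 * time.Minute).Unix(), Iat: now.Unix()}
	tok, _ := SignRS256(priv, claims)
	_, err := VerifyAssertion(tok, &priv.PublicKey, claims.Iss, claims.Aud, now)
	fmt.Println("signed assertion:", err)
	_, err = VerifyAssertion(UnsignedToken(claims), &priv.PublicKey, claims.Iss, claims.Aud, now)
	fmt.Println("alg=none assertion:", err)
}
```

    The order matters: the algorithm is pinned from configuration before any signature work, the signature is checked before the claims are parsed, and the audience check ties the assertion to this token endpoint so an assertion minted for another service cannot be replayed here. On the gateway the same steps map onto the custom grant type branch the post describes, with the public key and issuer stored as policy configuration rather than read from the request.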



  • 5.  Re: What is the best way to implement OAuth for mobile app using CA API Gateway? Any documents or input needed?

    Broadcom Employee
    Posted Dec 19, 2018 03:26 PM

    Good afternoon,


    Were you able to resolve the issue? What was the final result?


    Sincerely,


    Stephen Hughes
    Broadcom Support