Layer7 API Management

  • 1.  User level access Token in CA API Gateway/OAuth Tool Kit

    Posted Nov 30, 2018 08:12 AM

Is there any way to generate an OAuth access token which is associated with a server/application as well as with a particular user, so that the issued token cannot be used to operate on another user?

    The reason I am asking for a user-level token is that, if I issue an access token (following the OAuth 2.0 Client Credentials grant type) to a server, it just verifies that the right server is accessing the API. However, it doesn't limit the usage of the token to one particular user. So if the token is compromised, then all data can be accessed irrespective of the logged-in user.

    Note: We are using CA API GW 9.0 & OTK 3.2



  • 2.  Re: User level access Token in CA API Gateway/OAuth Tool Kit

    Broadcom Employee
    Posted Dec 02, 2018 05:21 PM

Dear suhas.mv,

    That's expected for the Client Credentials flow. If you want to authenticate a user before issuing the access token, you should choose another OAuth flow, such as the authorization code flow, or at least the resource owner flow.

    Regards,

    Mark



  • 3.  Re: User level access Token in CA API Gateway/OAuth Tool Kit

    Posted Dec 04, 2018 05:53 PM

Hi!

    As Mark pointed out, in cases where the client_credentials flow is used, there is no notion of users (as in persons). You can use practically any other grant_type, but not client_credentials, if you need to associate the token with a user.

    With other grant_types, the assertion 'OTK Require OAuth 2.0 Token' always sets a variable that contains the username of the associated user. That should be what you need.

    Regards,

    Sascha
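The enforcement both replies point at, written out as an added example that is not from this thread and not OAuth Toolkit code: once the gateway has validated the token and exposed the associated username (the thread does not name that variable, so a constructed `TokenContext` stands in for the policy context), a user-scoped resource is only served when the token has a user at all (refusing client_credentials tokens, which carry none) and that user is the resource owner. The path layout `/users/<name>/...`, the scope names and the sample tokens are all constructed for the example.

```python
"""Binding a validated OAuth token to the user it was issued for.

Constructed example: TokenContext mirrors what a gateway policy knows
after a token has been validated (grant type, client, associated
username or None for client_credentials, granted scopes).  It is a
stand-in, not the OTK policy variable set described in the thread.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TokenContext:
    client_id: str
    grant_type: str
    username: Optional[str]          # None for client_credentials tokens
    scopes: FrozenSet[str] = field(default_factory=frozenset)


USER_SCOPED_PREFIX = "/users/"       # assumed layout: /users/<owner>/...


def resource_owner(path: str) -> Optional[str]:
    """Return the user a path belongs to, or None for a service resource.

    '/users/alice/orders' -> 'alice';  '/health' -> None
    """
    if not path.startswith(USER_SCOPED_PREFIX):
        return None
    owner = path[len(USER_SCOPED_PREFIX):].split("/", 1)[0]
    return owner or None


def authorize(ctx: TokenContext, path: str, required_scope: str) -> Tuple[bool, str]:
    """Decide whether an already-validated token may access `path`.

    Rules (constructed for this example):
      1. The token must carry the scope the endpoint requires.
      2. A user-scoped resource needs a token with an associated user, so a
         client_credentials token (username None) is refused there even
         though it belongs to a legitimate client.
      3. That associated user must be the resource owner, so a token issued
         to alice cannot operate on bob's data if it leaks.
      4. Service resources (no owner in the path) accept any grant type.
    """
    if required_scope not in ctx.scopes:
        return False, "insufficient_scope"
    owner = resource_owner(path)
    if owner is None:
        return True, "ok"
    if ctx.username is None:
        return False, "user_bound_token_required"
    if ctx.username != owner:
        return False, "token_user_mismatch"
    return True, "ok"


# Constructed sample tokens: one from client_credentials, one from the
# authorization code flow where the gateway recorded the user.
SERVICE_TOKEN = TokenContext("orders-svc", "client_credentials", None,
                             frozenset({"orders.read", "health.read"}))
ALICE_TOKEN = TokenContext("mobile-app", "authorization_code", "alice",
                           frozenset({"orders.read"}))


if __name__ == "__main__":
    for ctx, path in [(SERVICE_TOKEN, "/users/alice/orders"),
                      (ALICE_TOKEN, "/users/alice/orders"),
                      (ALICE_TOKEN, "/users/bob/orders"),
                      (SERVICE_TOKEN, "/health")]:
        scope = "health.read" if path == "/health" else "orders.read"
        print(f"{ctx.grant_type:>20} {path:<22} -> {authorize(ctx, path, scope)}")
```

The decision deliberately separates "is this a valid token from a known client" (already settled by the gateway's token validation) from "is this token bound to the user whose data is being requested"; only the second check closes the gap the original question describes, and it is only answerable when the grant type records a user.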



  • 4.  Re: User level access Token in CA API Gateway/OAuth Tool Kit

    Broadcom Employee
    Posted Dec 17, 2018 02:19 PM

Good afternoon,

    Were you able to resolve the issue? What was the final result?

    Sincerely,


    Stephen Hughes
    Broadcom Support