Resource gateway configuration¶
In the overall architecture it is the responsibility of the resource gateway to grant or block access to specific APIs or resources. To evaluate if a client is allowed to use a resource, the resource gateway must validate an access token. The Token Server provides a APIs to validate access tokens. Access to these APIs is restricted for OAuth clients with a specific role. Hence, the resource gateway acts as an OAuth client and needs to be configured as one.
Configure communication with the Token Server¶
A resource gateway uses the /oauth/api/v2/token/introspect
endpoint of the Token Server for token introspection. It uses the /oauth/token
or
/oauth/v1/token
endpoints for the deprecated token validation.
The network configuration should be adjusted to allow communication to these endpoints. Especially network traffic from the resource gateway to the Token Server
must not be blocked by firewalls. The /oauth/token
endpoint might already be publicly available since this endpoint is also used by mobile applications to
retrieve access tokens.
Configuration: an API client as resource gateway¶
This configuration is needed for token introspection.
An OAuth API client can be configured as a resource gateway via the admin console. In order to create a resource gateway, go to the Configuration
section in
the admin console and open the System
tab and API clients
section. Here you can find all the existing API clients. To add a new one, click on the Add
button. The following form will appear:
A resource gateway requires a few fields to be filled in the form:
- Name - The resource gateway is referenced using the value form this field.
- Client ID, Client secret - This pair of values is used to authenticate the resource gateway when it communicates with the Token Server. Those values can be filled or generated. This information is sensitive and should be treated accordingly.
- Valid for Token Server APIs - The resource gateway uses scope:
Token introspection
, and that one must be selected in this field. - Public base URI - The base uri (public endpoint) of the resource gateway.
Configuration: a web client as resource gateway (deprecated)¶
This configuration is needed for the deprecated token validation.
An OAuth Web client can be configured as resource gateway via the admin console. In order to create a resource gateway, go to the Configuration
section in the
admin console and open the Web Clients
tab. Here you can find all the existing web clients. To add a new one, click on the Add button. The following form will
appear:
A resource gateway differs from a normal web client, it only requires a few fields to be filled in the form:
- Name - The resource gateway is referenced using the value form this field.
- Client ID, Client secret - This pair of values is used to authenticate the resource gateway when it communicates with the Token Server. Those values can be filled or generated. This information is sensitive and should be treated accordingly.
- Grant types - The resource gateway uses only one grant type:
Validate access token
, and that one must be selected in this field. - Public base URI - The base uri (public endpoint) of the resource gateway.
The other fields should stay empty or the default values should be set.