In the project that I am working on there is a need to access Microsoft Graph APIs via the webMethods API Gateway, using the routing feature of the gateway to provide friendly URLs. The Graph APIs are secured through Microsoft Identity Manager (a.k.a. AAD); access to Graph is achieved by registering an App in AAD and then granting suitable permissions to this App (client) - the OAuth client_credential flow is used. The expectation is for the Gateway to use the ClientId/ClientSecret obtained from the OAuth registration to negotiate an access token, and to perform the necessary request routing to Graph whenever a request comes to the Gateway endpoint. However, I couldn't determine how to achieve this in the webMethods API Gateway page. The closest solution appears to be to use 'Outbound Authentication' in the Dynamic Routing - Transport section, but for an OAuth-based flow the only available option is to use 'Custom credentials', where the AccessToken needs to be specified.
I am not sure if specifying the AccessToken is the best solution, as per the security recommendations the AccessToken should have a short lifetime. AAD, for example, limits the AccessToken lifetime to a max of 1 hour. An ideal solution is for the Gateway to register the ClientId/Secret combination and to negotiate with the Auth server to obtain an access token.
Please suggest if I am missing anything obvious in my understanding above, and what the ideal solution is to achieve my requirements.
Note: The API Gateway is on-premise, and Microsoft Graph is a SaaS-based REST API.
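For reference, this is what the "negotiate and renew" behaviour the post asks the gateway for looks like when written out: an added example in Python, not code from the poster or from webMethods API Gateway. It performs the AAD v2.0 client_credentials grant for the Graph `.default` scope and caches the token, renewing it a few minutes before its `expires_in` runs out, so a short-lived (1 hour) token is never forwarded stale. Tenant, client ID and secret are placeholders, and `fetch`/`clock` are injectable so the cache logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholders: substitute your own tenant and app registration values.
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def request_token_from_aad(tenant, client_id, client_secret):
    """OAuth 2.0 client_credentials grant against the AAD v2.0 token endpoint.
    Returns the parsed JSON body (carries access_token and expires_in)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    req = urllib.request.Request(AAD_TOKEN_URL.format(tenant=tenant), data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one client_credentials token and renews it before it expires, so the
    caller never forwards a stale token to Graph. `fetch` is any callable returning
    a dict with access_token and expires_in (seconds); `clock` is injectable for
    testing. A real gateway would wire fetch=lambda: request_token_from_aad(...)."""

    def __init__(self, fetch, clock=time.time, refresh_margin=300):
        self._fetch = fetch
        self._clock = clock
        self._margin = refresh_margin  # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many round trips to AAD were actually made

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            data = self._fetch()
            self.fetch_count += 1
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"])
        return self._token

    def bearer_header(self):
        """The header the gateway would attach to the outbound Graph request."""
        return {"Authorization": f"Bearer {self.get_token()}"}
```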