Accessing secure native REST endpoints from the Gateway

In the project that I am working on there is a need to access Microsoft Graph APIs via the webMethods API Gateway - using the routing feature of the gateway to provide friendly URLs. The Graph APIs are secured through Microsoft Identity Manager (a.k.a. AAD); access to Graph is achieved by registering an App in AAD and then granting suitable permissions to this App (client) - the OAuth client_credential flow is used. The expectation is for the Gateway to use the ClientId/ClientSecret obtained from OAuth registration, negotiate an Access token, and perform the necessary request routing to Graph whenever a request comes to the Gateway endpoint. However, I couldn’t determine how to achieve this in the webMethods API Gateway page. The closest solution appears to be to use ‘Outbound Authentication’ in the Dynamic Routing - Transport section, but for the OAuth based flow the only available option is to use ‘Custom credentials’ where the AccessToken needs to be specified.

I am not sure if specifying the AccessToken is the best solution, as per the security recommendations the AccessToken should have a short lifetime. AAD, for example, limits the AccessToken lifetime to a max of 1 hour. An ideal solution is for the Gateway to register the ClientId/Secret combination and to negotiate with the Auth server to obtain the access token.

Please suggest if I am missing anything obvious in my above understanding, and what the ideal solution is to achieve my requirements.
Note: The API Gateway is on-premise, and Microsoft Graph is a SaaS based REST API.

Hi Manjunath,

Only the OAuth2 token option is supported in OAuth2 outbound authentication. Another supported option is “incoming oauth token”, for which the client is expected to send the OAuth token.

However, if your requirement is to get the OAuth2 token at the API Gateway level and send this OAuth2 token to the native service, you can try to do this using a “webMethods IS Service” step in the Request Processing stage. You can write the webMethods IS Service to get the OAuth2 token with the values of your client-id and client-secret, and you can set this OAuth2 token in the authorization header using this IS Service.

Note: The authorization header set at “Request Processing” stage will be passed to native service, if it is not edited through some other configuration in your outbound-authentication policy.

Regards,
Vallab.
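As an added illustration of the logic such an IS Service step would carry (this is example Python, not code from the thread or from webMethods), the following obtains a client_credentials token for Graph, caches it, and renews it shortly before the short AAD lifetime runs out, so the gateway never stores a long-lived token and the client secret never leaves the gateway. The Azure AD v2.0 token endpoint layout and the Graph `.default` scope are assumptions from public Microsoft documentation; the `post` and `clock` parameters are hypothetical injection points so the renewal logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed AAD v2.0 token endpoint layout and Graph default scope (not from the thread)
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def _http_post_form(url, form):
    # Real transport: POST application/x-www-form-urlencoded, return the parsed JSON body.
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class ClientCredentialsTokenCache:
    """Holds one client_credentials access token and renews it before it expires."""

    def __init__(self, tenant, client_id, client_secret,
                 post=_http_post_form, clock=time.time, skew=60):
        self.url = TOKEN_URL.format(tenant=tenant)
        self.client_id = client_id
        self.client_secret = client_secret   # keep this out of logs and responses
        self.post = post                     # hypothetical hook: swap in a fake for tests
        self.clock = clock
        self.skew = skew                     # renew this many seconds before expiry

        self._token = None
        self._expires_at = 0.0

    def _fetch(self):
        body = self.post(self.url, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": GRAPH_SCOPE,
        })
        if "access_token" not in body:
            # Surface the AAD error code only; never echo the secret or the request.
            raise RuntimeError("token endpoint error: %s" % body.get("error", "unknown"))
        self._token = body["access_token"]
        self._expires_at = self.clock() + int(body.get("expires_in", 0))

    def authorization_header(self):
        # Reuse the cached token until it is within `skew` seconds of expiry.
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            self._fetch()
        return {"Authorization": "Bearer " + self._token}
```

The returned header is what the Request Processing step would set on the outbound call; the cache instance should live across requests rather than being rebuilt per invocation.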