Question on Authentication pattern

Hi All,

I am new to the SAG API management platform. We have a requirement where a back-end acts as the identity provider and does the credential verification. Hence, in the API hosted on APIGW, is it possible to have a flow such as:
Client → APIGW → Backend
Client sends an access token request to APIGW along with its credentials. APIGW sends the user credentials to the backend and the backend verifies the credentials. If verification is successful, APIGW generates an access token.
In subsequent requests, the client sends only the access token to access other API resources.

Could you please let me know whether this flow is possible with the SAG API management platform?

Best regards,

What you describe is possible as long as your back-end respects a valid Token Provider standard such as OpenID, OAuth 2.0, SAML or Kerberos. If you can tell me what you are using, I might be able to point you to a document better explaining how to set this up.

Hi John,

Thank you for the response. We are actually migrating existing SOAP APIs to REST APIs and on to APIGW. The SOAP APIs have basic authentication with WS-Security. The backend does the basic authentication. Hence, we want APIGW to generate the access token. Before generating the token, the credentials are to be verified by the backend (basic authentication). Would this be feasible?


Hi Kalpana,

From what I understand, below is the step-by-step flow:

  1. Client will send access token credentials as well as basic auth credentials in the request to API Gateway.
  2. API Gateway will simply forward the request to the backend, which somehow will validate the basic auth credentials.
  3. If the backend service returns a successful response, you would like API Gateway to use the access token credentials from Step 1 and generate an access token and send it as a response back to the client.
  4. Client will then use the token from Step 3 and call other API endpoints via API Gateway, which will forward the request to the SOAP APIs.

If the above understanding is correct, you can use the mashup feature for your first part of generating an access token.
The first step of the mashup will make a request to the backend service which validates your incoming basic auth credentials sent by the client. If the first step is successful, the second step of the mashup will call the API Gateway's getAccessToken service using the incoming access token parameters sent by the client to generate a token and send it as a response back to the client.
You will need to configure API Gateway as the authorization server to generate the token.
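
The two-step flow discussed in this thread, sketched as an added example (not part of the original posts and not API Gateway code or its getAccessToken service): step 1 asks the backend to verify the Basic credentials, step 2 issues a short-lived opaque token only if step 1 succeeded, and later requests carry the token alone. The `Gateway` class, `backend_verify_basic`, `basic_header`, the user table and the TTL are hypothetical names and constructed values; client-id/secret handling is left out.

```python
import base64, hashlib, hmac, secrets, time

# Constructed stand-in for the backend identity provider (username -> password hash).
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000)}

def basic_header(user, password):
    """Build the Authorization header value a client would send in step 1."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def backend_verify_basic(authorization):
    """Step 1 (backend side): return the username if the Basic credentials are valid."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    expected = _USERS.get(user)
    # Compare in constant time, and still do a comparison for unknown users.
    ok = hmac.compare_digest(expected or bytes(32), supplied)
    return user if (sep and expected is not None and ok) else None

class Gateway:
    """Hypothetical gateway: issues tokens itself, delegates credential checks."""
    def __init__(self, verify_credentials, ttl_seconds=300):
        self._verify, self._ttl = verify_credentials, ttl_seconds
        self._tokens = {}  # sha256(token) -> (user, expiry); raw tokens are never stored

    def token_request(self, authorization, now=None):
        now = time.time() if now is None else now
        user = self._verify(authorization)       # step 1: backend decides
        if user is None:
            return 401, None                     # no token without backend approval
        token = secrets.token_urlsafe(32)        # step 2: gateway issues the token
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user, now + self._ttl)
        return 200, token

    def api_request(self, authorization, now=None):
        """Subsequent calls: only the bearer token is presented."""
        now = time.time() if now is None else now
        scheme, _, token = authorization.partition(" ")
        entry = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if scheme.lower() != "bearer" or entry is None or now >= entry[1]:
            return 401, None
        return 200, entry[0]
```

After the token is issued the gateway no longer holds the user's password; the backend sees it only during the token request.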



Many thanks Vaibhav. It helps 🙂

Best regards,