
API ML validates distributed access tokens

Open pinpan opened this issue 3 years ago • 0 comments

The SCG component of API ML doesn't implement security features. It is not very hard to implement basic OAuth2 functionality using Spring Security.

To validate a token with the distributed IdP it is necessary to maintain a mapping between the Client Application (client_id) and the target IdP. This is also needed to satisfy the requirement for exposing the /.well-known set of endpoints.

Then the SCG must authenticate as resource server against the IdP and configure Spring Security to validate the JWT passed with the requests.

Acceptance criteria:

  • [ ] SCG configuration for multiple clients exists
  • [ ] SCG can authenticate with the IdP configured for each client app.
  • [ ] SCG can validate the JWT at the IdP validation end-point

pinpan, Nov 11 '22 05:11
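The mapping and validation flow the issue asks for, as an added example that is not part of the issue or of the api-layer project's code: a Spring Cloud Gateway (WebFlux) resource-server configuration keeps a per-client table of client_id, IdP issuer and JWKS URI, picks the IdP by the token's `iss` claim, and then verifies the signature, issuer, expiry and audience against that IdP. The package name, the `ClientRegistration` record, the two sample clients and their `example.test` URLs are constructed for the example; it assumes Java 17+, Spring Security 5.4+ on WebFlux, and an IdP that places the client_id in `aud` (where it does not, replace the audience predicate with the value the IdP actually issues). Tokens from an issuer that is not in the table resolve to no authentication manager and are rejected.

```java
// Added example (not Zowe api-layer code): per-client IdP mapping and JWT validation
// for a Spring Cloud Gateway acting as an OAuth2 resource server.
package org.example.gateway;  // hypothetical package

import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class MultiIdpResourceServerConfig {

    /** One registered client application and the IdP that issues its tokens (hypothetical type). */
    record ClientRegistration(String clientId, String issuer, String jwkSetUri) {}

    // Constructed sample mapping client_id -> IdP; in practice this comes from gateway configuration.
    static final List<ClientRegistration> CLIENTS = List.of(
        new ClientRegistration("app-alpha", "https://idp-a.example.test/realms/alpha",
                               "https://idp-a.example.test/realms/alpha/protocol/openid-connect/certs"),
        new ClientRegistration("app-beta", "https://idp-b.example.test/oauth2",
                               "https://idp-b.example.test/oauth2/keys"));

    /** Decoder for one client: signature via the IdP's JWKS, plus iss, exp/nbf and aud checks. */
    static ReactiveJwtDecoder decoderFor(ClientRegistration client) {
        NimbusReactiveJwtDecoder decoder =
            NimbusReactiveJwtDecoder.withJwkSetUri(client.jwkSetUri()).build();
        // Assumption: the IdP puts the client_id into aud; bind the token to the app it was minted for.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(client.clientId()));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(client.issuer()), audience));
        return decoder;
    }

    /** Issuer -> authentication manager, built once; an unknown issuer yields an empty Mono (rejected). */
    static ReactiveAuthenticationManagerResolver<String> issuerResolver(List<ClientRegistration> clients) {
        Map<String, ReactiveAuthenticationManager> byIssuer = clients.stream()
            .collect(Collectors.toMap(ClientRegistration::issuer,
                                      c -> new JwtReactiveAuthenticationManager(decoderFor(c))));
        return issuer -> Mono.justOrEmpty(byIssuer.get(issuer));
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // The resolver reads the (still unverified) iss claim only to select a manager; that manager's
        // decoder then verifies the signature and claims against the selected IdP.
        var resolver = new JwtIssuerReactiveAuthenticationManagerResolver(issuerResolver(CLIENTS));
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers("/.well-known/**").permitAll()   // discovery documents stay public
                .anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver))
            .build();
    }
}
```

The issuer table is the single place that decides which IdPs the gateway trusts, so adding a client means adding a row rather than widening the decoder; the audience check is what stops a valid token minted for one registered app from being replayed against another app behind the same gateway.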