How-to integrate an API Gateway with an OAuth Server
An API Gateway, or an advanced reverse proxy, is a key function in an API management system. When used in a token-based architecture, for instance with OAuth 2.0, the gateway often includes functionality not only to verify tokens but also to issue them. From a high-level perspective it might seem natural to issue and verify tokens in the same system, but there are several good reasons to separate these two inherently different services. Issuing tokens (done by the OAuth server) involves gathering information from many sources, directories and databases and packaging it in a well-defined format that allows back-end services and APIs to make authorization decisions. Verifying tokens (done by the API Gateway) is a very different task: it sits on the request path, so it is performance-critical, and it is what protects all the APIs from misuse.
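To make the split concrete, here is an added example (not code from this article, from Apigee or from Curity) that models the two halves in Go: IssueToken stands in for the OAuth server and is the only party holding the private key, while Gateway stands in for the API gateway and holds nothing but the issuer's public key and the expectations it enforces. The issuer URL, the audience name "orders-api", the subject and scope values are constructed placeholders, and the token is a minimal hand-rolled RS256 JWT rather than any product's token format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal claim set the OAuth server writes into an access token (standard JWT names).
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Scope    string `json:"scope"`
	Expires  int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwtHeader is the one header this deployment issues and the only one the gateway accepts.
var jwtHeader = b64([]byte(`{"alg":"RS256","typ":"JWT"}`))

// NewSigningKey creates the issuer's private key; only the OAuth server ever holds it.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueToken is the OAuth server's half: given the private key and the claims it has
// assembled, it returns an RS256 JWT of the form header.payload.signature.
func IssueToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := jwtHeader + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Gateway is the API gateway's half: the issuer's public key (in practice fetched from its
// JWKS endpoint) and the expectations it enforces. Verify is local CPU work only.
type Gateway struct {
	Pub      *rsa.PublicKey
	Issuer   string
	Audience string
}

// Verify returns the claims of an acceptable token, or the reason the request is rejected.
func (g *Gateway) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the header: a token must never choose the algorithm it is verified with.
	if parts[0] != jwtHeader {
		return nil, errors.New("unexpected header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(g.Pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	// The payload is parsed only after the signature holds.
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Issuer != g.Issuer:
		return nil, errors.New("wrong issuer")
	case c.Audience != g.Audience:
		return nil, errors.New("token not meant for this API")
	case time.Now().Unix() >= c.Expires:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	gw := &Gateway{Pub: &key.PublicKey, Issuer: "https://idsvr.example", Audience: "orders-api"}
	tok, err := IssueToken(key, Claims{Issuer: "https://idsvr.example", Subject: "alice",
		Audience: "orders-api", Scope: "orders:read", Expires: time.Now().Add(time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	fmt.Println(gw.Verify(tok))
}
```

The point of the structure is what each side needs: the issuer needs the private key and the assembled claims, the gateway needs only a public key, an issuer name and an audience, and Verify never contacts the OAuth server on the request path. Pinning the header to the exact value the deployment issues and checking the signature before parsing the payload keep the gateway's fast path from trusting anything the token says about itself.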
One example of how to integrate an API Gateway with an OAuth server is the integration between Apigee Edge and the Curity Identity Server. When using Apigee to protect and proxy APIs, it is beneficial to complement it with a purpose-built OAuth server like the Curity Identity Server. Doing so provides a number of advantages:
· Architectural separation of concerns, allowing the gateway to do what it does really well and the OAuth server to do what it does best.
· Extensive support for not only “vanilla” OAuth but also the related standards, like OpenID Connect with its hybrid flows, the device flow, introspection, revocation, token exchange, assisted token flow, etc.
When using Curity, in particular, there are also a number of additional benefits, like:
· User management using SCIM
· Simplified management and setup
· Advanced authentication possibilities, including MFA, support for various login methods, user account linking, self-service signup, password resets, SSO, etc.
With the help of the Apigee Community we have created a first-class integration of Curity and Apigee that delivers these benefits and others.
For more details, you can find the entire article on the curity.io web site, complete with policies, shared flows, configuration, and testing instructions.