edgemicro bearer token uses non-standard OAuth token. Is there a future with standard OAuth bearer token authentication built in?


Hopefully the question is clear:

edgemicro bearer token uses non-standard OAuth token. Is there a future with standard OAuth bearer token authentication built in?

Specifically, the OAuth flow outlined here:

https://tools.ietf.org/html/rfc6749#section-4.3

in sections 4.3 and 4.4.


I believe this statement:

edgemicro bearer token uses non-standard OAuth token.

...is not correct. Edge Micro uses a Bearer token. RFC 6750 defines the term "bearer token" and describes its use. RFC 6750 does not describe the structure of a bearer token. There is nothing about any token that can be described as "non standard". Edge Micro uses a bearer token in a valid way.

You may be referring not to the token, but to the way in which the token has been acquired. In fact, there is a client_credentials flow that happens, to get the token. But this is wrapped in the CLI. The description of how to get the token is here:

http://docs.apigee.com/api-services/content/edge-microgateway-tutorial

Does this answer your question?

@prabhat may wish to comment further.

@Dino Thanks for the reply:

The link to the doc doesn't help me at all. I know how to make the edgemicro implementation of the bearer token work.

I think I need to spend some time thinking about how to ask the question I'm trying to ask more precisely.

What's really going on is that I am trying to figure out if there is a way to have Edge-minted OAuthV2 access tokens - which can contain useful attributes - be authenticated in edgemicro. I suspect that this is not something that can be done right now for a number of reasons - but I need to poke around a bit before doing anything.

That's an interesting scenario. I think what you want is attributes. The key thing is attributes, not "minted OAuthV2 access tokens". Right?

BTW, today when Edge creates OAuthV2 access tokens, they are always "opaque". They're just strings that are used to look up information at Edge. A JWT is also an access token, just an access token of a different type. Just as custom attributes can be associated with an opaque access token, custom claims (or if you like, call them custom attributes) can be inserted into a JWT.

In the future you should expect Edge to be able to natively Create and Verify JWT, which means you will have your choice of two types of "Edge-minted OAuth2 tokens": opaque and JWT.

@prabhat may wish to comment on this.

And I THINK the correct way of expressing the problem that I'm trying to solve is to figure out if there is now, or will be a way in the future to perform some function similar to the Verify Access Token feature on EdgeMicro. This would open up a world of goodness.
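
The opaque-versus-JWT distinction drawn in the reply above, as an added example that is not part of the thread and is not Apigee or Edge Micro code: an opaque token can only be checked by looking it up at the issuer, while a JWT carries its attributes and can be verified locally by a gateway. The token store, secret, token values and function names are all constructed for illustration, and HS256 with a shared key is an assumption.

```javascript
// Added illustration: opaque vs. JWT bearer tokens. All names, keys and
// token values are constructed; this is not Apigee or Edge Micro code.
const crypto = require("crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const SECRET = "constructed-demo-secret"; // assumption: HS256 shared key

// Opaque token: a random string; its attributes live only in the issuer's store.
const tokenStore = new Map([
  ["Zx81kQp0constructed", { client_id: "app-1", tier: "gold", exp: 4102444800 }],
]);
function verifyOpaque(token, nowSec) {
  const rec = tokenStore.get(token); // requires a lookup at the issuer
  return rec && rec.exp > nowSec ? rec : null;
}

// JWT: the attributes (claims) travel inside the token, protected by a MAC.
function mintJwt(claims) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac("sha256", SECRET).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

function verifyJwt(token, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return null; // not a JWT, e.g. an opaque token
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  // Pin the algorithm on the verifier side; never let the token choose it.
  if (!header || header.alg !== "HS256" || !claims) return null;
  const expected = crypto.createHmac("sha256", SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null; // expired or no exp
  return claims; // custom attributes are only trusted after the checks above
}
```
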