Identity Provider And Oauth2


Morning;

I have a question about OAuth2 and Identity Providers. I will take Google as an example.

I have a scenario where a user tries to get a token that guarantees access to my API.

First, an app tries to connect to the Authorization Server. The AS redirects the user to the Google authentication page, and the user enters their credentials and logs in. Google redirects the app back to the AS with an authorization code, and the AS makes another call to Google in order to get a token (a signed JWT).

My question: Is it a good idea to add an OAuth2 policy rule after that to exchange the JWT for an opaque token, which I then send back to the user?

Note:

Google is an example, but I will set up an identity provider after that (probably Azure Active Directory).

My goal is to delegate the authentication to the IdP and the authorization to my OAuth AS.

1 ACCEPTED SOLUTION

Not applicable

In the above-mentioned case, I would suggest you prepare an opaque token at your end as well, because you will not be able to verify or validate the user at the Apigee layer with the token provided by Google,

so in order to add the extra layer of security and stop invalid or unauthorised calls at the Apigee layer, it is always a good idea to issue an opaque token in your Apigee layer.
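The exchange the question and the answer describe, as an added example that is not part of the original thread and not Apigee's own policy code: the AS verifies the IdP's signed JWT (signature, issuer, audience, expiry), mints an opaque token whose hash alone is stored server-side, and the API layer introspects that token on every call so it can also be revoked. The IdP secret, issuer and client id are constructed placeholders, and HS256 stands in for the RS256-over-JWKS verification a real IdP such as Google needs.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values so the example runs offline; a real IdP signs with RS256 and
# you verify against its published JWKS instead of a shared secret.
IDP_SECRET = b"constructed-idp-secret"   # placeholder
IDP_ISSUER = "https://idp.example"       # placeholder issuer
OUR_CLIENT_ID = "my-as-client"           # placeholder: our AS's client id at the IdP
_TOKEN_STORE = {}  # sha256(opaque token) -> record; a DB or the gateway's token store in practice

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_idp_jwt(token, now):
    """Verify the IdP JWT's signature, issuer, audience and expiry; return its claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust 'alg' from the token
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != OUR_CLIENT_ID or claims.get("exp", 0) <= now:
        raise ValueError("issuer, audience or expiry check failed")
    return claims

def issue_opaque_token(idp_jwt, scope, now, ttl=3600):
    """Exchange a verified IdP JWT for an opaque token; only the token's hash is stored."""
    claims = verify_idp_jwt(idp_jwt, now)
    token = secrets.token_urlsafe(32)  # random, carries no claims, useless without the store
    _TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = {
        "sub": claims["sub"], "scope": scope, "exp": now + ttl}
    return token

def introspect(token, now):
    """Called by the API layer per request: the session record, or None if unknown/expired."""
    rec = _TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    return None if rec is None or rec["exp"] <= now else rec

def revoke(token):
    _TOKEN_STORE.pop(hashlib.sha256(token.encode()).hexdigest(), None)

def make_idp_jwt(claims):
    """Constructed stand-in for the IdP: mints an HS256 JWT so the flow can be exercised."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + _b64url_encode(hmac.new(IDP_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest())
```

Because the client only ever holds the opaque token, the IdP's JWT and its claims never leave the AS, and a leaked opaque token can be cut off by deleting its record.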
