API Key and JWT general flow for authentication

Hi all,

I have a requirement to secure apigee/api. The client wants to do this.

The API consumer first authenticates using an API key/secret and mTLS, and Apigee is supposed to return a JWT. Then the API consumer uses the JWT to retrieve an OAuth access token, and then uses the access token to call the API.

I am not familiar with this approach. I normally implement this using OAuth to verify the API key/secret and return an access token. Then the API consumer uses the access token to call the API that it is authorized to call.

How can I implement a generic flow to return a JWT based on an API key/secret? Is that even a valid/common use case?

Thanks


The flow you describe sounds needlessly complex.

What would be the point of exchanging a key for a JWT, then exchanging a JWT for a token?

Perhaps your client is thinking of RFC 7523, in which the client self-signs a JWT, and exchanges THAT for a token. That makes sense to me. I wrote an article about this approach.

If not that, then... what problem are we solving? (Try to describe the problem without referencing the specific technical solution you offered in your post).
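The RFC 7523 exchange the reply points to, shown end to end as an added example that is not part of the original thread and is neither the poster's nor Apigee's code: the client signs a JWT assertion with its own private key, and the token endpoint validates issuer, signature, audience, expiry and one-time use before issuing an opaque access token. Everything here is assumed for illustration: the client_id `partner-app`, the token endpoint URL, ES256 as the fixed algorithm, and an in-memory stand-in for the authorization server (the names `signAssertion`, `newServer` and `exchange` are hypothetical).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed token endpoint URL; RFC 7523 requires the assertion's "aud" to identify the AS.
const tokenEndpoint = "https://as.example.invalid/token"

// claims covers the RFC 7523 section 3 claims this example checks.
type claims struct {
	Iss string `json:"iss"` // client_id of the issuing client
	Sub string `json:"sub"` // equal to iss when the JWT authenticates the client itself
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"` // unique id, so each assertion can be redeemed only once
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signAssertion is the client side: it self-signs the JWT with its own private key (ES256).
func signAssertion(priv *ecdsa.PrivateKey, c claims) (string, error) {
	body, _ := json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	input := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// authorizationServer is a hypothetical in-memory token endpoint, not Apigee's implementation.
type authorizationServer struct {
	clients map[string]*ecdsa.PublicKey // client_id -> public key registered out of band
	seenJTI map[string]bool             // jti values already redeemed (replay protection)
}

func newServer(clients map[string]*ecdsa.PublicKey) *authorizationServer {
	return &authorizationServer{clients: clients, seenJTI: map[string]bool{}}
}

// exchange validates the assertion per RFC 7523 section 3 and returns an opaque access token.
func (as *authorizationServer) exchange(assertion string) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("unsupported alg") // fixed algorithm: no "none", no key-type confusion
	}
	var c claims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad payload")
	}
	pub, ok := as.clients[c.Iss] // key comes from the client registry, never from the JWT itself
	if !ok || c.Sub != c.Iss {
		return "", errors.New("unknown issuer or iss/sub mismatch")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	switch {
	case c.Aud != tokenEndpoint:
		return "", errors.New("aud is not this token endpoint")
	case c.Exp == 0 || time.Now().Unix() >= c.Exp:
		return "", errors.New("assertion expired or missing exp")
	case c.Jti == "" || as.seenJTI[c.Jti]:
		return "", errors.New("missing or replayed jti")
	}
	as.seenJTI[c.Jti] = true
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return b64(tok), nil // opaque bearer token the API consumer then presents to the API
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	as := newServer(map[string]*ecdsa.PublicKey{"partner-app": &priv.PublicKey}) // constructed client_id
	a, _ := signAssertion(priv, claims{Iss: "partner-app", Sub: "partner-app", Aud: tokenEndpoint, Exp: time.Now().Add(time.Minute).Unix(), Jti: "constructed-jti-1"})
	tok, err := as.exchange(a)
	fmt.Println("first exchange:", tok, err)
	_, err = as.exchange(a)
	fmt.Println("replay of the same assertion:", err)
}
```

The point of the design is that the authorization server never holds a secret for the client: it stores only the client's public key, so there is no API secret to leak on the server side, and the assertion is bound to one token endpoint (aud), one short window (exp) and one use (jti). On Apigee the server half of this is what a VerifyJWT policy does, with an OAuthV2 GenerateAccessToken step behind it; the client half is a few lines in whatever language the API consumer is written in.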