RFC 7521 - Oauth with JWT for password grant type?

Hi,

Does APIGEE support JWT tokens (OAuth) only for the Client Authentication and Authorization Grants OAuth grant types?

Can we use the JWT token for the OAuth Password grant type? Instead of an OAuth token, can we use the JWT token for the password grant type? If yes, then what will be the grant_type value (Password, or urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=XXXXXX)?

Please advise.

(As per RFC 7521)


You asked a couple questions.

I think you asked if Apigee Edge implements RFC 7521 for granting tokens.

Apigee Edge does not implement RFC 7521 fully out of the box.

But, depending on what you would like to accomplish, you may be able to achieve it with the existing policies.

For example, if you want to allow SAML bearer tokens inbound, you can validate the assertion with the ValidateSAMLAssertion policy, then use OAuthV2 policy to issue a token.

You also asked,

is it possible to use a JWT Token for an OAuth Password grant type

I don't know what this would look like. A Password grant typically asks the token issuer (Apigee Edge) to validate user credentials - the password. How exactly would you transmit the username and password in a JWT? What is your thinking there?

If you explained more about SPECIFICALLY what you hope to accomplish we might be able to have a more illuminating conversation.
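The jwt-bearer grant named in the question (grant_type and assertion parameters, RFC 7521/7523) and the "validate the assertion first, then issue a token" pattern the reply describes, as an added Python example that is not code from this thread or from Apigee. It assumes an HS256 assertion over a constructed shared key, with a constructed token-endpoint URL as the expected audience; a real issuer would typically verify an asymmetric signature against the client's registered key.

```python
import base64, hmac, hashlib, json, time
from urllib.parse import urlencode, parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
DEMO_KEY = b"demo-shared-secret"                  # constructed demo key
TOKEN_ENDPOINT = "https://example.invalid/oauth/token"  # constructed audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(issuer: str, subject: str, ttl: int = 300, now: int = None) -> str:
    """Client side: HS256 JWT carrying the claims RFC 7523 requires (iss, sub, aud, exp)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT, "exp": now + ttl}
    claims = _b64url(json.dumps(body).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def grant_request_body(assertion: str) -> str:
    """Form body the client posts; urlencode yields the percent-encoded grant_type from the question."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def token_endpoint(body: str, now: int = None) -> dict:
    """Token endpoint side: every check on the assertion runs before any token is issued."""
    now = int(time.time()) if now is None else now
    form = parse_qs(body)
    if form.get("grant_type") != [JWT_BEARER] or "assertion" not in form:
        return {"error": "unsupported_grant_type"}
    try:
        header, claims, sig = form["assertion"][0].split(".")
        expected = hmac.new(DEMO_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if json.loads(_b64url_decode(header)).get("alg") != "HS256" \
                or not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"error": "invalid_grant", "error_description": "bad signature"}
        c = json.loads(_b64url_decode(claims))
    except (ValueError, KeyError):
        return {"error": "invalid_grant", "error_description": "malformed assertion"}
    if c.get("aud") != TOKEN_ENDPOINT:
        return {"error": "invalid_grant", "error_description": "audience mismatch"}
    if not isinstance(c.get("exp"), int) or c["exp"] <= now:
        return {"error": "invalid_grant", "error_description": "assertion expired"}
    if not c.get("iss") or not c.get("sub"):
        return {"error": "invalid_grant", "error_description": "missing iss/sub"}
    # Opaque access token for the validated subject (demo derivation, not a real token format).
    token = hashlib.sha256(f"{c['iss']}:{c['sub']}:{now}".encode()).hexdigest()[:32]
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

Note that nothing here carries a username and password: the assertion proves who the client and subject are, which is why the reply asks what a "JWT for the password grant" would even contain.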