JWT Bearer Profile Support

sonalishyam

Hi,

Does Apigee currently support the use of JWT for client authentication to get an access token, i.e. passing client_assertion = jwt_bearer instead of passing client_secret?

Regards,

Sonalee


sonalishyam

@Dino-at-Google Could you please help here?

Yes, you can do that with the VerifyJWT policy coupled with the OAuthV2/GenerateAccessToken policy.

This article explains it in detail.

@Dino-at-Google

Dino, what is the best approach to this implementation in case of dynamic client registration in open banking, in which case the app will not be available earlier?

Since for dynamic client registration there won't be any App created already, the only approach I can think of is to make a call to the management API to create an app from within the API Proxy after JWT verification, so as to have a client ID/secret pair (to be used for OAuth token generation).

Since there are limitations in using the management API, is there any approach possible?

Calling the Management API from within an API Proxy is an anti-pattern.

In general, you don't want to do that.

I haven't examined the dynamic client registration scenario, though.

Maybe @davissean or @Omid Tahouri has a suggestion?

As Dino mentioned, adding a dependency on the Management API in an API proxy is an anti-pattern. Having said that, though, it's currently the only way you can create developers/apps in the proxy runtime (per the Open Banking dynamic client registration specification). This registration API should not have high throughput/TPS.