OAuth client authentication and certificate-bound access and refresh tokens

Hi,

I am trying to find out if Apigee supports the client-credentials flow with a client id and PKI certificate instead of a client id and client secret for client authn. This is as per draft-ietf-oauth-mtls-17 (OAuth Mutual TLS).

Could you please point me to the documentation, if it's supported.

If it's presently not supported, could you let us know if support for OAuth 2.0 Mutual TLS is planned in the near future?

Thank you!


Yes, Apigee can do that. But it's not a matter of setting a tickbox. You need to configure things manually.

You need to configure the vhost for 2-way TLS, and to propagate the client TLS information to the proxy.

You also need to configure a custom attribute on the developerapp to stipulate the fingerprint of the client-side cert that is valid for the given client id.

Then the client passes in the clientid for a normal OAuth POST /token call (no client secret required).

In Apigee Edge, configure that /token request to look up the client:

  • check that the provided TLS fingerprint matches the required one, with GetOAuthV2Info or VerifyApiKey.
  • if the fingerprint matches, use OAuthV2/GenerateAccessToken with the client_credentials grant

-finis-
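The /token decision described in the reply, plus the certificate-bound token (cnf / x5t#S256 thumbprint) from the draft the question cites, as an added Python sketch that is not Apigee's own code or policy configuration; the client id, the developer-app attribute name and the DER bytes are constructed stand-ins, and in Apigee the same comparison would sit in the proxy flow between the lookup and GenerateAccessToken.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a client certificate's DER encoding (not a real
# certificate); the fingerprint logic only needs the raw DER bytes.
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def hex_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated hex form operators usually paste."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed developer-app registry: the custom attribute (assumed name) holds
# the fingerprint of the client cert that is valid for this client id.
DEVELOPER_APPS = {
    "demo-client-id": {"cert_fingerprint_sha256": hex_fingerprint(CLIENT_CERT_DER)},
}

def x5t_s256(der: bytes) -> str:
    """Thumbprint as the draft's cnf claim carries it: base64url(SHA-256(DER)), unpadded."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()

def normalize(fp: str) -> str:
    """Tolerate colons, whitespace and case differences in a stored fingerprint."""
    return fp.replace(":", "").strip().lower()

def issue_token(client_id: str, presented_der: Optional[bytes]) -> dict:
    """Token endpoint: client_credentials with the client authenticated by its TLS cert."""
    app = DEVELOPER_APPS.get(client_id)
    if app is None or presented_der is None:
        return {"error": "invalid_client"}          # unknown client or no client cert on the connection
    expected = normalize(app["cert_fingerprint_sha256"])
    actual = normalize(hex_fingerprint(presented_der))
    if not hmac.compare_digest(expected, actual):  # constant-time compare of the fingerprints
        return {"error": "invalid_client"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "cnf": {"x5t#S256": x5t_s256(presented_der)}}  # bind the token to this cert

def resource_accepts(token: dict, presented_der: Optional[bytes]) -> bool:
    """Resource side: the cert on the calling connection must match the token's cnf."""
    bound = token.get("cnf", {}).get("x5t#S256")
    if not bound or presented_der is None:
        return False
    return hmac.compare_digest(bound, x5t_s256(presented_der))
```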