API Gateway 10.15 | Administering API Gateway | Security Configuration | OAuth, JWT, and OpenID Configuration | Configuring Communication Details for Microgateway
 
Configuring Communication Details for Microgateway
When you want Microgateway to use API Gateway as an OAuth2 authorization server, the communication channel between Microgateway and API Gateway has to be set up. The access token is then introspected in the Microgateway using remote introspection. To enable this you have to configure communication details, such as the introspection endpoint, client ID and client secret, in API Gateway, which are then used by Microgateway to introspect the tokens in API Gateway.
To configure the communication details for Microgateway
1. Expand the menu options icon in the title bar, and select Administration.
2. Select Security > Microgateway.
3. In the Introspection endpoint field, provide the URL of the introspection endpoint.
Microgateway uses the introspection endpoint to check that access tokens used in client requests are currently active and are valid to invoke the protected resources.
The endpoint must use the https protocol. If the default https port is in use, the Integration Server introspection endpoint is https://localhost:5543/invoke/pub.oauth/introspectToken.
4. In the Client ID field, provide the ID of the introspection client on the authorization server. Microgateway authenticates with this client when it introspects access tokens.
Note:
The introspection client can be any OAuth2 confidential client in API Gateway.
5. In the Client secret field, provide the client secret, that is, the password of the introspection client that Microgateway uses to introspect the access tokens.
6. In the JWKS URI field, provide the JSON Web Key Set (JWKS) endpoint from which the public certificates used for local introspection are retrieved.
API Gateway exposes its JWKS at the following endpoint:
GET /rest/pub/apigateway/jwt/certs
For more information about the REST API, see https://github.com/SoftwareAG/webmethods-api-gateway/blob/10.15/apigatewayservices/APIGatewayPublicServices.json.
API Gateway keeps a cache in which each key is a kid value and the corresponding value is the certificate for that kid. The cache is populated on every restart of API Gateway by invoking the JWKS URI.
At runtime, when a token is validated using local introspection, the kid value is read from the incoming JWT, the matching certificate is retrieved from the cache, and the signature is validated against it.
7. Click Save.
The information provided here is stored in the configuration properties file and provisioned to Microgateway as part of asset provisioning during Microgateway startup.
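The following is an added example, not code from the API Gateway or Microgateway products, of what the remote introspection configured in steps 3 to 5 looks like from the Microgateway side. The `Config` struct, the `RemoteIntrospect` function and the stand-in authorization server are assumptions of this example; the request and reply shape (a form-encoded `token` field, a JSON `active` flag, the introspection client authenticating with HTTP Basic) follows RFC 7662, and whether the Integration Server `introspectToken` service accepts exactly that shape is likewise an assumption. The https requirement stated in step 3 is enforced before any request is sent, and a non-200 reply fails closed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config is a hypothetical Microgateway-side copy of the three remote-introspection
// fields configured in the API Gateway UI.
type Config struct {
	IntrospectionEndpoint string
	ClientID              string
	ClientSecret          string
}

// RemoteIntrospect posts an access token to the introspection endpoint, authenticating as
// the confidential introspection client with HTTP Basic, and returns the server's verdict.
// The form-encoded "token" request and {"active": ...} reply follow RFC 7662; that the
// API Gateway service accepts exactly this shape is an assumption of this example.
func RemoteIntrospect(client *http.Client, cfg Config, token string) (bool, error) {
	if !strings.HasPrefix(cfg.IntrospectionEndpoint, "https://") {
		// The documentation requires https: the client secret travels with every request.
		return false, errors.New("introspection endpoint must use https")
	}
	body := strings.NewReader(url.Values{"token": {token}}.Encode())
	req, err := http.NewRequest(http.MethodPost, cfg.IntrospectionEndpoint, body)
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(cfg.ClientID, cfg.ClientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Fail closed: a 401 here means the introspection client itself is misconfigured.
		return false, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var out struct {
		Active bool `json:"active"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Active, nil
}

// NewFakeAuthServer is a constructed TLS stand-in for API Gateway's introspectToken service.
// It rejects wrong introspection-client credentials and reports only activeToken as active.
func NewFakeAuthServer(clientID, secret, activeToken string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, pw, ok := r.BasicAuth()
		if !ok || id != clientID || pw != secret {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]bool{"active": r.FormValue("token") == activeToken})
	}))
}

func main() {
	// Constructed credentials; the real values are whatever was entered in the UI.
	srv := NewFakeAuthServer("mgw-introspection-client", "s3cret", "tok-active")
	defer srv.Close()
	cfg := Config{IntrospectionEndpoint: srv.URL, ClientID: "mgw-introspection-client", ClientSecret: "s3cret"}
	// srv.Client() trusts the test server's self-signed certificate; a real Microgateway
	// relies on its truststore instead.
	for _, tok := range []string{"tok-active", "tok-revoked"} {
		active, err := RemoteIntrospect(srv.Client(), cfg, tok)
		fmt.Printf("%s: active=%v err=%v\n", tok, active, err)
	}
	cfg.IntrospectionEndpoint = "http://gateway.example.invalid/invoke/pub.oauth/introspectToken"
	_, err := RemoteIntrospect(srv.Client(), cfg, "tok-active")
	fmt.Println("plain http endpoint rejected:", err)
}
```

The example treats every reply other than HTTP 200 as "not active", so a wrong client ID or secret (which the authorization server answers with 401) denies all client requests rather than letting them through; that is the failure mode to look for first when requests suddenly stop after the Microgateway configuration changes.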
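The following is an added example, not code from API Gateway or Microgateway, of the local introspection path described under step 6: a kid-keyed cache filled from a JWKS document, and a runtime check that reads kid from the incoming JWT, looks up the cached key and verifies the signature. The `KeyCache`, `LoadJWKS` and `LocalIntrospect` names are assumptions of this example, as is the simplification of caching bare RSA public keys (JWK `n`/`e`) rather than X.509 certificates; `JWKSFor` and `SignRS256` only play the issuing side so that the example runs offline with a key generated in-process.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT and JWK fields use unpadded base64url

// KeyCache models API Gateway's cache: key = kid value, value = the matching public key.
// Keeping bare RSA public keys instead of full X.509 certificates is a simplification.
type KeyCache map[string]*rsa.PublicKey

// LoadJWKS populates the cache from a JWKS document, the way API Gateway does on every
// restart by calling the JWKS URI.
func LoadJWKS(doc []byte) (KeyCache, error) {
	var jwks struct {
		Keys []struct{ Kid, Kty, N, E string } `json:"keys"`
	}
	if err := json.Unmarshal(doc, &jwks); err != nil {
		return nil, err
	}
	cache := KeyCache{}
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, fmt.Errorf("unsupported or malformed JWK %q", k.Kid)
		}
		cache[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return cache, nil
}

// LocalIntrospect is the runtime step the documentation describes: read kid from the JWT
// header, take the cached key for it and verify the RS256 signature over header.payload.
// It checks only the signature; exp, aud and similar claims are separate checks.
func LocalIntrospect(cache KeyCache, jwt string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errS != nil {
		return errors.New("JWT header or signature is not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must not choose it (e.g. "none")
		return fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	key, ok := cache[hdr.Kid]
	if !ok { // unknown kid fails closed until the cache is refreshed from the JWKS URI
		return fmt.Errorf("no cached key for kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig)
}

// JWKSFor and SignRS256 play the API Gateway side for the demo: publishing the JWKS that the
// cache is filled from, and issuing RS256 tokens under a given kid.
func JWKSFor(kid string, pub *rsa.PublicKey) []byte {
	doc, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid, "n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}})
	return doc
}

func SignRS256(priv *rsa.PrivateKey, kid, claims string) string {
	header := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"` + kid + `"}`))
	input := header + "." + b64.EncodeToString([]byte(claims))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	gwKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed signing key for "API Gateway"
	cache, _ := LoadJWKS(JWKSFor("gw-key-1", &gwKey.PublicKey))
	token := SignRS256(gwKey, "gw-key-1", `{"sub":"client-a","scope":"orders:read"}`)
	fmt.Println("gateway-issued token:", LocalIntrospect(cache, token))
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048) // same kid, different key: must fail
	fmt.Println("foreign key, same kid:", LocalIntrospect(cache, SignRS256(rogueKey, "gw-key-1", `{"sub":"x"}`)))
}
```

Two design points carry over to any local-introspection setup: the algorithm is pinned by the verifier rather than taken from the token, and a kid that is not in the cache is rejected instead of triggering an unbounded refetch, which matters because the documentation states the cache is only repopulated on restart.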