Using an External OAuth 2.0 Authorization Server
When API Gateway is the resource server, you must specify an authorization server. As an alternative to using API Gateway as the authorization server, you can use a third-party OAuth server as the authorization server. This allows API Gateway to use access tokens issued by third-party OAuth authorization servers.
Important: Before you configure API Gateway to use a third-party OAuth authorization server, make sure that the OAuth authorization server is compliant with RFC 7662, OAuth 2.0 Token Introspection.
To use an external authorization server, you must configure your third-party authorization server. This includes, but is not limited to, the following:
Create a client account that API Gateway uses to call the authorization server's introspection endpoint.
Make a note of the client_id and client_secret values. You provide this information as part of defining the external authorization server alias for the API Gateway resource server.
Make a note of the URL for the introspection endpoint. You provide this information as part of defining the external authorization server alias in the API Gateway resource server.
Create the OAuth scopes.
Configure an alias to the authorization server.
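The following is an added example, not code from API Gateway or its vendor, showing what the resource server does with the values collected above: it calls the third-party server's introspection endpoint as described in RFC 7662, authenticating with the client_id and client_secret created for the gateway, and then applies fail-closed checks to the response (active flag, expiry, not-before, audience, and required scopes) before treating the access token as valid. The endpoint URL, client credentials and introspection responses are constructed placeholders; the function and parameter names are this example's own.

```python
"""RFC 7662 token introspection from the resource server's side.

Added example, not API Gateway's own code. INTROSPECTION_URL, CLIENT_ID and
CLIENT_SECRET are constructed placeholders to be replaced with the values
noted when configuring the third-party authorization server.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders: substitute the values from your authorization server.
INTROSPECTION_URL = "https://auth.example.test/oauth2/v1/introspect"
CLIENT_ID = "api-gateway-client"
CLIENT_SECRET = "replace-me"


def build_introspection_request(token, url=INTROSPECTION_URL,
                                client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Build the introspection request defined in RFC 7662, section 2.1.

    The token travels in the POST body, never in the query string, so it does
    not land in proxy or access logs. The resource server authenticates to
    the introspection endpoint with HTTP Basic (client_id:client_secret),
    which is why the page asks you to record those two values.
    """
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def introspect(token, opener=urllib.request.urlopen, **kw):
    """Send the request and return the parsed JSON response (network call)."""
    with opener(build_introspection_request(token, **kw), timeout=5) as resp:
        return json.load(resp)


def evaluate_introspection(response, required_scopes=(), now=None, expected_aud=None):
    """Decide whether a token is acceptable given an RFC 7662 response.

    Returns (allowed, reason). Every check fails closed: a missing or
    malformed field denies the request rather than letting it through.
    """
    now = time.time() if now is None else now
    # RFC 7662: "active" is the only required member; anything but a JSON
    # true (e.g. the string "true", or an absent field) means not active.
    if response.get("active") is not True:
        return False, "token inactive or unknown"
    exp = response.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        return False, "token expired"
    nbf = response.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or nbf > now):
        return False, "token not yet valid"
    if expected_aud is not None:
        aud = response.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if expected_aud not in auds:
            return False, "audience mismatch"
    # "scope" is a space-separated string; compare it against what the API requires.
    granted = set(str(response.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    # Constructed responses, so the example runs without an authorization server.
    live = {"active": True, "scope": "orders:read orders:write",
            "exp": int(time.time()) + 300, "aud": "api-gateway-client"}
    print(evaluate_introspection(live, ("orders:read",), expected_aud="api-gateway-client"))
    print(evaluate_introspection({"active": False}, ("orders:read",)))
```

In a real deployment the response should also be cached only for a short, bounded time (never beyond `exp`), because introspection is the revocation check: a token the authorization server has revoked stops being reported as active on the next call.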
Currently, API Gateway can be used with the following third-party OAuth authorization servers, which are compliant with RFC 7662, OAuth 2.0 Token Introspection:
Okta
PingFederate