Okta Classic Engine | Single Sign-On | Answered | 2024-02-20 | 2020-02-17 | 2020-04-02
When will the Okta AuthZ Server support OAuth's Token Exchange RFC?

Hi All,

I don't know if people are facing the same challenges, but we are facing some issues trying to solve the API dependencies in a secure way using OAuth.

If OAuth nicely solves the API (API A) access control from a client application (CLIENT A), it becomes challenging to see API A calling another API protected by Okta (API B) if this API B requires trusting the identity of the user using CLIENT A.

Today we end up passing the CLIENT A JWT and a Client Credential JWT generated by the API A backend to let API B:

  1. verify that its scope is included in the API A backend's Client Credential JWT
  2. and verify the subject of the CLIENT A JWT

This is a little bit overkill and complex to maintain.

The best would be to see Okta supporting OAuth's Token Exchange RFC to let the API A backend ask for a JWT for API B on behalf of CLIENT A's user.

I heard that it is supposed to be on the 2020 roadmap. Could anyone confirm this?

Thank you in advance.

Alexandre.
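
Added example (not from the original post, and not Okta's code): the two-token check API B has to perform in the workaround described above, next to the RFC 8693 request body API A would send to the token endpoint instead. The HS256 demo key, the audiences `api-a`/`api-b`, the scope `api-b.read` and the subjects are constructed for the demo; a real API B would verify RS256 signatures against the authorization server's JWKS.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-signing-key"  # constructed; real tokens are RS256 + JWKS

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Build an HS256 JWT for the demo (stands in for tokens the AuthZ server issues)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, audience: str) -> dict:
    """Check signature, audience and expiry before trusting any claim."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired")
    return claims

def authorize_api_b(service_token: str, user_token: str, required_scope: str) -> str:
    """The workaround: two tokens, two checks. Returns the end user's subject."""
    # 1. API A's client-credentials JWT must carry the scope API B requires.
    svc = verify(service_token, audience="api-b")
    if required_scope not in svc.get("scp", []):
        raise PermissionError(f"{svc['sub']} lacks scope {required_scope}")
    # 2. Subject comes from CLIENT A's JWT, which was issued for API A, not for API B.
    return verify(user_token, audience="api-a")["sub"]

def token_exchange_request(subject_token: str, audience: str) -> dict:
    """RFC 8693 form body API A would POST to the token endpoint instead of the above."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token": subject_token,
            "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "audience": audience}

def demo(granted_scope: str) -> str:
    """Mint the two constructed tokens and run API B's check for api-b.read."""
    exp = int(time.time()) + 600
    svc = mint({"sub": "api-a-backend", "aud": "api-b", "scp": [granted_scope], "exp": exp})
    usr = mint({"sub": "alice", "aud": "api-a", "exp": exp})
    return authorize_api_b(svc, usr, "api-b.read")
```

With token exchange, API B would instead receive a single token whose `aud` is API B and whose subject is the end user, so the second check (accepting a token addressed to API A) disappears.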


  • Hi there! Apologies for the lack of response to your question. Going forward, we're implementing a new process to ensure that all Discussions receive a response from either another Community member or from the Okta Support team within 7 days of posting. Thank you for your patience while we put this into action!

    I know this question is a bit old now, but if you're still looking for information or help I'd recommend reaching out to the fine folks in the Admin Pro Tips group to see if anyone there can help: https://support.okta.com/help/s/group/0F90Z000000EK23SAG/admin-pro-tips

    Thanks 🙂

    Selected as Best
This question is closed.