Resource gateway configuration
In the overall architecture, the resource gateway is responsible for granting or blocking access to specific APIs or resources. To evaluate whether a client is allowed to use a resource, the resource gateway must validate an access token. The OneWelcome Identity Platform provides APIs to validate access tokens.
Access to these APIs is restricted to OAuth clients with a specific role. This means that the resource gateway acts as an OAuth client and needs to be configured as one.
Network configuration
A resource gateway uses the /oauth/api/v2/token/introspect endpoint of the OneWelcome Identity Platform for token introspection.
To allow communication to this endpoint, adjust the network configuration and ensure that network traffic from the resource gateway to the OneWelcome Identity Platform is not blocked by firewalls.
Configure an API client as a resource gateway
This configuration is needed for token introspection.
Using the admin console, you can configure an OAuth API client as a resource gateway. To create a resource gateway, on the admin console, go to the Configuration section, and then open the System tab and the API clients section. Here you find all the existing API clients. To add a new API client, click the Add button. The following form opens:
Fill in the following fields for the resource gateway:
- Name: The resource gateway is referenced using the value from this field.
- Client ID and Client secret: This pair of values authenticates the resource gateway when it communicates with the OneWelcome Identity Platform. The values can be filled or generated. This information is sensitive and must be treated accordingly.
- Valid for APIs: The resource gateway uses the Token introspection scope.
- Public base URI: The base URI (public endpoint) of the resource gateway.
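The following sketch shows how a resource gateway could use the configured Client ID and Client secret against the introspection endpoint and then decide whether to grant or block a request. It is an added example, not OneWelcome code. Assumptions: the call follows RFC 7662 (HTTP Basic client authentication, a form-encoded `token` parameter, `active`, `scope` and `exp` fields in the response), and the function names and the scope being checked are hypothetical.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

INTROSPECT_PATH = "/oauth/api/v2/token/introspect"  # endpoint named on this page


def build_introspection_request(base_url, client_id, client_secret, access_token):
    """Build the POST the gateway sends; the client secret only travels over TLS."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("introspection endpoint must be reached over https")
    # Assumption: HTTP Basic client authentication and a form-encoded `token`
    # parameter, as in RFC 7662.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": access_token}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + INTROSPECT_PATH,
                                 data=body, method="POST")
    req.add_header("Authorization", "Basic " + basic)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def introspect(base_url, client_id, client_secret, access_token, timeout=5):
    """Call the endpoint; a transport or parse failure is reported as inactive."""
    req = build_introspection_request(base_url, client_id, client_secret, access_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return {"active": False}


def is_access_allowed(introspection, required_scope, now=None):
    """Fail closed: grant only for an active, unexpired token with the scope."""
    if not isinstance(introspection, dict) or introspection.get("active") is not True:
        return False
    exp = introspection.get("exp")  # assumed RFC 7662 field, seconds since epoch
    if exp is not None:
        current = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or exp <= current:
            return False
    return required_scope in str(introspection.get("scope", "")).split()
```

Load the client secret from a secret store or environment variable rather than from source code, and keep it out of request logs.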