
Sending client authentication information to backend services



We are currently using Access Manager in front of our REST services. We use it mainly to provide OAuth authentication, but one of Access Manager's functions is also to provide authenticated user information to backend REST services (they are hidden behind Access Gateway).

This is done by injecting the user's LDAP attributes (stored in an OAuth claim) into the HTTP request header using an Access Manager identity injection policy. Those headers are then parsed by the backend REST services to provide the proper response.


Now back to Secure API Manager.

I have not installed the product and have only read the documentation. I really like the possibilities that API Gateway could give us, but I haven't noticed that API Gateway would have a possibility to pass information from the OAuth token to backend REST services.

Is there a way to do that?


Thanks for your answers and kind regards,



  • Hi Sebastijan,

    Hope you are well.

    That's an interesting scenario. I haven't seen that feature documented either and I wonder if it's available now or whether it's been considered for a future release.

    Would you be ok if we followed up with our Product Management team and get back to you on this one?



  • Secure API Manager API Gateway can surely pass through an OAuth token, but today it does not have the ability to inject the LDAP attributes like you are doing with Access Gateway. Access Gateway, as you know, could pass through an OAuth token to the backend API services if required. API Gateway can front-end Access Gateway (if you need additional API Gateway capabilities), but it looks like Access Gateway should be sufficient for your need.

    Gireesh Kumar

    Sr. Product Manager - IAM

  • Hi Gireesh!

    Thanks for the explanation. The customer is looking at SAPIM because they need rate limiting/throttling. But since NAM 5.0 supports unencrypted tokens (without specifying a specific resource server), the customer might ditch identity injection and just extract info from the token passed to the backend application.

    Kind regards, Sebastijan