Modern application development interacts with multiple services. These services can be internal or external. Most of the services are developed with Oauth2 support. When the user or mobile access a service, that particular service might be interacting with other services either internal or cloud service. To access other services, it needs the access token. This Oauth2 service broker will issue a new access token with different scopes to protect the user by without giving token with full rights.
When the user or mobile application access backend service it has to gather various information or data from different service endpoints. These services can be a cloud or internal different department or partner services that are protected by Oauth2 access tokens. In this scenario, received a token at the first service cannot send the same token to different service which is owned by a different group or a cloud service. Limited scopes token is required to access other services.
This solution will help to get a new oauth2 access token with different scopes by authenticating with existing oauth2 Access token at back-end service where it has to call multiple other services to provide the response to the user request.
NetIQ Access Manager should be enabled with oauth2 protocol. Deploy the jar file to the Identity provider (IDP) and restart the IDP.
POST /nidp/oauth/nam/tokenbroker HTTP/1.1
Note: This solution doesn’t validate resource or any sort of additional authorization. This solution is very close to Microsoft on_behalf_of Oauth2 profile but doesn’t follow that specification, it needs little more modification to support that profile.
Please share your comments!!