Client authentication with a JWT (client assertion) was introduced in OTK 4.3 so that a client does not have to send its client secret when calling the OTK endpoints.
The client_secret parameter is replaced by two parameters:
client_assertion=<JWT>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
Release : 10.0
Component : API GATEWAY
Here is an example:
1. Register a new OAuth client as described in the document,
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/registering-clients-with-the-oauth-manager.html
"Client Type" = confidential
"Authentication Method" = Client Secret (JWT)
"Scope" = oob
2. Publish a new web API and import the attached policy, replacing the client_id and client_secret with the values from step 1.
The JWT credential is created as described in the document,
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/installation-workflow/configure-authentication/client-authentication.html
3. Call the demo API. It returns the sample JSON for the JWT credential and a sample curl command line.
Sample output (the new API path is /jwts here):
# curl http://localhost:8080/jwts
sample json to generate jwt:
{
"sub": "58634101-8006-4823-a92d-25efc5ac5de7",
"iss": "58634101-8006-4823-a92d-25efc5ac5de7",
"exp": 1614310725,
"jti": "ByMark2021",
"aud": "https://<host name>.<Your domain>/auth/oauth/v2/token"
}
sample call:
curl -k -X POST -H "content-type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_assertion=<redactedJWT>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_id=58634101-8006-4823-a92d-25efc5ac5de7&scope=oob' https://<host name>.<Your domain>/auth/oauth/v2/token
4. Copy and run the curl command. It returns the access token; in this curl command line the client_secret is replaced by the JWT.
Sample output:
# curl -k -X POST -H "content-type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_assertion=<redactedJWT>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_id=58634101-8006-4823-a92d-25efc5ac5de7&scope=oob' https://<host name>.<Your domain>/auth/oauth/v2/token
{
"access_token":"7a45c008-1a95-46b9-8ab5-046c679f6034",
"token_type":"Bearer",
"expires_in":3600,
"scope":"oob"
}
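The steps above show the claim set and the token request but not how the assertion is built or what the token endpoint has to check. The following added example (not part of this article or of the OTK policy) builds the client assertion with the same claims, forms the request body in which client_assertion replaces client_secret, and verifies an assertion the way a token endpoint should. It assumes, as the "Client Secret (JWT)" method suggests, that the JWT is signed HS256 with the client secret; the client id, secret and token URL are constructed sample values.

```python
# Added example: build and verify a client_secret_jwt client assertion
# (RFC 7523 style) using the claim set shown in the article. Stdlib only.
# Assumption (not from the article): HS256 signature keyed by the client secret.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_assertion(client_id, client_secret, token_url, jti, now=None):
    """Return a compact JWS (header.claims.signature) signed with the client secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": client_id, "iss": client_id, "aud": token_url,
              "jti": jti, "exp": now + 300}  # short lifetime: 5 minutes
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
                    _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def token_request_body(client_id, assertion, scope="oob"):
    """Form body for the token endpoint: client_assertion replaces client_secret."""
    return urlencode({"grant_type": "client_credentials",
                      "client_assertion": assertion,
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_id": client_id, "scope": scope})

def verify_client_assertion(assertion, client_secret, expected_aud, now=None):
    """Token-endpoint side: check alg, signature, aud and exp. Returns claims or None."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = assertion.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token choose a weaker algorithm
        return None
    expected = hmac.new(client_secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    claims = json.loads(_b64url_decode(c64))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims
```

The aud check is what stops an assertion minted for one token endpoint from being replayed against another, and the short exp plus a unique jti limits replay against the same endpoint.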