CA API Gateway - OTK OpenID Connect BCP Test Client for RS256 Signing Algo and new Private Key
Article ID: 266319

Products

CA API Gateway

Issue/Introduction

This KB article describes configuring an OpenID Connect flow for the Authorization Code grant type using a new Private Key (other than default_ssl_key) and the RS256 signing algorithm (changed from the default HS256).

Environment

Gateway 10.x, 11.x with OTK 4.5, 4.6+

Test Endpoint Sample URL: https://YourGatewayHostname:8443/oauth/v2/client/bcp

Resolution

Ensure that the OAuth Toolkit is configured and functioning correctly.

Create a Private Key:

From the Gateway Policy Manager, go to Manage Private Keys.

Create a new Private Key, as in the example here:

After creating the Private Key go into Manage Certificates as such:

Click Add and import the Certificate from the Import From Private Key's Certificate Chain selection:

Click next into the Certificate Options Section and select the first three options as such:

Click next and set as Trust Anchor

Now set your Signing Algorithm to RS256 in Tasks --> Global Settings --> Manage Clusterwide Properties.

Now let's edit some OTK Policies:

Policy Name: OTK openid jwks_endpoint Configuration

Add your Private Key name (in this case called test) to the Create JSON Web Key assertion as such:

Policy Name: OTK id_token Signing Algorithm - CUSTOM

Set both Encode Json Webtoken: Sign Payload assertions with your Private Key. These assertions are at Lines 8 and 12 in the Policy.

Set the Shared_Secret Context Variable to the name of your Private Key as such:

Copy the following two lines from the Read Only Encapsulated Assertion id_token KID Configuration into the editable #OTK id_token KID Configuration policy

After copying the lines set the Set Context Variable Kid as String to the name of your Private Key (in this case the Private Key is called test)

Policy Name: OpenID Connect Client - BCP [/oauth/v2/client/bcp]

At Line 87 set the following Decode Json web Token to your Private Key:

Policy Name: #OTK id_token KID Configuration

Change the shared_secret Compare Variable and the Decode Json Token assertions to reflect the Private Key you created (in this case it is test)

Now you are ready to call the Basic Client Profile Endpoint:

https://YourGatewayHostname:8443/oauth/v2/client/bcp

Log in, then click the Grant button on the next screen; you should get a successful flow with working sample Resources and Claims.
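If the flow fails, the usual cause is a mismatch between the id_token header and the configuration above: the alg is still HS256, or the kid does not match the Private Key name published by the jwks_endpoint. The following check is an added example (not part of this article or of the OTK product); it assumes the Private Key is called test, as in the steps above, and uses a constructed id_token and JWKS document rather than real Gateway output. It checks header/JWKS consistency only and does not verify the signature.

```python
import base64
import json

# Assumed from the KB steps: Private Key named "test", cluster-wide Signing Algorithm RS256.
EXPECTED_KID = "test"
EXPECTED_ALG = "RS256"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_against_jwks(id_token: str, jwks: dict,
                                kid: str = EXPECTED_KID, alg: str = EXPECTED_ALG) -> list:
    """Return a list of configuration problems; an empty list means the token
    header is consistent with the expected alg/kid and the published JWKS."""
    problems = []
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["id_token is not a three-part compact JWS"]
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != alg:
        problems.append(f"alg is {header.get('alg')!r}, expected {alg!r} "
                        "(check Manage Clusterwide Properties)")
    if header.get("kid") != kid:
        problems.append(f"kid is {header.get('kid')!r}, expected {kid!r} "
                        "(check #OTK id_token KID Configuration)")
    matching = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")]
    if not matching:
        problems.append(f"JWKS has no key with kid {header.get('kid')!r} "
                        "(check OTK openid jwks_endpoint Configuration)")
    elif matching[0].get("kty") != "RSA":
        problems.append(f"JWKS key {kid!r} has kty {matching[0].get('kty')!r}; RS256 needs RSA")
    return problems


def make_sample_token(header: dict) -> str:
    """Build a constructed sample token; the signature segment is a dummy, not a real RS256 signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"sub": "user", "iss": "https://YourGatewayHostname:8443"}), "AAAA"])


# Constructed JWKS as the jwks_endpoint would publish it once the "test" key is configured
# (modulus is a placeholder, not a real key).
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "test", "alg": "RS256", "use": "sig",
                         "n": "PLACEHOLDER-MODULUS", "e": "AQAB"}]}
GOOD = make_sample_token({"alg": "RS256", "typ": "JWT", "kid": "test"})
BAD = make_sample_token({"alg": "HS256", "typ": "JWT", "kid": "default_ssl_key"})  # still on defaults

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, check_id_token_against_jwks(tok, SAMPLE_JWKS) or "consistent")
```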

Sample Successful Output

Additional Information

OpenID Connect Implementation

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/openid-connect-implementation.html