Configure STA for API access management

This scenario includes application templates that are preview features. Contact Thales Customer Support to request access to preview features.

In the API access management demo, SafeNet Trusted Access (STA) is responsible for the actual authentication of the mobile application and users. Roles are mapped to the access tokens using the user's group membership. This separates the management of the authentication and authorization decision from the actual application or business logic.

User and group setup

The policy enforcement point enforces a role-based access model that depends on a user's group membership. To support the API access management use case, create the following two groups in STA, which represent application roles:

  • employee

  • manager

Map some example users to these groups:

  • employee

  • manager

Application authentication using the client credential flow

The Generic Template - OIDC Client Credentials, Apigee - API Access Management, and Amazon API Gateway - API Access Management application templates are preview features. Contact Thales Customer Support to request access to preview features.

Only authorized applications should have access to the API functions. The policy enforcement point validates that the access token, transmitted as a bearer token in the API request's authorization header, was issued by the trusted IDP.

Using the client credential flow, the demo application can request an access token from the IDP, which ensures that only applications with the correct credentials can access the back-end API.

To create a new client credential flow application in STA, use one of the following application templates:

  • Generic Template - OIDC Client Credentials

  • Apigee - API Access Management third-party API gateway template

  • Amazon API Gateway - API Access Management third-party API gateway template

For the application configuration, copy the following information into the configuration file:

  • Client ID

  • Client Secret

  • Well Known Configuration URL

No additional claim is required. You cannot assign users or groups to client credential applications.

User authentication using the authorization code flow with PKCE

The Generic Template - OIDC Client Credentials, Apigee - API Access Management, and Amazon API Gateway - API Access Management application templates are preview features. Contact Thales Customer Support to request access to preview features.

Users authenticate interactively with the IDP using the authorization code flow with PKCE. A short-lived access token and a longer-lived refresh token are generated. To access the back-end API, the application uses the refresh token to acquire access tokens on demand.

Similar to application authentication, the access token is transmitted as a bearer token in the API request's authorization header.

To create a new confidential OIDC application in STA, use one of the following application templates:

  • Generic Template

  • Apigee - API Access Management third-party API gateway template

  • Amazon API Gateway - API Access Management third-party API gateway template

Configure the authorization code flow with S256 PKCE enforced.

For the application configuration, copy the following information into the configuration file:

  • Client ID

  • Client Secret

  • Well Known Configuration URL

For simplification, the application is assigned to all users.

The valid redirect URL is set to the wildcard "*". A group claim is also required, and must be mapped to the groups value. This ensures that the user's groups are included in the access token, which ultimately determines the user's access rights during policy enforcement.
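As an added example (not part of the Thales documentation or of STA itself), the policy enforcement check that the application and user authentication sections above describe: the bearer token in the authorization header is verified as coming from the trusted IDP (pinned algorithm, signature, issuer, audience, expiry), and the groups claim is then mapped to the employee and manager roles. The issuer, audience, signing key, operations and token contents are all constructed; a real enforcement point takes the issuer and keys from the Well Known Configuration URL and verifies the IDP's RS256 signature, whereas the HS256 stand-in here only keeps the example offline.

```python
import base64, hashlib, hmac, json, time
# Constructed values: a real PEP takes issuer and audience from the STA well-known
# configuration and verifies RS256 signatures with its JWKS; HS256 keeps this offline.
TRUSTED_ISSUER = "https://idp.example.test"   # placeholder issuer
API_AUDIENCE = "demo-api"                     # placeholder audience
SIGNING_KEY = b"constructed-shared-secret"    # stand-in for the IDP signing key

# Role model from the page: the groups claim decides what the caller may do.
ROLE_PERMISSIONS = {
    "employee": {"GET /orders"},
    "manager": {"GET /orders", "POST /orders", "DELETE /orders"},
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Constructed issuer standing in for STA so the example runs offline."""
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_bearer(authorization_header, now=None):
    """Check the token came from the trusted IDP for this API; raise PermissionError otherwise."""
    scheme, _, token = authorization_header.partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        raise PermissionError("missing or malformed bearer token")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":  # pin the IDP's algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != TRUSTED_ISSUER or claims.get("aud") != API_AUDIENCE:
        raise PermissionError("not issued by the trusted IDP for this API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims

def is_allowed(authorization_header, operation, now=None):
    """Policy decision: at least one group in the token must grant the operation."""
    try:  # ValueError covers undecodable base64 or JSON in a tampered token
        groups = verify_bearer(authorization_header, now).get("groups", [])
    except (PermissionError, ValueError):
        return False
    return any(operation in ROLE_PERMISSIONS.get(group, set()) for group in groups)
```

A token from the client credential flow carries no groups claim (users and groups cannot be assigned to those applications), so under this role model verify_bearer alone is the application-level check and is_allowed denies such a token every user operation.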

Use the Apigee or Amazon API gateway application template

When you use the Apigee or Amazon API Gateway template, you can combine both flows (client credential flow and the authorization code flow with PKCE) into a single application.
