Architecture

The Layer7 API Gateway OAuth Toolkit (OTK) is separated into the following logical components:
  • OAuth Validation Point (OVP): An endpoint that validates incoming requests for OAuth 2.0. The endpoint is accessed via a REST API.
  • DMZ: The Layer7 API Gateway holding the OAuth installation enforcing the OAuth token requirement.
  • Clientstore: All client_ids are stored here. The clientstore is accessible via a REST API.
  • Tokenstore: All tokens are stored here. The tokenstore is accessible via a REST API.
  • Sessionstore: An endpoint that provides caching and session services to the OTK components. This allows OTK components to avoid going to the database in calls to clientstore and tokenstore APIs.
  • Resource Server: Provides endpoints to access resources. These endpoints require a valid OAuth token.
The following graphic displays the components within their preferred network zones.
[Figure: OTK_Architecture.png]
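The component relationships listed above (resource server, validation point, sessionstore cache, tokenstore) can be modeled in memory as follows. This is an added example, not OTK code and not its REST API: every class, method, token value and TTL is an assumption chosen for illustration. It shows the two properties a cache in front of the tokenstore has to keep: a cached result never outlives the token, and revocation clears the cache as well as the store.

```python
class TokenStore:
    """Stand-in for the tokenstore: authoritative record of issued tokens."""
    def __init__(self, tokens):
        self.tokens = dict(tokens)  # token -> {"scope": set, "expires_at": float}
        self.lookups = 0            # trips to the backing store
    def get(self, token):
        self.lookups += 1
        return self.tokens.get(token)

class SessionStore:
    """Stand-in for the sessionstore: a cache in front of the tokenstore."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}   # entries: key -> (value, deadline)
    def get(self, key, now):
        value, deadline = self.entries.get(key, (None, 0))
        return value if deadline > now else None
    def put(self, key, value, now, not_after):
        # Cap the cache lifetime at token expiry: a hit never outlives the token.
        self.entries[key] = (value, min(now + self.ttl, not_after))
    def evict(self, key):
        self.entries.pop(key, None)

class ValidationPoint:
    """Stand-in for the OVP: decides whether a presented token is valid."""
    def __init__(self, tokenstore, cache):
        self.tokenstore, self.cache = tokenstore, cache
    def validate(self, token, now):
        record = self.cache.get(token, now)
        if record is None:                       # cache miss: ask the tokenstore
            record = self.tokenstore.get(token)
            if record is None or record["expires_at"] <= now:
                return None
            self.cache.put(token, record, now, record["expires_at"])
        return record
    def revoke(self, token):
        # Clear both layers, or the cache keeps accepting a revoked token.
        self.tokenstore.tokens.pop(token, None)
        self.cache.evict(token)

def resource_endpoint(ovp, authorization, required_scope, now):
    """Resource server: 200 only for a valid bearer token carrying the scope."""
    scheme, _, token = authorization.partition(" ")
    record = ovp.validate(token, now) if scheme.lower() == "bearer" and token else None
    if record is None:
        return 401
    return 200 if required_scope in record["scope"] else 403

# Constructed sample: one token valid until t=100, cached for at most 60 s.
store = TokenStore({"tok-demo": {"scope": {"read"}, "expires_at": 100.0}})
ovp = ValidationPoint(store, SessionStore(ttl=60))
```

Time is passed in as `now` so the expiry and cache behaviour can be checked deterministically.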
Compliance
The CA OAuth Toolkit provides a full-featured and standards-compliant OAuth 2.0 solution.
OAuth 1.0 is deprecated and no longer supported. Any existing OAuth 1.0 services are removed with an OTK update. No service history is maintained.
OAuth is an authorization standard that allows one service to integrate with another service on behalf of a user. Instead of exposing user credentials, an OAuth access token is issued and accepted for user authentication. The OAuth authorization framework permits a user to grant an application (consumer) access to a protected resource without exposing the user password credentials.
This implementation conforms to the following specifications:
This implementation may provide incomplete support for the following draft specifications:
Layer7 API Gateway and Layer7 Mobile API Gateway have been granted certifications for the following OpenID Provider conformance profiles:
  • OP Basic
  • OP Config
  • OP Implicit
  • OP Hybrid
These certifications have been registered at OIXnet:
Specifications can change without notice, possibly causing the OAuth Toolkit to produce incorrect results.