I am looking at implementing an API Gateway for a system using WSO2 as the IdP. Users will be signing in using OAuth via federated SSO with social providers (initially Google). The users will also need to pass access to a device with limited input, so I was looking to implement the OAuth
device_code grant (WSO2 is the only open source IdP that supports this grant, as far as I can see, please correct me if you know I am wrong). This will pass a JWT to the device which it should be able to use to access the API Gateway.
- Is it acceptable for a JWT to be used by a device in this way? I have been reading that using ‘opaque tokens’ is preferable but I don’t know how these could be assigned to a device using open standards. What are the risks of this approach and how can they be mitigated?
- The JWT would pass from ‘client device’ -> ‘API Gateway’ -> ‘service’. Is this delegation acceptable – is the Gateway impersonating the client?