Apigility as OAuth2 Resource Server with remote Authorization Server


I need to add OAuth2 support to an existing REST API built with Apigility. As Apigility includes an OAuth2 module, it seems the easiest approach would be to simply use that.

However, the documentation states "In Apigility, the Resource Server and the Authorization Server are delivered from the same API server". This will not work for me, as the API will need to utilize the new OAuth2/OpenID server that we are building separately, and will be used for all our APIs.

So, the question(s) is (are):

  1. Is it possible to use Apigility as a resource server with an external OAuth2 server?

  2. Has anyone done this, or attempted to do this, and can share their experiences?

  3. Other thoughts? Maybe a doc or tutorial exists somewhere? (I couldn't find anything)

Thanks!

Best answer:

The interface/protocol/API between a Resource Server and an Authorization Server is not standardized in OAuth 2.0; work is underway to do that as an extension: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-introspection-03

This means that there is extremely little chance that you can use Apigility with another Authorization Server unless they happen to implement the same API by accident, or because they've implemented an early draft of the spec above.
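To make the answer concrete, here is an added example (not from the question, the answer, or the Apigility project) of the resource-server/authorization-server exchange that the introspection draft standardizes (it later became RFC 7662): the resource server strips the bearer token from the request, POSTs it to the authorization server's introspection endpoint with its own client credentials, and then enforces audience and scope on the JSON that comes back. The token store, the client credentials (`orders-api` / `rs-secret`), the audience values and the fixed clock are all constructed so the code runs offline; a real resource server would replace `as_introspect` with an HTTPS POST to the remote endpoint.

```python
import base64
from typing import Callable, Dict, Optional, Tuple

# --- Constructed sample data; no real authorization server is involved ---
NOW = 1_700_000_000                  # fixed "current time" so the example is deterministic
RS_ID, RS_SECRET = "orders-api", "rs-secret"   # hypothetical credentials the RS uses toward the AS
RS_AUDIENCE = "orders-api"           # audience value this resource server accepts

# What the remote authorization server knows about issued tokens (constructed).
AS_TOKENS: Dict[str, Dict] = {
    "tok-valid":     {"scope": "read write", "client_id": "web-client", "aud": "orders-api",  "exp": NOW + 3600},
    "tok-expired":   {"scope": "read",       "client_id": "web-client", "aud": "orders-api",  "exp": NOW - 10},
    "tok-other-aud": {"scope": "read write", "client_id": "web-client", "aud": "billing-api", "exp": NOW + 3600},
}

# A transport takes (headers, form fields) and returns (http_status, json_body).
Transport = Callable[[Dict[str, str], Dict[str, str]], Tuple[int, Dict]]


def basic_auth_header(client_id: str, secret: str) -> str:
    """HTTP Basic credential the resource server presents to the AS."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def as_introspect(headers: Dict[str, str], form: Dict[str, str], now: int = NOW) -> Tuple[int, Dict]:
    """Mock of the AS introspection endpoint (RFC 7662 request/response shape)."""
    # The endpoint must authenticate its caller; otherwise anyone holding a
    # token string could query it for the token's scope and owner.
    if headers.get("Authorization") != basic_auth_header(RS_ID, RS_SECRET):
        return 401, {"error": "invalid_client"}
    rec = AS_TOKENS.get(form.get("token", ""))
    if rec is None or rec["exp"] <= now:
        # Unknown, revoked and expired tokens all get the same minimal answer,
        # so the endpoint does not leak whether a token ever existed.
        return 200, {"active": False}
    return 200, {"active": True, **rec}


def rs_authorize(authorization_header: Optional[str], required_scope: str,
                 transport: Transport = as_introspect) -> Tuple[int, Optional[Dict]]:
    """Resource-server side: validate a bearer token by introspection, then
    enforce audience and scope. Returns (http_status, token_info)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, None                      # no usable bearer credential
    token = authorization_header[len("Bearer "):].strip()
    if not token:
        return 401, None
    headers = {
        "Authorization": basic_auth_header(RS_ID, RS_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    status, body = transport(headers, {"token": token, "token_type_hint": "access_token"})
    if status != 200 or not body.get("active"):
        return 401, None                      # invalid_token
    if body.get("aud") != RS_AUDIENCE:
        return 403, None                      # issued for a different API
    if required_scope not in set(body.get("scope", "").split()):
        return 403, None                      # insufficient_scope
    return 200, body


if __name__ == "__main__":
    for hdr, scope in [("Bearer tok-valid", "write"), ("Bearer tok-expired", "read"),
                       ("Bearer tok-other-aud", "read"), ("Bearer tok-valid", "admin"), (None, "read")]:
        print(hdr, scope, "->", rs_authorize(hdr, scope)[0])
```

The two decisions worth noticing are on the resource-server side: the audience check stops a token minted for another API behind the same authorization server from being accepted here, and the scope check is done by the resource server rather than trusted from the caller. Introspection also costs a round trip per request, which is why deployments often cache the AS answer for well under the token's remaining lifetime.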