
spring boot - How do you identify a client through an API Gateway? - Stack Overflow


At my place of work we have an internal API Gateway that acts as a proxy between various internal applications.

My specific application is essentially a REST API that serves specific features to specific users. There are multiple clients that need to access it through this gateway, however I am stuck with a slightly annoying problem and was hoping for some ideas or insights into how I could resolve this.

Essentially there are two levels of OAuth2, such that the client must first get an access token from the API Gateway. The API Gateway also has a single access token it gets from an Authorisation server that is connected to my app, which also acts as a resource server. This is all done using JWT tokens.

In both instances the access token is granted with client_credentials and is then used as an Authorization Bearer token when accessing resources on the REST API.

Essentially this poorly designed diagram explains the flow, where each line is a representation of OAuth2 authentication using JWT tokens.

CLIENT 1 \
          \    
            API GATEWAY -- MY APP
          /
CLIENT 2 /

The issue I'm facing is that any client credentials are lost at the gateway, so that by the time the request passes through the proxy, I know the user is authenticated but I don't know who the user is, so I am unable to determine which resources they should have access to.

My original workaround was to have the API Gateway append the user's client_id as a header, but after the security team laid eyes on it, they said this was too much of a risk.

The second idea was that the gateway would instead have to manage multiple access tokens, one for each client, so that they could essentially pass the user credentials through, but this was also turned down, as the people who manage the gateway think it would be too much overhead on their system, and it was not designed in such a way.

I'm a little stumped at this point for ideas. I am open to answering any questions about the stacks used but due to the nature of the business can't give too many details away.
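To make the loss of identity concrete, here is an added Python model of the two-level client_credentials flow described in the question. It is not code from the question or from any real gateway product; the client names and the HS256 shared secrets are constructed assumptions (a real resource server would validate the authorisation server's asymmetric signing key, not a shared secret), but the structure is the same: the only authenticated identity MY APP can read from the bearer token is the gateway's.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets standing in for the two authorisation servers (assumption).
CLIENT_AUTH_SECRET = b"constructed-secret-of-the-gateway-facing-auth-server"
APP_AUTH_SECRET = b"constructed-secret-of-the-app-facing-auth-server"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_credentials_token(client_id: str, secret: bytes, ttl: int = 300) -> str:
    """Mimic an authorisation server issuing a client_credentials JWT (HS256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = _b64(json.dumps({"sub": client_id, "client_id": client_id,
                              "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"


def verify_token(token: str, secret: bytes) -> dict:
    """Resource-server check: signature and expiry, then return the claims."""
    header, claims, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(claims))
    if payload["exp"] < int(time.time()):
        raise ValueError("expired")
    return payload


def identify_caller(authorization_header: str) -> str:
    """Everything MY APP can learn about the caller is the token's client_id."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("expected a Bearer token")
    return verify_token(token, APP_AUTH_SECRET)["client_id"]


def gateway_forward(client_authorization: str, gateway_token: str) -> dict:
    """The gateway checks the client's token against its own auth server, then
    calls MY APP with the gateway's single token: the client's identity is dropped."""
    verify_token(client_authorization.partition(" ")[2], CLIENT_AUTH_SECRET)
    return {"Authorization": f"Bearer {gateway_token}"}


def demonstrate_problem() -> list:
    """Identity MY APP sees for CLIENT 1 and CLIENT 2 after the gateway hop."""
    gateway_token = issue_client_credentials_token("api-gateway", APP_AUTH_SECRET)
    seen = []
    for client in ("client-1", "client-2"):
        client_token = issue_client_credentials_token(client, CLIENT_AUTH_SECRET)
        forwarded = gateway_forward(f"Bearer {client_token}", gateway_token)
        seen.append(identify_caller(forwarded["Authorization"]))
    return seen  # both hops yield "api-gateway"
```

Running `demonstrate_problem()` returns the gateway's client_id for both clients, which is exactly why per-client resource scoping cannot be done from the bearer token alone; an unsigned header appended by the gateway sits outside the signed token, so the resource server has no cryptographic way to tie it to the original client.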
