API Gateways Overview


FusionAuth is an OIDC and OAuth server, which means it integrates with a variety of third party systems out of the box. One of those systems is an API gateway. It is a common architectural pattern to have an authentication system generate a token which is then presented to other services. These services can sit behind an API Gateway, which offers throttling, billing and checks for authenticated requests.

General Integration Guidance

In general, you’ll want to do the following to perform an API gateway integration using OIDC.

In FusionAuth:

You typically need to ensure that FusionAuth is signing the JWT with an asymmetric key, so that the API gateway can verify the signature using only the public key and never needs to hold a shared secret. Do that by navigating to Settings -> Key Master to create or import the key pair. Then configure the Application to use the key by navigating to Applications -> Your Application -> JWT.

In the API gateway:

If the API gateway does not support token exchange, but instead expects a token:

After this is configured, when the user tries to access a service, they’ll be prompted to login. After they successfully do so, the API gateway will examine the token and allow access if applicable.

FusionAuth also supports SAML integrations. Learn more about how FusionAuth can act as a SAML IdP.

Sample Architecture

Here’s a sequence diagram with an example API gateway protecting two services.

Participants in the diagram: User, FusionAuth, Token Exchanger, API Gateway, Service A, Service B.

Messages, in the order the diagram shows them:

1. Requests Service A
2. Token validation failure (it doesn't exist)
3. Sends redirect to FusionAuth
4. Authenticates
5. Verifies credentials
6. Redirects user to exchanger
7. Requests token
8. Issues token
9. Requests Service A and presents token
10. Validates token
11. Forwards request for Service A
12. Data from Service A
13. Data
14. Requests Service B and presents token
15. Validates token
16. Forwards request for Service B
17. Data from Service B
18. Data

API gateway sample architecture.

Token Location

The location of the token in the request is typically in one of two places:

The former is compatible with a variety of API gateways and open source libraries.

The latter is more secure when used for browser based clients such as SPAs, since JavaScript doesn’t have access to the token. It is also compatible with the Hosted Backend APIs, which use FusionAuth to perform the token exchange.

Example Integrations

Here are some example API gateway integrations.