
Status Submitted
Created by Guest
Created on Oct 16, 2025

Product Requirement: Native OAuth with External Identity Provider for Three-Legged OAuth

Business Need

Enable API Connect Native OAuth to:

  • Support three-legged OAuth flows where API Connect issues codes and tokens.

  • Delegate user authentication to external IdPs via redirect.

  • Preserve centralized token lifecycle management in API Connect.

This capability ensures:

  • Developer Portal remains the hub for client registration and API subscription.

  • API Connect enforces scopes, rate limits, and token policies.

  • External IdPs provide enterprise-grade user authentication.

Current Limitation

Native OAuth:

  • Supports internal user registries or Authentication URL but lacks redirect-based external IdP integration.

  • Requires custom assemblies or orchestration to achieve nested OAuth.

  • Under User Authentication, none of the external OIDC user registries are supported.

Functional Requirements

Client Registration

  • Register client apps in Developer Portal with client_id, client_secret, and redirect_uri.

  • Subscribe clients to APIs.

Authorization Flow

  • /authorize:

    • Validate client credentials and redirect URI.

    • Redirect end-user to external IdP authorization endpoint.

    • Handle callback from IdP with code and state.

    • Generate API Connect authorization code and persist mapping to IdP session.

Token Exchange

  • /token:

    • Validate API Connect authorization code.

    • Optionally exchange IdP code for user claims.

    • Issue API Connect access/refresh tokens enriched with IdP claims.

Configuration

  • UI/CLI options to:

    • Configure external IdP endpoints (authorize, token, userinfo).

    • Define scopes and claims mapping.

    • Enable/disable external authentication per OAuth provider.

Security

  • Support PKCE, state, and nonce validation.

  • TLS for all redirects and token exchanges.
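The Authorization Flow, Token Exchange and Security sections above describe one end-to-end procedure. The following is an added, self-contained Python model of that procedure written for this page; it is not API Connect code and not IBM's implementation. The names `GatewayOAuth`, `ExternalIdP`, `CLIENTS`, the example hosts (`app.example`, `idp.example`, `gateway.example`) and the registered client `app-123` are all constructed for illustration. It shows the gateway validating the client and redirect URI, redirecting to the IdP with its own state and nonce, mapping the IdP callback to a gateway-issued authorization code, and then enforcing single-use codes, client authentication, redirect-URI binding and PKCE S256 at `/token` before issuing a token enriched with the IdP's claims.

```python
"""Added example: gateway-issued three-legged OAuth with login delegated to an external IdP.
Toy model only; all names and URLs are constructed and this is not API Connect code."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT = "https://app.example/cb"                  # constructed client redirect_uri
GW_CALLBACK = "https://gateway.example/oauth/idp-cb"  # constructed gateway callback registered at the IdP
# Constructed client registry, standing in for the Developer Portal's app registrations.
CLIENTS = {"app-123": {"secret": "s3cr3t", "redirect_uris": {REDIRECT}}}


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without padding (RFC 7636)."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


def make_pkce():
    """Client side: a fresh code_verifier and its code_challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)


class ExternalIdP:
    """Stand-in for the external OIDC provider (constructed; not a real IdP)."""
    AUTHORIZE = "https://idp.example/authorize"

    def __init__(self):
        self._codes = {}

    def login(self, authorize_url: str) -> str:
        """Simulates the user authenticating; returns the redirect back to the gateway callback."""
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(16)
        # The IdP binds the nonce it was given to the identity it later releases.
        self._codes[code] = {"sub": "alice", "email": "alice@example.com", "nonce": q["nonce"][0]}
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code: str) -> dict:
        return self._codes.pop(code)  # IdP codes are single-use as well


class GatewayOAuth:
    """Models the gateway's native OAuth provider: it owns codes, tokens, PKCE and state checks."""
    CODE_TTL = 60  # seconds a gateway authorization code stays valid

    def __init__(self, idp: ExternalIdP):
        self.idp = idp
        self._pending = {}  # gateway state -> /authorize request awaiting the IdP callback
        self._codes = {}    # gateway authorization code -> bound session plus IdP claims
        self.tokens = {}    # access token -> client and user claims

    def authorize(self, client_id, redirect_uri, state, code_challenge, method="S256"):
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_client: unknown client or redirect_uri not registered")
        if method != "S256" or not code_challenge:
            raise ValueError("invalid_request: PKCE S256 code_challenge required")
        gw_state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[gw_state] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                   "state": state, "code_challenge": code_challenge, "nonce": nonce}
        # Redirect to the IdP with the gateway's own state and nonce, never the client's.
        return self.idp.AUTHORIZE + "?" + urlencode({
            "response_type": "code", "client_id": "apic-gateway",  # constructed IdP client id
            "redirect_uri": GW_CALLBACK, "state": gw_state, "nonce": nonce})

    def idp_callback(self, gw_state, idp_code):
        pending = self._pending.pop(gw_state, None)  # unknown or replayed state is rejected
        if pending is None:
            raise ValueError("invalid_request: unknown state")
        claims = self.idp.exchange(idp_code)
        if not hmac.compare_digest(claims.pop("nonce", ""), pending["nonce"]):
            raise ValueError("invalid_grant: nonce mismatch")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {**pending, "claims": claims, "exp": time.time() + self.CODE_TTL}
        # Hand the client its original state so it can tie this response to its request.
        return pending["redirect_uri"] + "?" + urlencode({"code": code, "state": pending["state"]})

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        session = self._codes.pop(code, None)  # single-use: a replayed code finds nothing
        if session is None or session["exp"] < time.time():
            raise ValueError("invalid_grant: unknown or expired code")
        if session["client_id"] != client_id or session["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: code bound to another client or redirect_uri")
        if not hmac.compare_digest(s256(code_verifier), session["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "claims": session["claims"]}
        return {"access_token": access, "token_type": "bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "sub": session["claims"]["sub"]}


def front_channel(gw, idp, code_challenge, client_state="xyz"):
    """Drives the redirects client -> gateway -> IdP -> gateway -> client; returns the gateway code."""
    to_gw = idp.login(gw.authorize("app-123", REDIRECT, client_state, code_challenge))
    q = parse_qs(urlparse(to_gw).query)
    back = gw.idp_callback(q["state"][0], q["code"][0])
    q = parse_qs(urlparse(back).query)
    if q["state"][0] != client_state:
        raise ValueError("client state mismatch")
    return q["code"][0]


def rejects(fn, *args) -> bool:
    """True when the gateway refuses the request; used to exercise the negative cases."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    idp = ExternalIdP()
    gw = GatewayOAuth(idp)
    verifier, challenge = make_pkce()
    code = front_channel(gw, idp, challenge)
    print(gw.token("app-123", "s3cr3t", code, REDIRECT, verifier))
```

The two state values are deliberately separate: the client's `state` is returned only to the client, while the gateway generates its own `state` and `nonce` for the IdP leg and keeps the mapping in `_pending`, which is what lets it persist the IdP session against the code it later issues. The `/token` checks run in the order a gateway would apply them (client authentication, code lookup and expiry, client and redirect-URI binding, PKCE), and popping the code from the store before any check makes a replay fail even if an earlier attempt was rejected.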

Idea priority Urgent