Navigate --[ API gateway ]--> Windchill

Constantine
18-Opal

Hello All,

I have an API gateway, which also acts as an OIDC IdP. There's a Windchill instance which is configured to serve APIs to that gateway with SSO. There's an external app which uses that setup, and it works fine.

I'd like to investigate an idea of connecting Navigate through the same API gateway, and not directly to Windchill. I expect to do some configuration on the ThingWorx side, but zero changes on the Windchill end, because other API gateway app(s) already work, so I assume that there's nothing to change.

Before I spend time on trying to set it up, I just wanted to check with the community -- is it a supported setup, and what kind of issues should I expect?

Also, this might be a very lame question, but what do I need to configure on the ThingWorx side to make an external OIDC IdP work in this scenario?

Thanks,

Constantine


Vilia (my company) | GitHub | LinkedIn

No, not supported and I think it can't be done. Windchill has a file securityContext.properties that needs the details of the Windchill RP OAuth client from the CAS, and without that any request for data from Navigate using OAuth will fail. Navigate has to send the OAuth token with the request to Windchill. We don't know what effect a custom routing will have.

Support for OIDC on the ThingWorx side is dependent upon the ThingWorx version. Windchill adopted OIDC much earlier than ThingWorx did, so there is no easy correlation to assume.

slangley
23-Emerald III
(To:Constantine)

Hi @Constantine

If the previous response answered your question, please mark it as the Accepted Solution for the benefit of others in the community.

Regards.

--Sharon

Hello @slangley, thanks for the reminder! Actually I found a way to make it work and got a working prototype. A few items for anyone else interested in it:

  1. It is possible to put an API Gateway in the middle between Navigate and ThingWorx, provided that
    1. the gateway handles authentication (they usually do)
    2. and mints its own tokens.
  2. The gateway is then used as an Authorization Server both to authenticate users and authorize requests to Windchill
    1. You can have the same client configured in the AuthorizationServersSettings and OIDCSettings sections of sso-settings.json
    2. Authentication and authorization use different redirect URLs, so make sure you configured both in your AS. Our API Gateway only allows a single redirect URL, so I just created two clients with different client IDs, and it works:
      1. /Thingworx/oidc/SSO
      2. /Thingworx/oauth2_authorization_code_redirect
  3. It works with non-AD, non-PF OAuth providers, as long as they are compliant with the OIDC standard, namely support nonce parameters

Here's our working setup:

SSO-API-GW.png

I'll mark this comment as the accepted solution, hope it will help someone.

/ Constantine


Vilia (my company) | GitHub | LinkedIn
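As an added illustration of the flow the accepted answer describes, the following is example code written for this page, not ThingWorx, Navigate or PTC code. It models a toy OIDC authorization-code exchange between a relying party configured with two clients (one per redirect URI, mirroring the gateway's one-redirect-per-client limit from the answer) and a gateway that checks the registered redirect URI and mints its own ID token. The relying party side shows why point 3 of the answer matters: it refuses an ID token from a provider that does not echo the nonce. The issuer URL, ThingWorx base URL, client IDs, subject name and the HS256 shared secret are constructed assumptions; a real gateway signs ID tokens with an asymmetric key published at its JWKS endpoint, and the redirect paths are the two listed in the answer.

```python
"""Toy OIDC authorization-code round trip: RP (ThingWorx-style) <-> gateway/AS.
Added example for this page, not product code.  Assumptions: HS256 ID tokens
with a shared secret, constructed URLs, one redirect URI per registered client."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SHARED_SECRET = b"constructed-demo-secret"   # constructed; real AS uses RS256/ES256 keys
ISSUER = "https://gateway.example/oidc"      # assumed gateway issuer URL
RP_BASE = "https://twx.example"              # assumed ThingWorx base URL

# Two clients because the gateway in the post allows a single redirect URI per client.
CLIENTS = {
    "twx-sso":   {"redirect_uri": RP_BASE + "/Thingworx/oidc/SSO"},
    "twx-oauth": {"redirect_uri": RP_BASE + "/Thingworx/oauth2_authorization_code_redirect"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Compact JWS, HS256 (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


# ---- relying party (ThingWorx-style) side --------------------------------
def build_authorize_url(client_id: str):
    """Fresh state (CSRF) and nonce (token replay) per request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    q = {"response_type": "code", "client_id": client_id, "scope": "openid",
         "redirect_uri": CLIENTS[client_id]["redirect_uri"], "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(q)}", state, nonce


def verify_id_token(token: str, client_id: str, expected_nonce: str,
                    now: float = None, secret: bytes = SHARED_SECRET) -> dict:
    """Return claims if the token is valid for this client and nonce, else raise ValueError."""
    now = now or time.time()
    header, body, sig = token.split(".")
    expected_sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected_sig):
        raise ValueError("bad signature")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # The nonce binds this ID token to the authorize request we sent; a provider
    # that drops it leaves the callback open to replay of a token from elsewhere.
    if "nonce" not in claims:
        raise ValueError("provider did not echo nonce")
    if not hmac.compare_digest(claims["nonce"], expected_nonce):
        raise ValueError("nonce mismatch")
    return claims


# ---- gateway / authorization server side (simulated) ---------------------
def gateway_authorize(url: str):
    """Enforce the registered redirect URI; return (callback URL with code, nonce seen)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unregistered client or redirect_uri")
    return f"{q['redirect_uri']}?code={secrets.token_urlsafe(8)}&state={q['state']}", q.get("nonce")


def gateway_mint_id_token(client_id: str, subject: str, nonce, now: float = None) -> str:
    now = now or time.time()
    claims = {"iss": ISSUER, "sub": subject, "aud": client_id,
              "iat": int(now), "exp": int(now) + 300}
    if nonce is not None:      # a non-compliant provider would simply omit the nonce
        claims["nonce"] = nonce
    return sign_jwt(claims)


def run_login(client_id: str, subject: str = "alice", provider_echoes_nonce: bool = True) -> str:
    """Full round trip for one registered client; returns the verified 'sub' claim."""
    url, state, nonce = build_authorize_url(client_id)
    callback, nonce_seen = gateway_authorize(url)
    if parse_qs(urlparse(callback).query)["state"][0] != state:
        raise ValueError("state mismatch")
    token = gateway_mint_id_token(client_id, subject, nonce_seen if provider_echoes_nonce else None)
    return verify_id_token(token, client_id, nonce)["sub"]


def login_error(client_id: str, **kwargs):
    """Error message for a failed login, or None when the login succeeds."""
    try:
        run_login(client_id, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

Running `run_login` once per client ID exercises both redirect paths against the same issuer, which is the two-client arrangement the answer ends up with; `login_error("twx-sso", provider_echoes_nonce=False)` shows the rejection a nonce-less provider would get.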