Build cookie-to-token converter on Google API Gateway


During this internship, you will develop a framework on Google’s API Management platform to manage access tokens for a web client. The relationship between the API Management platform and the client application(s) will be maintained with standard cookies. So basically, you will develop a cookie-to-access-token “converter”, or some sort of “cookie monster” if you prefer that term.

The development will not be done with standard programming languages, but by leveraging the built-in building blocks, the so-called “policies”, of the API Management platform. The primary platform that you will be learning and using is Google’s Apigee API Management platform. If time allows (e.g. 2 students), we may opt to implement the solution on a 2nd API Management platform (IBM, WSO2 …).


Modern web clients can invoke APIs directly, interacting with the Authorization Server and managing access tokens themselves. But there are strong opinions that a web application should stick to the use of cookies and that only a server component should interact with the Authorization Server.

This question is largely related to the discussion on the use of “public” OAuth client applications that cannot keep secrets vs. the use of confidential clients that can keep secrets. With confidential clients, the Authorization Server is also assured that it is talking to the right client application. 

A standard approach is to introduce a Back-end For Front-end (BFF), an extra server component that manages the communication with the web client on the one hand and the communication with the back-end APIs on the other hand. We want to avoid that BFF and implement it with the API gateway instead.

Internship assignment

So in this internship you’ll design and develop a solution on the Google Apigee API Gateway to maintain web browser sessions with cookies while the API Gateway manages the access tokens on behalf of the web clients. 

The approach is partially inspired by the book “API Security in Action”. 

The ultimate goal is to open source your work, share it via GitHub with the Apigee community, and publish an article about it.

What you will learn

  • Applying API Security in a real-life context
  • Working with an API Management platform, Apigee from Google in particular
  • API Security in detail: OAuth2 & OpenID Connect
  • Low(er)-code software development (no standard programming)

Who should apply?

  • You are a student who’s not afraid of a challenge
  • You are eager to learn new technologies
  • You’re able to work independently
  • You understand REST APIs in the context of web browsers
  • You have basic API Security knowledge

Apply now!

Interested in getting to know us better? Then apply now:

Working at i8c

i8c is a system integrator that strives for an informal atmosphere between its employees, who have an average age of approximately 30 years. We invest a lot of effort in the professional development of each individual, through a direct connection between the consultants and the management (no multiple layers of middle management). We are based in Kontich, near Antwerp, but our customers are mainly located in the triangle Ghent-Antwerp-Brussels and belong to the top 500 companies in Belgium (Securex, Electrabel, UCB, etc.).

Quality Assurance

i8c is committed to delivering quality services and providing customer satisfaction. That’s why we invested in the introduction of a Quality Management System, which resulted in our ISO9001:2000 certification. This guarantees that we will meet your expectations, as a reliable, efficient and mature partner for your SOA & integration projects.

i8c - ISO9001-2015