How-To: OAuth Overview

Today we’re going to take a look at the Layer 7 API Management OAuth toolkit or OTK.

For most customers, the OTK is not an optional Gateway add-on. It is an essential product used in the API management lifecycle for securing client authorization and authentication. The OTK implements security using a combination of the OAuth 2.0 (authorization) and OpenID Connect (authentication) protocols.

The OAuth 2.0 industry standard authorization protocol defined in IETF RFC 6749 permits a user to grant an application access to a protected resource without exposing the user’s password credentials. An OAuth access token is issued and accepted for user authorization at the API endpoint.

The OTK also implements OpenID Connect workflows to provide authentication with additional end-user identity validation and single-sign on.

The accompanying video introduces us to a simple OAuth Authorization code workflow where the client application redirects the initial API access request to an authorization server. The authorization server validates the user identity and issues an authorization code from the authorization endpoint back to the client. The authorization code is then exchanged for an access token at the token endpoint. The access token is accepted by the resource server at the protected endpoint. Granted scopes inside the access token can limit access to a subset of protected resources. No user credentials are exposed to the resource server.

The authorization server can be a social login platform, such as Google, or Facebook. 

For more information, watch the video below.

blog written with Simon Crum