How-To: OAuth Overview


Today we're going to take a look at the Layer 7 API Management OAuth Toolkit, or OTK.

For most customers, the OTK is not an optional Gateway add-on. It is an essential product used in the API management lifecycle for securing client authorization and authentication. The OTK implements security using a combination of the OAuth 2.0 (authorization) and OpenID Connect (authentication) protocols.

OAuth 2.0, the industry standard authorization protocol defined in IETF RFC 6749, permits a user to grant an application access to a protected resource without exposing the user's password to that application. Instead, the authorization server issues an access token, which the client presents at the API endpoint as proof that the user authorized the request.

The OTK also implements OpenID Connect workflows, which layer authentication on top of OAuth 2.0 to provide verified end-user identity and single sign-on.

The accompanying video introduces a simple OAuth authorization code workflow. Rather than sending the API request directly, the client application redirects the user's browser to the authorization server's authorization endpoint. The authorization server authenticates the user, obtains consent for the requested scopes, and redirects the browser back to the client's registered redirect URI carrying a short-lived, single-use authorization code. The client then exchanges the code for an access token at the token endpoint, authenticating itself with its own client credentials if it is a confidential client; the token endpoint also checks that the code was issued to that client and for that redirect URI. The resource server accepts the access token at the protected endpoint, and the scopes granted to the token can limit access to a subset of protected resources. At no point does the user's password reach the client or the resource server.

The authorization server can be a social login platform, such as Google or Facebook.
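The exchange described above, as an added example in Python that is not the OTK's own code: the authorization endpoint, token endpoint and resource server all run in one process with in-memory stores, and the client registration, user, scopes and URLs are constructed for the demonstration. It shows the checks a practitioner wants to see: the password is verified only at the authorization endpoint, the code is bound to the client and redirect URI and dies after one use, and the resource server enforces scope rather than merely checking that a token exists.

```python
"""OAuth 2.0 authorization code flow (RFC 6749 section 4.1) in one process.
Added illustration, not Layer7 OTK code; all identifiers are constructed."""
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical registered client and user (constructed demo data).
CLIENTS = {"demo-client": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
USERS = {"alice": "correct horse battery staple"}
CODE_TTL = 60       # an authorization code is short-lived
TOKEN_TTL = 3600


@dataclass
class AuthorizationServer:
    codes: dict = field(default_factory=dict)   # code  -> grant metadata
    tokens: dict = field(default_factory=dict)  # token -> grant metadata

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        """Authorization endpoint: authenticate the user, issue a one-time code.
        The password is checked here only; client and resource server never see it."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if not secrets.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope.split()), "sub": username,
                            "exp": time.time() + CODE_TTL}
        # Delivered to the client via the redirect; state is echoed unchanged.
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: redeem the code for a bearer access token."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop makes the code single use
        if grant is None or grant["exp"] < time.time():
            raise PermissionError("invalid_grant: unknown, used or expired code")
        # The code must be redeemed by the client, and for the redirect_uri,
        # that it was issued to (RFC 6749 section 4.1.3).
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: client/redirect_uri mismatch")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": grant["sub"], "scope": grant["scope"],
                              "exp": time.time() + TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": " ".join(sorted(grant["scope"]))}

    def introspect(self, token):
        """Return the grant behind a live token, or None."""
        grant = self.tokens.get(token)
        return grant if grant and grant["exp"] >= time.time() else None


def resource_server(auth_server, authorization_header, required_scope):
    """Protected endpoint: admit a bearer token only if it carries the needed scope."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    grant = auth_server.introspect(token)
    if grant is None:
        return 401, "invalid_token"
    if required_scope not in grant["scope"]:
        return 403, "insufficient_scope"
    return 200, f"hello {grant['sub']}"


def run_flow():
    """Drive the flow end to end and return the results worth checking."""
    auth = AuthorizationServer()
    state = secrets.token_urlsafe(16)
    redirect_uri = "https://app.example/cb"
    # 1. Browser is redirected to the authorization endpoint; the user logs in there.
    cb = auth.authorize("demo-client", redirect_uri, "profile:read", state,
                        "alice", USERS["alice"])
    if cb["state"] != state:           # the client must drop a callback with bad state
        raise RuntimeError("state mismatch")
    # 2. Client redeems the code at the token endpoint with its own credentials.
    tok = auth.token("demo-client", "s3cret", cb["code"], redirect_uri)
    # 3. Resource server checks token and scope; write was never granted.
    read_status, _ = resource_server(auth, f"Bearer {tok['access_token']}", "profile:read")
    write_status, _ = resource_server(auth, f"Bearer {tok['access_token']}", "profile:write")
    # 4. Replaying the spent code must be refused.
    try:
        auth.token("demo-client", "s3cret", cb["code"], redirect_uri)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"read": read_status, "write": write_status, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_flow())
```

Running it yields a 200 for the granted `profile:read` scope, a 403 for `profile:write`, and a refused replay of the code. In a real deployment the three roles sit on different hosts and the code travels through the user's browser, which is exactly why it is bound to the client and redirect URI and expires after one use.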

For more information, watch the video below.


Blog written with Simon Crum.

Aric Day

Aric is based in Minneapolis, MN and has been managing Enterprise API programs for more than 10 years as both an operations sysadmin and an API security consultant designing API integration standards. He currently serves Layer7 North American core accounts within the central and western regions. In previous roles he has worked as an automation and API security consultant with both Accenture and Best Buy. Aric has an engineering degree from the University of Minnesota. He is active as a youth hockey coach in winter and enjoys getting outdoors during the brief MN summer months.
