Open Authorization (OAuth) – IBM API Connect 2018
What is OAuth?
OAuth is an open-standard, token-based authorization protocol (or framework) that gives third-party websites and applications "secure designated access" to a user's data without requiring the user to hand over their credentials or other personal information.
OAuth Explained
OAuth is about authorization, not authentication. OAuth does not pass authentication data (usernames, passwords) between consumers and service providers; instead it issues an authorization token. The user decides, for each service provider, what a consumer may and may not use, and can grant each consumer access to a different subset of data. The consumer never holds the "full key" (the user's credentials) or any private data that would let it obtain that key.
Implementation of OAuth in IBM API connect 2018
There are three primary players in an OAuth transaction: the user, the consumer (the application), and the service provider (the OAuth provider API):
1. The user: owns the data that is accessed through the API and wants to allow the application to access it.
2. The application: wants to access that data through the API on the user's behalf.
3. The OAuth provider API: controls and enables access to the user's data.
High-level authorization flow
1. Book My Trip (the client application) sends an authorization request to the Facebook Authorization Server.
2. The authorization server redirects the resource owner (the user) to the Facebook login screen.
3. The authorization server authenticates the user.
4. The authorization server shows the user a permission (consent) prompt.
5. The user's decision to grant permission is sent back to the authorization server (the /auth endpoint).
6. The authorization server generates an authorization code and returns it to Book My Trip via the redirect URI.
7. Book My Trip sends the authorization code, together with its own client credentials, to the authorization server to obtain an access token.
8. The authorization server returns an access token to the Book My Trip client.
9. Book My Trip presents the access token to the resource server to request the user's confidential information.
10. The resource server validates the access token by sending it to the authorization server.
11. The authorization server returns the validation result to the resource server.
12. If the token is valid, the resource server returns the user's confidential (protected) information to Book My Trip.
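The twelve steps above, as an added worked example written for this page (it is not IBM API Connect code and not part of the original article): a Python simulation of the authorization code grant with all three parties in one process. The client id, client secret, redirect URI, user record and scope name are constructed values, and the endpoints are plain method calls standing in for the HTTP requests. The point of the example is the controls that make the delegation safe: the `state` value checked on the redirect, an authorization code bound to the client and redirect URI and redeemable only once, the client secret required at the token endpoint, and token introspection with a scope check before the resource server releases any data.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration data for the example (hypothetical values, not a real provider).
CLIENT_ID = "bookmytrip"
CLIENT_SECRET = "s3cret-from-registration"
REDIRECT_URI = "https://bookmytrip.example/callback"
USER_DATA = {"alice": {"email": "alice@example.com", "friends": ["bob"]}}


class AuthorizationServer:
    """Authorization-code grant: /auth endpoint, token endpoint and introspection."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}   # code -> (client_id, user, scope, redirect_uri, expiry)
        self.tokens = {}  # token -> (client_id, user, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, state, user, approved):
        """Steps 1-6: check the client, record the user's decision, issue a short-lived code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, user, scope, redirect_uri, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 7-8: exchange a single-use code for a bearer access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid_grant")
        c_id, user, scope, c_redirect, expiry = entry
        if c_id != client_id or c_redirect != redirect_uri or time.time() > expiry:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, user, scope, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def introspect(self, token):
        """Steps 10-11: tell the resource server whether a token is active and what it covers."""
        entry = self.tokens.get(token)
        if entry is None or time.time() > entry[3]:
            return {"active": False}
        client_id, user, scope, _ = entry
        return {"active": True, "client_id": client_id, "sub": user, "scope": scope}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, token):
        """Steps 9-12: only an active token carrying the 'profile' scope unlocks the data."""
        info = self.auth_server.introspect(token)
        if not info["active"]:
            raise PermissionError("invalid_token")
        if "profile" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return USER_DATA[info["sub"]]


def run_flow(approved=True):
    """Drive the whole flow from the Book My Trip client's point of view."""
    auth = AuthorizationServer()
    resource = ResourceServer(auth)
    state = secrets.token_urlsafe(16)  # anti-CSRF value the client checks on the redirect
    # Steps 1-6: user "alice" logs in at the provider and decides whether to grant "profile".
    redirect = auth.authorize(CLIENT_ID, REDIRECT_URI, "profile", state, "alice", approved)
    params = parse_qs(urlparse(redirect).query)
    if params["state"][0] != state:
        raise RuntimeError("state mismatch: possible CSRF")
    if "error" in params:
        return None  # user declined; the client never sees a code or a token
    code = params["code"][0]
    # Steps 7-8: the client (not the browser) redeems the code with its secret.
    tok = auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    # Steps 9-12: present the bearer token to the resource server.
    return resource.get_profile(tok["access_token"])


if __name__ == "__main__":
    print(run_flow())
```

Note that the user's password never reaches `run_flow`: the client sees only an opaque code and then an opaque token, which is the whole point of the delegation. In a real deployment the code exchange and introspection happen over TLS, and the resource server would typically cache introspection results or verify a signed token instead of calling back for every request.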
The user never had to share credentials with the consumer; the user simply delegated access to it using OAuth. OAuth also allows granular permission levels (scopes), so the user can grant access to some data and not to the rest. The API grants access only when it receives a valid access token from the application. How the application obtains that access token depends on the OAuth scheme (grant type) in use.