1 minute read
API Gateway can use the OAuth 2.0 protocol for authentication and authorization. API Gateway can act as an OAuth 2.0 authorization server and supports several OAuth 2.0 flows that cover common web server, JavaScript, device, installed application, and server-to-server scenarios.
API Gateway includes sample Jython scripts for all supported OAuth flows. For example, to run a sample script for the implicit grant flow:
cd INSTALL_DIR/samples/scripts/oauth
sh run.sh oauth/implicit_grant.py
In addition to the following flows, API Gateway also supports:
The authorization code or web server flow is suitable for clients that can interact with the end-user’s user-agent (typically a web browser), and that can receive incoming requests from the authorization server (can act as an HTTP server).
The implicit grant (user agent) authentication flow is used by client applications (consumers) residing on the user’s device.
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client (for example, the device operating system or a highly privileged application).
This user name and password flow is used when the client application needs to directly access its own resources on the resource server. Only the client application’s credentials are used in this flow. The resource owner’s credentials are not required.
This flow is similar to OAuth 2.0 client credentials. In the OAuth 2.0 JWT flow, the client application is assumed to be a confidential client that can store the client application’s private key.
A revoke token request causes the removal of the client application permissions associated with the particular token to access the end-user’s protected resources.
Use the token information service to validate that an access token was issued by the API Gateway.