API Gateway OAuth 2.0 authentication flows
Learn about the supported OAuth 2.0 flows in detail, and how to run sample scripts demonstrating the flows.
1 minute read
API Gateway includes sample Jython scripts for all supported OAuth flows. For example, to run a sample script for the implicit grant flow:
sh run.sh oauth/implicit_grant.py
In addition to the following flows, API Gateway also supports:
- Refresh token flow – After the client application has been authorized for access, it can use a refresh token to get a new access token. This is only done after the consumer already has received an access token using the authorization code grant or resource owner password credentials flow.
- SAML assertion flow – The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This flow is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server.
The authorization code or web server flow is suitable for clients that can interact with the end-user’s user-agent (typically a web browser), and that can receive incoming requests from the authorization server (can act as an HTTP server).
The implicit grant (user agent) authentication flow is used by client applications (consumers) residing on the user’s device.
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client (for example, the device operating system or a highly privileged application).
This user name and password flow is used when the client application needs to directly access its own resources on the resource server. Only the client application’s credentials are used in this flow. The resource owner’s credentials are not required.
This flow is similar to OAuth 2.0 client credentials. In the OAuth 2.0 JWT flow, the client application is assumed to be a confidential client that can store the client application’s private key.
A revoke token request causes the removal of the client application permissions associated with the particular token to access the end-user’s protected resources.
Use the token information service to validate that an access token was issued by the API Gateway.