Secure an API with OAuth

API proxies can be secured with a client authentication policy. Learn how to set up an OAuth front-end security policy on an API proxy.

3 minute read

Before you start

  • You will need a client ID, issuer, and metadata path provided by your third-party OAuth server.
  • The authorization server must issue signed JWT access tokens.
  • The authorization server must issue tokens with Amplify Central in the aud claim.

Objectives

Learn how to set up an OAuth front-end security policy on an API proxy.

Add OAuth security to an API proxy

Follow these steps to require an OAuth policy on an API proxy:

  1. Select the API proxy.
  2. Click the Policies tab.
  3. Click the gear icon next to Client authentication.
  4. On the dialog box, select OAuth Token from the Authentication type list.
  5. On the Deployments tab, click Deploy to deploy or update a runtime group with the OAuth security.

Watch the animation to learn how to do this in AMPLIFY Central UI.

Add OAuth security

Use an API proxy secured with an OAuth policy

To use the proxy, the provider must first set up a third-party OAuth server with a valid application. A single application from the third-party server’s application will directly relate to a single AMPLIFY Central application.

Create an application profile

After you have created an application within your third-party OAuth server, you must create an application profile to use your secured proxy.

  1. Select Apps in the left navigation bar, and click your API proxy in the list.
  2. On the Identity Profiles tab, click + OAuth Profile to add an Oauth profile.
  3. Enter the required information, and click Save.

Make an API call

  1. Inside the API proxy with an OAuth Client authentication policy, click the Test Methods tab.
  2. If you have more than one valid deployment, choose the one to test. If you only have one, it is automatically selected for you.
  3. If you have more than one valid OAuth profile, choose the one to test. If you only have one, it is automatically selected for you.

When you select a valid OAuth profile, you will see your Client ID displayed in a read-only field. This will assist you, the provider, in generating an OAuth token from the correct application in your third-party OAuth server.

After your third-party OAuth server has generated a valid OAuth token, paste that token into the OAuth token field. You can now attempt to make valid API calls with your proxy.

Review

You have learned how to set up an OAuth front-end security policy on an API proxy in AMPLIFY Central.