© 2013 IBM Corporation Intro to DataPower IBM WebSphere SOA Appliances.
OAuth 2.0 with IBM WebSphere DataPower
Uploaded by shiu-fun-poon
Transcript of OAuth 2.0 with IBM WebSphere DataPower
Page 1: OAuth 2.0
– Client type (application type): Confidential, Public
– Grant type (handshake/dance): authorization code, implicit grant, client credential, resource owner password
– Token: Bearer (self contained)
– Extension/Customization: added values
Allows you to share your resources with a third-party application without sharing your credentials with that application.
Authorization Code Grant Type
Page 2: Endpoints
– Authorization Endpoint: obtain authorization/consent from the end user
– Token Endpoint: exchange a temporary authorization for the actual access permission (in the form of access_token)
Diagram: Authorization Endpoint, Token Endpoint, DataPower enforcement for the Resource Server
Page 3: Authorization Code
Pages 4-8: OAuth 2.0 – Authorization Code
Diagram actors on every page: Resource Owner (Alice), the application, authorization endpoint (authz), token endpoint (token), DataPower, resource.
Page 4: Alice launches an application.
Page 5: HTTP 302. Alice is redirected to an OAuth authorization server, so the user can grant access to the application.
Page 6: HTTP 302. A temporary code is issued to the application.
Page 7: HTTP request with Authorization: Basic client_id:client_secret. Exchange the temporary code for access permission.
Page 8: Access the resource with access_token.
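The dance on pages 4-8 as one end-to-end exchange, with the token endpoint's Basic client authentication (page 7) and the resource-side enforcement that DataPower performs (page 8). This is an added Python example, not code from the deck or from IBM DataPower; the in-memory AuthorizationServer, the enforce and run_authorization_code_flow functions, the hosts authz.example and app.example, and the client app123 with secret s3cret are all constructed for the example. It also shows two checks the slides do not spell out: the application ties the callback to its own request with a state value, and the temporary code is single-use.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample registration: one confidential client known to the authorization server
# (hypothetical client_id, secret and redirect_uri, not values from the deck).
CLIENTS = {"app123": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}


def _basic_client(headers):
    """Check 'Authorization: Basic base64(client_id:client_secret)' (page 7); return client_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    reg = CLIENTS.get(client_id)
    if reg is not None and hmac.compare_digest(reg["secret"], secret):
        return client_id
    return None


class AuthorizationServer:
    """Toy authorization server with the two endpoints from page 2 (hypothetical, in-memory)."""

    def __init__(self):
        self.codes = {}   # temporary code -> (client_id, redirect_uri, owner, scope)
        self.tokens = {}  # access_token -> (client_id, owner, scope)

    def authorize(self, request_url, owner, consent):
        """Authorization endpoint (pages 5-6): after the owner decides, redirect back with a code or an error."""
        q = parse_qs(urlparse(request_url).query)
        client_id, redirect_uri, state = q["client_id"][0], q["redirect_uri"][0], q["state"][0]
        reg = CLIENTS.get(client_id)
        # Exact match against the registered redirect_uri, so the code cannot be sent to a third party.
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, owner, q.get("scope", [""])[0])
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, headers, form):
        """Token endpoint (page 7): authenticate the client, then trade the single-use code for access_token."""
        client_id = _basic_client(headers)
        if client_id is None:
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)  # pop: a second exchange of the same code fails
        if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, entry[2], entry[3])
        return {"access_token": token, "token_type": "Bearer"}

    def introspect(self, token):
        """What an enforcement point asks: who does this token belong to, if it is valid at all."""
        return self.tokens.get(token)


def enforce(authz, headers, resource):
    """Resource-server enforcement (page 8, DataPower's role): only a valid Bearer token reaches the resource."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="resource"'}
    entry = authz.introspect(auth[7:])
    if entry is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    return 200, {"resource": resource, "client": entry[0], "owner": entry[1], "scope": entry[2]}


def run_authorization_code_flow(consent=True):
    """Walk Alice and the application through pages 4-8; return the final resource response."""
    authz = AuthorizationServer()
    state = secrets.token_urlsafe(8)  # the application keeps this to tie the callback to its own request
    # Page 5: HTTP 302 sends Alice to the authorization endpoint.
    auth_url = "https://authz.example/oauth/authorize?" + urlencode({
        "response_type": "code", "client_id": "app123",
        "redirect_uri": "https://app.example/cb", "scope": "read", "state": state})
    # Page 6: HTTP 302 back to the application, carrying the temporary code (or an error).
    cb = parse_qs(urlparse(authz.authorize(auth_url, owner="alice", consent=consent)).query)
    if cb["state"][0] != state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in cb:
        return 403, {"error": cb["error"][0]}
    # Page 7: exchange the code at the token endpoint, authenticating with Basic client_id:client_secret.
    basic = base64.b64encode(b"app123:s3cret").decode()
    tok = authz.token({"Authorization": "Basic " + basic},
                      {"grant_type": "authorization_code", "code": cb["code"][0],
                       "redirect_uri": "https://app.example/cb"})
    # Page 8: access the resource with access_token; the enforcement point validates it.
    return enforce(authz, {"Authorization": "Bearer " + tok["access_token"]}, "/alice/photos")


if __name__ == "__main__":
    print(run_authorization_code_flow())
```

Running the module prints the resource response, which carries the client and the owner the token was issued for; this is exactly the information a resource-side enforcement point needs before it lets the request through. The enforce function stands in for DataPower in front of the resource: it never sees Alice's credentials, only the bearer token, and it rejects a missing or unknown token with 401 before the resource is touched.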
Page 9: Implicit
Pages 10-13: OAuth 2.0 – Implicit
Diagram actors on every page: Resource Owner (Alice), the application, authorization endpoint (authz), DataPower, resource. There is no token endpoint in this grant.
Page 10: Alice launches an application.
Page 11: HTTP 302. Alice is redirected to an OAuth authorization server, so the user can grant access to the application.
Page 12: HTTP 200. access_token is returned.
Page 13: diagram only, same actors.
Page 14: Resource Owner
Pages 15-16: OAuth 2.0 – Resource Owner
Diagram actors: Resource Owner (Alice), the application, authz, DataPower, resource.
Page 15: request: Authorization: Basic client_id:client_secret, together with the username & password; response: access_token=xxxx
Page 16: access the resource with access_token=xxxx
Page 17: Client Credentials
Pages 18-19: OAuth 2.0 – Client Credentials
Diagram actors: Resource Owner (Alice), the application, authz, DataPower, resource.
Page 18: request: Authorization: Basic client_id:client_secret; response: access_token=xxxx
Page 19: access the resource with access_token=xxxx
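The resource owner password grant (page 15) and the client credentials grant (page 18) look alike on the wire: one request carrying Authorization: Basic client_id:client_secret, one response carrying access_token=xxxx. What differs is who the token acts for, and that difference is what the resource server later relies on. The token endpoint below, an added Python example rather than code from the deck or from DataPower, handles both grants and records the owner behind every token it issues. The client app123 with secret s3cret, the owner alice with password alice-pw, and the function names are constructed for the example.

```python
import base64
import hmac
import secrets

# Constructed sample data: one confidential client and one resource owner known to the server
# (hypothetical values, not from the deck).
CLIENTS = {"app123": "s3cret"}
OWNERS = {"alice": "alice-pw"}


def _client_from_basic(headers):
    """Return the client_id if 'Authorization: Basic base64(client_id:client_secret)' is valid, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    expected = CLIENTS.get(client_id)
    if expected is not None and hmac.compare_digest(expected, secret):
        return client_id
    return None


def token_endpoint(headers, form, issued):
    """Handle the two single-request grants from pages 15 and 18.

    'issued' maps access_token -> (client_id, owner), i.e. on whose behalf the token acts.
    Both grants authenticate the client with Basic; only the password grant also carries
    the resource owner's own credentials.
    """
    client_id = _client_from_basic(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        # Resource owner password grant: the application forwards Alice's username and password,
        # so the token acts for Alice.
        user, pw = form.get("username"), form.get("password", "")
        if user not in OWNERS or not hmac.compare_digest(OWNERS[user], pw):
            return 400, {"error": "invalid_grant"}
        owner = user
    elif grant == "client_credentials":
        # Client credentials grant: no end user is involved, the token acts for the application itself.
        owner = client_id
    else:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(24)
    issued[token] = (client_id, owner)
    return 200, {"access_token": token, "token_type": "Bearer"}


def basic_header(client_id, secret):
    """Build the Authorization: Basic client_id:client_secret header shown on pages 15 and 18."""
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}


def demo():
    """Issue one token per grant and show who each one acts for; a bad client secret gets no token."""
    issued = {}
    good = basic_header("app123", "s3cret")
    s1, r1 = token_endpoint(good, {"grant_type": "password", "username": "alice", "password": "alice-pw"}, issued)
    s2, r2 = token_endpoint(good, {"grant_type": "client_credentials"}, issued)
    s3, _ = token_endpoint(basic_header("app123", "wrong"), {"grant_type": "client_credentials"}, issued)
    return {
        "password_owner": issued[r1["access_token"]][1] if s1 == 200 else None,
        "client_credentials_owner": issued[r2["access_token"]][1] if s2 == 200 else None,
        "bad_client_status": s3,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the issued map is that a token from the password grant is attributed to alice while a token from the client credentials grant is attributed to app123; a resource server (or DataPower in front of it) that treats the two alike will grant an application acting for itself whatever a user could reach. Because the password grant hands the owner's credentials to the application, it only fits first-party applications, which is why the deck's authorization code flow is the general-purpose choice.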
Page 20: Customization
3 DataPower grant types
– Validation grant: urn:ibm:datapower:validate
– Client Revoke Access grant: urn:ibm:datapower:client:revoke
– Resource Owner Revoke Access grant: urn:ibm:owner:revoke
Extensibility through different "plug points" during the OAuth handshake/dance
– This provides customization of the behavior of OAuth
Page 21: Use cases
Page 22: DataPower as both Authorization Server and Resource Server. DataPower issues the access_token; resources are accessed with the access_token.
Page 23: adds a second deployment: DataPower as Resource Server, with another Authorization Server (IBM TFIM, Ping Federation?) issuing the access_token; resources are accessed with that access_token.
Page 24: adds a third deployment: DataPower as Resource Server and PEP (policy enforcement point) for an Authorization Server's access_token; resources are accessed with the access_token.