OAuth 2.0

Client type (application type)– Confidential– Public

Grant type (handshake/dance)– authorization code– Implicit grant– client credential– resource owner password

Token : Bearer (self contained)

Extension/Customization– Added Values

Allow you to share your resources with a third party application without sharing your credentials with the third party application

Authorization Code Grant Type

Authorization EndpointObtain authorization/consent from end user

Token EndpointExchange a temporary authorization for the actual access permission

(in the form of access_token)

AuthorizationEndpoint

TokenEndpoint

DataPower Enforcement for Resource Server

Authorization Code

4

Alice launches an application

Resource Owner(Alice)

OAuth 2.0 – Authorization Code

authz

token

DataPower

resource

5

Resource Owner(Alice)

OAuth 2.0 – Authorization Code

HTTP 302Alice is redirected to an OAuth authorization server, so user can grant access to the application.

authz

token

DataPower

resource

6

Resource Owner(Alice)

OAuth 2.0 – Authorization Code

HTTP 302..A temporary code is issued to the application

authz

token

DataPower

resource

7

Resource Owner(Alice)

OAuth 2.0 – Authorization Code

HTTPAuthorization: Basic client_id:client_secret

Exchange temporary code for access permission

authz

token

DataPower

resource

8

Resource Owner(Alice)

OAuth 2.0 – Authorization Code

Access resource with access_token

authz

token

DataPower

resource

Implicit

10

Alice launches an application

Resource Owner(Alice)

OAuth 2.0 – Implicit

authz

DataPower

resource

11

Resource Owner(Alice)

OAuth 2.0 – Implicit

HTTP 302Alice is redirected to an OAuth authorization server, so user can grant access to the application.

authz

DataPower

resource

12

Resource Owner(Alice)

OAuth 2.0 – Implicit

HTTP 200..access_token is returned

authz

DataPower

resource

13

Resource Owner(Alice)

OAuth 2.0 – Implicit

authz

DataPower

resource

Resource Owner

15

Resource Owner(Alice)

OAuth 2.0 – Resource Owner

authz

DataPower

resource

requestAuthorization: Basic client_id:client_secretusername & password

responseaccess_token=xxxx

16

Resource Owner(Alice)

OAuth 2.0 – Resource Owner

authz

DataPower

resourceaccess_token=xxxx

Client Credentials

18

Resource Owner(Alice)

OAuth 2.0 – Client Credentials

authz

DataPower

resource

requestAuthorization: Basic client_id:client_secret

responseaccess_token=xxxx

19

Resource Owner(Alice)

OAuth 2.0 – Client Credentials

authz

DataPower

resource

access_token=xxxx

Customization 3 DataPower grant types

– Validation grant : urn:ibm:datapower:validate

– Client Revoke Accessgrant : urn:ibm:datapower:client:revoke

– Resource Owner Revoke Accessgrant : urn:ibm:owner:revoke

Extensibility thru different “plug points” during OAuth handshake/dance

– This provides customization to the behavior of OAuth

Use cases

Resource Server

DataPower

DataPower access_token

Authorization Server

Access resources with access_token

Resource Server

DataPower

DataPower access_token

Authorization Server

Access resources with access_token

Resource Server

DataPower

access_token

Other Authorization ServerIBM TFIM

Ping Federation ?

Access resources with access_token

Resource Server

DataPower

DataPower access_token

Authorization Server

Access resources with access_token

Resource Server

DataPower

access_token

Other Authorization ServerIBM TFIM

Ping Federation ?

Access resources with access_token

Resource ServerDataPower access_token

Authorization Server

Access resources with access_tokenPEP